Update Rust crate openssl to v0.10.70 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
openssl	dependencies	patch	=0.10.68 -> =0.10.70

GitHub Vulnerability Alerts

CVE-2025-24898

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

---

Release Notes

sfackler/rust-openssl (openssl)

v0.10.70: openssl v0.10.70

Compare Source

What's Changed

• Attempt to fix CI by pinning to the Ubuntu 22.04 image by @​alex in https://github.com/sfackler/rust-openssl/pull/2357
• Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 by @​botovq in https://github.com/sfackler/rust-openssl/pull/2356
• Test against 3.4.0 final release by @​alex in https://github.com/sfackler/rust-openssl/pull/2359
• Expose SslMethod::{dtls_client,dtls_server} by @​alex in https://github.com/sfackler/rust-openssl/pull/2358
• Fix lifetimes in ssl::select_next_proto by @​sfackler in https://github.com/sfackler/rust-openssl/pull/2360

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.69...openssl-v0.10.70

v0.10.69: openssl v0.10.69

Compare Source

What's Changed

• build(deps): Update openssl-macro to version 0.1.1 by @​caspermeijn in https://github.com/sfackler/rust-openssl/pull/2324
• Enable set_alpn_select_callback for BoringSSL by @​ViktoriiaKovalova in https://github.com/sfackler/rust-openssl/pull/2327
• Switch the test to use prime256v1 based key by @​dcermak in https://github.com/sfackler/rust-openssl/pull/2330
• Expose EVP_DigestSqueeze from Hasher by @​initsecret in https://github.com/sfackler/rust-openssl/pull/2275
• Expose SSL_CTX_load_verify_locations by @​sfackler in https://github.com/sfackler/rust-openssl/pull/2353

New Contributors

• @​caspermeijn made their first contribution in https://github.com/sfackler/rust-openssl/pull/2324
• @​ViktoriiaKovalova made their first contribution in https://github.com/sfackler/rust-openssl/pull/2327

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.68...openssl-v0.10.69

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.