ZENOTME opened a new pull request, #1050:
URL: https://github.com/apache/iceberg-rust/pull/1050
## Which issue does this PR close?
<!--
We generally require a GitHub issue to be filed for all bug fixes and
enhancements and this helps us generate change logs for our releases. You can
link an issue to this PR using the GitHub syntax. For example `Closes #123`
indicates that this PR will close issue #123.
-->
- Closes #.
## What changes are included in this PR?
<!--
Provide a summary of the modifications in this PR. List the main changes
such as new features, bug fixes, refactoring, or any other updates.
-->
Seems the ring has been detected overflow problem. This PR upgrade it to fix.
Info from cargo audit:
```
/home/runner/.cargo/bin/cargo audit --json --file ./Cargo.lock
{"database":{"advisory-count":735,"last-commit":"4f5cae00f0c77b753750451b0ed2ea0cce97458b","last-updated":"2025-03-06T14:44:11-07:00"},"lockfile":{"dependency-count":644},"settings":{"target_arch":[],"target_os":[],"severity":null,"ignore":["RUSTSEC-2023-0071","RUSTSEC-2024-0388"],"informational_warnings":["unmaintained","unsound","notice"]},"vulnerabilities":{"found":true,"count":1,"list":[{"advisory":{"id":"RUSTSEC-2025-0009","package":"ring","title":"Some
AES functions may panic when overflow checking is
enabled.","description":"`ring::aead::quic::HeaderProtectionKey::new_mask()`
may panic when overflow\nchecking is enabled. In the QUIC protocol, an attacker
can induce this panic by\nsending a specially-crafted packet. Even
unintentionally it is likely to occur\nin 1 out of every 2**32 packets sent
and/or received.\n\nOn 64-bit targets operations using
`ring::aead::{AES_128_GCM, AES_256_GCM}` may\npanic when overflow checking is
enabled, when encrypting/decrypting approximate
ly\n68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk.
Protocols\nlike TLS and SSH are not affected by this because those protocols
break large\namounts of data into small chunks. Similarly, most applications
will not\nattempt to encrypt/decrypt 64GB of data in one chunk.\n\nOverflow
checking is not enabled in release mode by default, but\n`RUSTFLAGS=\"-C
overflow-checks\"` or `overflow-checks = true` in the Cargo.toml\nprofile can
override this. Overflow checking is usually enabled by default in\ndebug
mode.","date":"2025-03-06","aliases":[],"related":[],"collection":"crates","categories":["denial-of-service"],"keywords":[],"cvss":null,"informational":null,"references":[],"source":null,"url":"https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05","withdrawn":null,"license":"CC0-1.0"},"versions":{"patched":[";>=0.17.12"],"unaffected":[]},"affected":null,"package":{"name":"ring","version":"0.17.9","source":"registry+https://github.com/rust
-lang/crates.io-index","checksum":"e75ec5e92c4d8aede845126adc388046234541629e76029599ed35a003c7ed24","dependencies":
```
## Are these changes tested?
<!--
Specify what test covers (unit test, integration test, etc.).
If tests are not included in your PR, please explain why (for example, are
they covered by existing tests)?
-->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
