github-actions[bot] opened a new issue, #2357:
URL: https://github.com/apache/iceberg-rust/issues/2357
> Reachable panic in certificate revocation list parsing
| Details | |
| ------------------- | ---------------------------------------------- |
| Package | `rustls-webpki` |
| Version | `0.103.12` |
| Date | 2026-04-22 |
| Patched versions | `>=0.103.13, <0.104.0-alpha.1,>=0.104.0-alpha.7` |
A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`] or [`OwnedCertRevocationList::from_der`]. This was the result of mishandling a syntactically valid empty `BIT STRING` appearing in the `onlySomeReasons` element of an `IssuingDistributionPoint` CRL extension.

This panic is reachable prior to a CRL's signature being verified. Applications that do not use CRLs are not affected.

Thank you to @tynus3 for the report.

See [advisory page](https://rustsec.org/advisories/RUSTSEC-2026-0104.html) for additional details.
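As an added illustration (not rustls-webpki's or iceberg-rust's code), the following decoder parses the DER `BIT STRING` used for the RFC 5280 `ReasonFlags` type carried in `onlySomeReasons`, showing that a syntactically valid empty `BIT STRING` (`03 01 00`) decodes to an empty reason set and that every malformed shape becomes an error rather than a panic. Short-form lengths only and the reason-name table are assumptions of this example.

```rust
// Added example: illustrative DER BIT STRING decoder for the RFC 5280 ReasonFlags
// type carried in onlySomeReasons. Not rustls-webpki's code; short-form lengths assumed.

/// ReasonFlags bit names from RFC 5280 section 5.3.1, indexed by bit position.
const REASON_NAMES: [&str; 9] = [
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise",
];

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, BadTag, BadLength, BadUnusedBits }

/// Decode one DER BIT STRING (tag 0x03) into the asserted bit positions.
/// An empty BIT STRING (`03 01 00`) is valid DER: its content is just the
/// unused-bits octet and it asserts no bits. Every malformed shape is an
/// `Err`, never a panic, so untrusted CRL bytes cannot abort the caller.
pub fn decode_bit_string(der: &[u8]) -> Result<Vec<usize>, DerError> {
    let (&tag, rest) = der.split_first().ok_or(DerError::Truncated)?;
    if tag != 0x03 { return Err(DerError::BadTag); }
    let (&len, rest) = rest.split_first().ok_or(DerError::Truncated)?;
    if len >= 0x80 { return Err(DerError::BadLength); } // long form: out of scope here
    let content = rest.get(..len as usize).ok_or(DerError::Truncated)?;
    // The initial (unused-bits) octet is mandatory even when no bits follow.
    let (&unused, bits) = content.split_first().ok_or(DerError::BadLength)?;
    if unused > 7 || (bits.is_empty() && unused != 0) { return Err(DerError::BadUnusedBits); }
    // unused <= 7 here, and an empty payload forces unused == 0, so no underflow.
    let total_bits = bits.len() * 8 - unused as usize;
    // Bit 0 is the most significant bit of the first payload octet (X.690 8.6).
    let set: Vec<usize> = (0..total_bits)
        .filter(|&i| bits[i / 8] & (0x80u8 >> (i % 8)) != 0)
        .collect();
    Ok(set)
}

/// Map asserted bit positions to ReasonFlags names; positions beyond the table are dropped.
pub fn reason_flags(der: &[u8]) -> Result<Vec<&'static str>, DerError> {
    Ok(decode_bit_string(der)?.into_iter().filter_map(|i| REASON_NAMES.get(i).copied()).collect())
}

fn main() {
    // Constructed inputs: empty BIT STRING, keyCompromise|cACompromise, and a truncated one.
    for der in [&[0x03u8, 0x01, 0x00][..], &[0x03, 0x02, 0x05, 0x60][..], &[0x03, 0x01][..]] {
        println!("{:02x?} -> {:?}", der, reason_flags(der));
    }
}
```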
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.