fix: update openssl to resolve CVEs by dannyneira · Pull Request #1 · warpdotdev/power-fixer

dannyneira · 2026-05-30T16:05:26Z

Summary

Updated Rust transitive dependency openssl from 0.10.75 to 0.10.80 in Cargo.lock.
Updated openssl-sys from 0.9.111 to 0.9.116 as part of the lockfile refresh.
Resolves the open Dependabot alerts for:

CVE-2026-42327 / GHSA-xp3w-r5p5-63rr: rust-openssl undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
- Advisory: GHSA-xp3w-r5p5-63rr
CVE-2026-44662 / GHSA-xv59-967r-8726: rust-openssl heap buffer overflow when encrypting with AES key-wrap-with-padding
- Advisory: GHSA-xv59-967r-8726
CVE-2026-45784 / GHSA-phqj-4mhp-q6mq: rust-openssl potential out-of-bounds write in CipherCtxRef::cipher_update_inplace for AES-KW-PAD ciphers
- Advisory: GHSA-phqj-4mhp-q6mq

This is a transitive dependency update; no source changes were required.
No Dependabot error was present for these alerts.
cargo audit --json no longer reports openssl or the selected CVEs. Plain cargo audit still exits nonzero for unrelated advisories in bytes, rustls-webpki, and time that were not part of this selected alert batch.

cargo fmt --check
cargo check
cargo build
cargo test
cargo audit --json checked for absence of openssl / CVE-2026-42327 / CVE-2026-44662 / CVE-2026-45784

Co-Authored-By: Oz <oz-agent@warp.dev>

fix: update openssl to resolve CVEs

631305c

Co-Authored-By: Oz <oz-agent@warp.dev>

dannyneira requested a review from bholmesdev May 30, 2026 16:05

dannyneira marked this pull request as ready for review May 31, 2026 16:05