From b87f59b2a8504b0bce669933e3fd9a2ea6817f9b Mon Sep 17 00:00:00 2001
From: Vitalii Parfonov
Date: Wed, 8 Apr 2026 16:38:21 +0300
Subject: [PATCH] fix(deps): upgrade quinn-proto to 0.11.14 to patch CVE-2026-31812

Upgrades quinn-proto from 0.11.9 to 0.11.14 which fixes a remote denial of service vulnerability (CVE-2026-31812). The vulnerability allowed unauthenticated attackers to trigger a panic in the QUIC transport parameter parsing by sending a crafted Initial packet with malformed varint encodings. The fix replaces unsafe unwrap() calls with proper error handling.

Fixes: CVE-2026-31812
Co-Authored-By: Claude Haiku 4.5
---
 Cargo.lock | 53 +++++++++++++++++++++++++---------------------------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f4d017832d237..c5f09ea134ca1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4024,8 +4024,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8"
 dependencies = [
 "cfg-if",
+ "js-sys",
 "libc",
 "wasi 0.13.3+wasi-0.2.2",
+ "wasm-bindgen",
 "windows-targets 0.52.6",
 ]
 
@@ -5391,10 +5393,11 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.65"
+version = "0.3.94"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54c0c35952f67de54bb584e9fd912b3023117cbafc0a77d8f3dee1fb5f572fe8"
+checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9"
 dependencies = [
+ "once_cell",
 "wasm-bindgen",
 ]
 
@@ -5872,6 +5875,12 @@ dependencies = [
 "linked-hash-map",
 ]
 
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "lua-src"
 version = "547.0.0"
@@ -8058,13 +8067,14 @@ dependencies = [
 
 [[package]]
 name = "quinn-proto"
-version = "0.11.9"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
 "bytes 1.10.1",
- "getrandom 0.2.15",
- "rand 0.8.5",
+ "getrandom 0.3.1",
+ "lru-slab",
+ "rand 0.9.1",
 "ring",
 "rustc-hash",
 "rustls 0.23.23",
@@ -12200,27 +12210,14 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.100"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
+checksum = "0551fc1bb415591e3372d0bc4780db7e587d84e2a7e79da121051c5c4b89d0b0"
 dependencies = [
 "cfg-if",
 "once_cell",
 "rustversion",
 "wasm-bindgen-macro",
-]
-
-[[package]]
-name = "wasm-bindgen-backend"
-version = "0.2.100"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
-dependencies = [
- "bumpalo",
- "log",
- "proc-macro2 1.0.95",
- "quote 1.0.40",
- "syn 2.0.101",
 "wasm-bindgen-shared",
 ]
 
@@ -12238,9 +12235,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.100"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
+checksum = "7fbdf9a35adf44786aecd5ff89b4563a90325f9da0923236f6104e603c7e86be"
 dependencies = [
 "quote 1.0.40",
 "wasm-bindgen-macro-support",
@@ -12248,22 +12245,22 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.100"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
+checksum = "dca9693ef2bab6d4e6707234500350d8dad079eb508dca05530c85dc3a529ff2"
 dependencies = [
+ "bumpalo",
 "proc-macro2 1.0.95",
 "quote 1.0.40",
 "syn 2.0.101",
- "wasm-bindgen-backend",
 "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.100"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
+checksum = "39129a682a6d2d841b6c429d0c51e5cb0ed1a03829d8b3d1e69a011e62cb3d3b"
 dependencies = [
 "unicode-ident",
 ]