chore: Bump rand and rustls-webpki, ignore RUSTSEC-2026-0097

dervoeti · dervoeti · commit e7022eb69622 · 2026-04-15T13:09:15.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
   but ignored ([#878]).
 - Document Helm deployed RBAC permissions and remove unnecessary permissions ([#869]).
 - Bump `stackable-operator` to 0.110.0 and `kube` to 3.1.0 ([#878]).
+- Bump `rand` to 0.9.4 and `rustls-webpki` to 0.103.12 to clear recent advisories, ignore RUSTSEC-2026-0097 ([#878]).
 
 ### Fixed
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/deny.toml b/deny.toml
@@ -38,6 +38,25 @@ ignore = [
     #
     # This can only be removed again if we decide to use a different crate.
     "RUSTSEC-2024-0436",
+
+    # https://rustsec.org/advisories/RUSTSEC-2026-0097
+    # "rand" crate: unsound with a custom logger using `rand::rng()`
+    #
+    # Triggering the UB requires all of the following to hold at once:
+    #   - rand is built with the `log` and `thread_rng` features enabled
+    #   - a custom `log::Log` implementation is installed that calls
+    #     `rand::rng()` and invokes `TryRng`/`RngCore` methods on `ThreadRng`
+    #   - that `ThreadRng` reseeds while being called from the logger
+    #   - trace-level logging is enabled (or warn-level when `getrandom` fails)
+    #
+    # In our build the `log` feature of `rand` is not enabled (see Cargo.lock:
+    # `rand 0.8.5` only depends on `rand_chacha` and `rand_core`, not `log`),
+    # so the first precondition cannot be met and the unsoundness is unreachable.
+    #
+    # The affected `rand 0.8.5` is a transitive dependency via the `rsa` crate.
+    # As of 2026-04-15, no stable `rsa` release has dropped a fixed version
+    # of `rand` yet.
+    "RUSTSEC-2026-0097",
 ]
 
 [bans]
