Deps.rs

openssl-sys 0.9.112

[![dependency status](https://deps.rs/crate/openssl-sys/0.9.112/status.svg)](https://deps.rs/crate/openssl-sys/0.9.112)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate openssl-sys

Dependencies

(4 total, 1 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 aws-lc-fips-sys ⚠️^0.130.13.14maybe insecure
 aws-lc-sys ⚠️^0.380.41.0out of date
 bssl-sys^0.1.00.1.0up to date
 libc^0.20.2.186up to date

Security Vulnerabilities

aws-lc-fips-sys: CRL Distribution Point Scope Check Logic Error in AWS-LC

RUSTSEC-2026-0042

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.

Customers of AWS services do not need to take action. aws-lc-fips-sys contains code from AWS-LC. Applications using aws-lc-fips-sys should upgrade to the most recent release of aws-lc-fips-sys.

Workarounds

Applications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.

Otherwise, there is no workaround and applications using aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-fips-sys.

aws-lc-sys: AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

RUSTSEC-2026-0044

A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAME_CONSTRAINTS_check_CN to skip validation. However, X509_check_host accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.

Customers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Workarounds

Applications that set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.

aws-lc-sys: CRL Distribution Point Scope Check Logic Error in AWS-LC

RUSTSEC-2026-0048

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Workarounds

Applications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.