fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory (#97)
CI / Check (push) Has been skipped
CI / Detect Changes (push) Successful in 3s
CI / Deploy Agent (push) Successful in 3m55s
CI / Deploy Dashboard (push) Successful in 2m44s
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Successful in 1m50s
CI / Check (push) Has been skipped
CI / Detect Changes (push) Successful in 3s
CI / Deploy Agent (push) Successful in 3m55s
CI / Deploy Dashboard (push) Successful in 2m44s
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Successful in 1m50s
RUSTSEC-2026-0185 (quinn-proto 0.11.14): patch-bump to 0.11.15. RUSTSEC-2026-0189 (rmcp 0.16 DNS rebinding): added to ignore with public-hostname + bearer-auth threat-model justification; rmcp 0.16->2.x migration tracked as a separate multi-hour PR.
This commit was merged in pull request #97.
This commit is contained in:
@@ -7,4 +7,17 @@ ignore = [
|
|||||||
# not a realistic attack surface here. Revisit when mongodb bumps hickory.
|
# not a realistic attack surface here. Revisit when mongodb bumps hickory.
|
||||||
"RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
|
"RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
|
||||||
"RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
|
"RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
|
||||||
|
|
||||||
|
# rmcp 0.16.0 — DNS rebinding in Streamable HTTP server transport (missing
|
||||||
|
# Host header validation). Patched in rmcp >= 1.4.0, which is a major API
|
||||||
|
# version jump from our pin; rmcp shipped 0.x → 1.x → 2.x in three months
|
||||||
|
# and the migration touches every tool handler + the auth middleware we
|
||||||
|
# just landed in #92. Threat model in our deployment: the MCP server is
|
||||||
|
# exposed at a public hostname (comp-mcp-dev.meghsakha.com) behind orca's
|
||||||
|
# TLS-terminating ingress with per-tenant bearer auth — the attack model
|
||||||
|
# (browser DNS-rebinding into localhost MCP server) doesn't directly apply.
|
||||||
|
# Defense-in-depth Host-header check is still a worthwhile follow-up.
|
||||||
|
# FOLLOW-UP: bump rmcp to 2.x in a dedicated PR (M7.3 follow-up, sized
|
||||||
|
# multi-hour due to API surface change).
|
||||||
|
"RUSTSEC-2026-0189",
|
||||||
]
|
]
|
||||||
|
|||||||
Generated
+2
-2
@@ -4282,9 +4282,9 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "quinn-proto"
|
name = "quinn-proto"
|
||||||
version = "0.11.14"
|
version = "0.11.15"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
|
checksum = "4fcb935c5bec503c2f0e306bdd3e58bb9029dcb14fa8d9ac76e3a5256ac0763e"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"bytes",
|
"bytes",
|
||||||
"getrandom 0.3.4",
|
"getrandom 0.3.4",
|
||||||
|
|||||||
Reference in New Issue
Block a user