fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory

Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30
that started failing every PR's `cargo audit` step:

- RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via
  unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver-
  compatible). `cargo update -p quinn-proto`, no API change.

- RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP
  server transport due to missing Host-header validation. Patched in
  rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped
  0.x -> 1.x -> 2.x in three months and the migration touches every
  tool handler + the auth middleware just landed in #92).

  Added to ignore with justification: our MCP server is exposed at a
  public hostname behind orca's TLS-terminating ingress with per-tenant
  bearer auth. The attack model (browser DNS-rebinding into a victim's
  localhost MCP server) doesn't apply to a public-hostname deployment.
  Defense-in-depth Host-header validation remains worthwhile, tracked
  as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x.

Unblocks #96 and #94.
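The commit message defers the defense-in-depth Host-header validation it mentions to a later rmcp migration. The following is an added, stand-alone illustration of what such a check looks like; it is not rmcp's code, not this repository's code, and it does not use any rmcp API. The allowlist, the expected port and the header values in the test are constructed; `host_header_allowed` and `split_host_port` are names chosen here.

```rust
// Added example (not rmcp's or this project's code): an allowlist check on
// the HTTP Host header, the usual defense-in-depth control against DNS
// rebinding. A rebinding attack relies on the server accepting a request
// whose Host header names the attacker's domain; refusing any Host that is
// not a hostname the server is configured to serve closes that path.

/// Split a Host header value into (lowercased host, optional port).
/// Handles bracketed IPv6 literals such as "[::1]:8080". Returns None for
/// empty or malformed values (including a bare unbracketed IPv6 address).
fn split_host_port(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim();
    if v.is_empty() {
        return None;
    }
    if let Some(rest) = v.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        let after = &rest[end + 1..];
        let port = match after {
            "" => None,
            p => Some(p.strip_prefix(':')?.parse::<u16>().ok()?),
        };
        return Some((host.to_ascii_lowercase(), port));
    }
    match v.rsplit_once(':') {
        // "host:port" with a single colon
        Some((h, p)) if !h.contains(':') => {
            let port: u16 = p.parse().ok()?;
            Some((h.to_ascii_lowercase(), Some(port)))
        }
        // more than one colon without brackets is not a valid Host value
        Some(_) => None,
        None => Some((v.to_ascii_lowercase(), None)),
    }
}

/// Return true only when the request's Host header names one of
/// `allowed_hosts` (compared case-insensitively). A missing or malformed
/// Host header is rejected. If `expected_port` is Some, a port present in
/// the header must equal it; an absent port is accepted as the default.
pub fn host_header_allowed(
    host_header: Option<&str>,
    allowed_hosts: &[&str],
    expected_port: Option<u16>,
) -> bool {
    let Some(raw) = host_header else { return false };
    let Some((host, port)) = split_host_port(raw) else { return false };
    if !allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(&host)) {
        return false;
    }
    match (port, expected_port) {
        (Some(p), Some(e)) => p == e,
        _ => true,
    }
}

fn main() {
    // Constructed configuration: the public hostname the ingress serves.
    let allowed = ["mcp.example.com"];
    for hdr in [Some("mcp.example.com"), Some("localhost:8080"), None] {
        println!("{:?} -> {}", hdr, host_header_allowed(hdr, &allowed, Some(443)));
    }
}
```

The check belongs at the transport layer, before any tool handler runs, so that every route is covered; comparing the host part case-insensitively and tolerating an explicit default port avoids false rejections from well-behaved clients while still refusing `localhost`, loopback IP literals and any hostname the attacker controls.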
Sharang Parnerkar
2026-06-30 17:48:42 +02:00
parent a3a96fe2cc
commit fce9f1cbf1
2 changed files with 15 additions and 2 deletions
@@ -4282,9 +4282,9 @@ dependencies = [
[[package]]
name = "quinn-proto"
version = "0.11.14"
version = "0.11.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
checksum = "4fcb935c5bec503c2f0e306bdd3e58bb9029dcb14fa8d9ac76e3a5256ac0763e"
dependencies = [
"bytes",
"getrandom 0.3.4",
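Review bot: the ignore entry for RUSTSEC-2026-0189 described in the message is not part of this hunk, which only carries the quinn-proto 0.11.14 -> 0.11.15 version and checksum lines in the lock file; the second of the two changed files should be reviewed together with it, and the ignore should carry the deployment justification and the M7.3 follow-up reference inline so it does not silently outlive the planned rmcp migration. The lock-file change itself is consistent with a plain `cargo update -p quinn-proto` and no manifest edit, as expected for a semver-compatible patch.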