fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory #97

Merged
sharang merged 1 commits from fix/audit-quinn-rmcp-ignore into main 2026-06-30 16:07:01 +00:00
Owner

Summary

Two new RUSTSEC advisories landed between 2026-06-18 (last green CI run on M7.3 branches) and 2026-06-30 that started failing every PR's cargo audit step. This PR unblocks the M7.3 merge train (#96, #94).

Changes

  • RUSTSEC-2026-0185 — quinn-proto 0.11.14 → 0.11.15 via cargo update -p quinn-proto. Patch release, no API change.
  • RUSTSEC-2026-0189 — rmcp 0.16.0 DNS rebinding in Streamable HTTP server transport. Patched in >= 1.4.0 but that's a major API jump (rmcp shipped 0.x → 1.x → 2.x in three months). Added to .cargo/audit.toml ignore list with the threat-model justification: our MCP server is a public-hostname deployment behind orca's TLS-terminating ingress with per-tenant bearer auth (just landed in #92). Browser DNS-rebinding into a victim's localhost MCP server doesn't apply here.

Follow-up

A dedicated PR will migrate rmcp 0.16 → 2.x and remove RUSTSEC-2026-0189 from the ignore list. Sized multi-hour due to API surface change — not blocking M7.3 close.

Test plan

  • cargo audit clean locally — no error: N vulnerabilities found, 8 allowed warnings (unchanged)
  • No code changes; existing test suite unaffected

🤖 Generated with Claude Code

sharang added 1 commit 2026-06-30 15:49:02 +00:00
fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory
CI / Check (pull_request) Successful in 8m1s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
fce9f1cbf1
Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30
that started failing every PR's `cargo audit` step:

- RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via
  unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver-
  compatible). `cargo update -p quinn-proto`, no API change.

- RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP
  server transport due to missing Host-header validation. Patched in
  rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped
  0.x -> 1.x -> 2.x in three months and the migration touches every
  tool handler + the auth middleware just landed in #92).

  Added to ignore with justification: our MCP server is exposed at a
  public hostname behind orca's TLS-terminating ingress with per-tenant
  bearer auth. The attack model (browser DNS-rebinding into a victim's
  localhost MCP server) doesn't apply to a public-hostname deployment.
  Defense-in-depth Host-header validation remains worthwhile, tracked
  as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x.

Unblocks #96 and #94.
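Host-header allowlisting, the defense-in-depth mitigation the commit message says remains worthwhile, as an added example in Rust. It is not code from this PR or from the rmcp crate; the type names, the rejection reasons and the sample allowlist (including the hostname `mcp.example.internal`) are assumptions.

```rust
// Added example (not code from this PR or from the rmcp crate): allowlist-based
// Host-header validation, the DNS-rebinding mitigation referred to above.
// Type names and the sample allowlist below are assumptions.

/// Reason an incoming request's Host header was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum HostRejection {
    /// No Host header at all (HTTP/1.1 requires one, so treat absence as hostile).
    Missing,
    /// Present but not a syntactically valid `host[:port]`.
    Malformed,
    /// Well-formed, but names a host this server is not deployed under.
    NotAllowed,
}

/// The set of hostnames this server legitimately answers for.
pub struct HostAllowlist {
    names: Vec<String>,
}

impl HostAllowlist {
    /// Build an allowlist; names are normalised (lowercase, no trailing dot)
    /// so that later comparisons are exact string matches.
    pub fn new(names: &[&str]) -> Self {
        HostAllowlist { names: names.iter().map(|n| normalise(n)).collect() }
    }

    /// Validate the raw Host header value of an incoming request. A rebound
    /// request still carries the attacker's domain in Host, so it never matches.
    pub fn check(&self, header: Option<&str>) -> Result<(), HostRejection> {
        let raw = header
            .map(str::trim)
            .filter(|h| !h.is_empty())
            .ok_or(HostRejection::Missing)?;
        let (host, _port) = split_host_port(raw).ok_or(HostRejection::Malformed)?;
        if self.names.iter().any(|n| *n == host) {
            Ok(())
        } else {
            Err(HostRejection::NotAllowed)
        }
    }
}

/// Lowercase and strip a trailing dot: "LOCALHOST." and "localhost" compare equal.
fn normalise(name: &str) -> String {
    name.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// Split `host[:port]` into a normalised host and an optional port, accepting
/// bracketed IPv6 literals. Anything malformed yields None so that a crafted
/// header cannot satisfy the comparison with one name while carrying another.
fn split_host_port(raw: &str) -> Option<(String, Option<u16>)> {
    if let Some(rest) = raw.strip_prefix('[') {
        // IPv6 literal: "[::1]" or "[::1]:8080"
        let end = rest.find(']')?;
        let host = &rest[..end];
        if host.is_empty() || !host.chars().all(|c| c.is_ascii_hexdigit() || c == ':' || c == '.') {
            return None;
        }
        let port = match &rest[end + 1..] {
            "" => None,
            tail => Some(tail.strip_prefix(':')?.parse::<u16>().ok()?),
        };
        return Some((normalise(host), port));
    }
    // Hostname or IPv4 literal: at most one ':' separating host from port.
    let mut parts = raw.splitn(2, ':');
    let host = parts.next()?;
    // Only characters legal in a DNS name or a dotted quad.
    if host.is_empty() || !host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.') {
        return None;
    }
    let port = match parts.next() {
        None => None,
        Some(p) => Some(p.parse::<u16>().ok()?),
    };
    Some((normalise(host), port))
}

fn main() {
    // Constructed sample: the loopback names a local server answers on, plus the
    // public hostname it is deployed under (an assumed name, not the PR's real one).
    let allow = HostAllowlist::new(&["localhost", "127.0.0.1", "::1", "mcp.example.internal"]);
    let samples = [
        Some("localhost:8080"),
        Some("LOCALHOST."),
        Some("[::1]:8080"),
        Some("rebind.attacker.example"),
        Some("localhost:8080 extra"),
        None,
    ];
    for hdr in samples {
        println!("{:?} -> {:?}", hdr, allow.check(hdr));
    }
}
```

The check runs before any tool handler, and the allowlist is the set of names the server is actually reachable under; for the public-hostname deployment described above that would be the ingress hostname, for a local developer instance the loopback names. Rejecting malformed values outright, rather than parsing whatever prefix looks valid, keeps the comparison from being satisfied by a header that a proxy in front would read differently.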
sharang merged commit e9536b6d98 into main 2026-06-30 16:07:01 +00:00

Reference: sharang/compliance-scanner-agent#97