Update Patched Fix openssl X509StoreRef::objects is unsound

[bangtabil]

This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back.

Use of this function should be replaced with X509StoreRef::all_certificates.

[coveralls-official]

Pull Request Test Coverage Report for Build 8423840451

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.07%) to 94.427%

---

Totals
Change from base Build 8310295107:	0.07%
Covered Lines:	5761
Relevant Lines:	6101

---

💛 - Coveralls

[Rigidity]

Hey, I don't quite follow this - there aren't any code changes other than a version bump in the lockfile, so I'm not sure if this would actually fix the mentioned issue?

We only work with certificates in the chia-ssl crate of chia_rs, and I don't think we use the X509StoreRef::objects method.

[Rigidity]

I see, the relevant issue is sfackler/rust-openssl#2096?

Looks like CI is failing, so will have to look into that. And ideally bump whichever crate indirectly depends on OpenSSL as well.

[arvidn]

this should also be addressed in the Cargo.toml file, right?
Also, once addressed, we should remove this exception: https://github.com/Chia-Network/clvm_rs/blob/main/.github/workflows/dependency-review.yml#L22C24-L22C43

[bangtabil]

Hi Team @Rigidity,

Thank you for your respond. bellow I provide additional information.

You can see at #394 that Chia-Network is using the vulnerable version "0.10.55".

[bangtabil]

I updated some packages to avoid the attacks I listed. I hope in the future. this version is always updated. because every vulnerability will exist every year. according to CVE / CWE standards.

[jack60612]

thanks for your contribution, this was merged into one big pr and included

[jack60612]

Thanks! Included in #435.