CVE-2026-45108
Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions from 2.0.0 up to, but not including, the fixed releases 2.3.11 and 3.1.5, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function compared only the domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authentication bypass in Himmelblau's DAG flow (2.0.0–2.3.10, 3.0.0–3.1.4) lets an attacker in the same Entra domain impersonate another user on the local Unix session.
Vulnerability
Himmelblau versions from 2.0.0 up to but not including 2.3.11, and from 3.0.0 up to but not including 3.1.5, contain an authentication bypass in the Device Authorization Grant (DAG) flow. The token_validate function correctly validates domain aliases for multi-domain scenarios but fails to verify the local part (username) of the authenticated user's User Principal Name (UPN) against the requested account username. Only the domain portion is compared. This allows a user in the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability is exploitable when enable_experimental_mfa = false (non-default) or when MFA falls back to DAG after interruption [1].
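The gap between a domain-only comparison and a comparison of the full UPN, as an added example that is not Himmelblau's code: split_upn, AliasTable and the two validate_* functions are hypothetical stand-ins, and the alias list and sample accounts are constructed.

```rust
use std::collections::HashSet;

/// Split a UPN such as "alice@example.com" into (local part, domain).
/// Returns None when '@' is missing or either side is empty.
fn split_upn(upn: &str) -> Option<(&str, &str)> {
    let (local, domain) = upn.rsplit_once('@')?;
    if local.is_empty() || domain.is_empty() {
        return None;
    }
    Some((local, domain))
}

/// Hypothetical stand-in for the configured domain list: every domain in
/// the set is treated as an alias of every other one (multi-domain tenant).
struct AliasTable {
    domains: HashSet<String>,
}

impl AliasTable {
    fn new(domains: &[&str]) -> Self {
        AliasTable {
            domains: domains.iter().map(|d| d.to_lowercase()).collect(),
        }
    }

    fn are_aliases(&self, a: &str, b: &str) -> bool {
        let (a, b) = (a.to_lowercase(), b.to_lowercase());
        a == b || (self.domains.contains(&a) && self.domains.contains(&b))
    }
}

/// Behaviour the advisory describes before the fix: when the requested
/// account and the token UPN differ, only the domains are compared.
fn validate_domain_only(aliases: &AliasTable, requested: &str, token_upn: &str) -> bool {
    if requested.to_lowercase() == token_upn.to_lowercase() {
        return true;
    }
    match (split_upn(requested), split_upn(token_upn)) {
        (Some((_, d1)), Some((_, d2))) => aliases.are_aliases(d1, d2),
        _ => false,
    }
}

/// Behaviour after the fix: the local parts must match (case-insensitively)
/// AND the domains must be equal or configured aliases.
fn validate_full_identity(aliases: &AliasTable, requested: &str, token_upn: &str) -> bool {
    if requested.to_lowercase() == token_upn.to_lowercase() {
        return true;
    }
    match (split_upn(requested), split_upn(token_upn)) {
        (Some((l1, d1)), Some((l2, d2))) => {
            l1.to_lowercase() == l2.to_lowercase() && aliases.are_aliases(d1, d2)
        }
        _ => false,
    }
}

/// Constructed cases: (requested local account, UPN carried by the token).
fn sample_cases() -> Vec<(&'static str, &'static str)> {
    vec![
        ("bob@example.com", "bob@example.com"),    // same user
        ("bob@example.com", "Bob@Example.NET"),    // same user via alias domain
        ("bob@example.com", "alice@example.com"),  // other user, same domain
        ("bob@example.com", "alice@example.net"),  // other user, alias domain
        ("bob@example.com", "bob@unrelated.test"), // same name, foreign domain
        ("bob@example.com", "bob"),                // malformed UPN
    ]
}

/// Cases the domain-only check accepts and the full check rejects.
fn impersonation_gaps(aliases: &AliasTable) -> Vec<(&'static str, &'static str)> {
    sample_cases()
        .into_iter()
        .filter(|(req, tok)| {
            validate_domain_only(aliases, req, tok) && !validate_full_identity(aliases, req, tok)
        })
        .collect()
}

fn main() {
    let aliases = AliasTable::new(&["example.com", "example.net"]);
    for (req, tok) in sample_cases() {
        println!(
            "requested={:<16} token={:<19} domain_only={:<5} full={}",
            req,
            tok,
            validate_domain_only(&aliases, req, tok),
            validate_full_identity(&aliases, req, tok)
        );
    }
    println!("accepted only by the domain-only check: {:?}", impersonation_gaps(&aliases));
}
```

The legitimate alias case (same local part, aliased domain) is accepted by both checks, which is why a regression test for this class of bug needs a same-domain, different-user case rather than only a foreign-domain one.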
Exploitation
An attacker must be a user within the same configured Entra ID domain (e.g., both alice@example.com and bob@example.com). They cannot be an external user from a different domain. In a typical attack, the victim locks their workstation, which displays a QR code for DAG authentication. The attacker scans the QR code, authenticates with their own Entra ID credentials via the DAG flow, and receives a valid token. Since the token's UPN domain matches but the username part is not checked, Himmelblau grants the attacker a local Unix session as the victim user [1].
Impact
On success, the attacker gains local access to the victim's files, home directory, and Unix session. However, the underlying Entra token remains the attacker's own — they do not gain access to the victim's Entra account, SSO sessions, cloud resources, or Azure services. The compromise is limited to local session impersonation within the same domain and only via the DAG authentication flow. Hello PIN authentication is unaffected [1].
Mitigation
The vulnerability is fixed in Himmelblau versions 2.3.11 and 3.1.5, released on 2026-05-27 [1]. Users should upgrade to these versions immediately. No workaround has been published. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=2.0.0,<2.3.11 || >=2.0.0,<3.1.5
- (no CPE) range: >=2.0.0, <3.1.5
Patches
114933756a0dc2 Reject auth when token spn local part differs from requested account_id
1 file changed · +8 −3
src/common/src/idprovider/himmelblau.rs+8 −3 modified@@ -3043,17 +3043,22 @@ impl HimmelblauProvider { if account_id.to_string().to_lowercase() != spn.to_string().to_lowercase() { /* Fixes bug#801: The authenticated user might have a mis-matched * response because the domains are aliases of one another. + * Both the local part AND the domains must match — otherwise a + * different user authenticating in the same tenant would be + * silently accepted (e.g. user2 unlocking user1's locked screen + * via a passkey QR scan). */ let mut cfg = self.config.write().await; - let (_, domain1) = split_username(account_id).ok_or({ + let (local1, domain1) = split_username(account_id).ok_or_else(|| { error!("Failed splitting account_id username"); IdpError::BadRequest })?; - let (_, domain2) = split_username(&spn).ok_or({ + let (local2, domain2) = split_username(&spn).ok_or_else(|| { error!("Failed splitting spn username"); IdpError::BadRequest })?; - if !cfg.domains_are_aliases(domain1, domain2).await { + let domains_match = cfg.domains_are_aliases(domain1, domain2).await; + if local1.to_lowercase() != local2.to_lowercase() || !domains_match { let msg = format!("Authenticated user {} does not match requested user", uuid); error!(msg);
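Review bot: the new condition computes `domains_match` before it looks at the local parts, so `cfg.domains_are_aliases(domain1, domain2).await` still runs, under the `self.config.write()` guard, for a request whose `local1` and `local2` already differ. Compare the lowercased local parts first and return the mismatch error before the alias lookup, keeping the alias call for the case where the local parts agree. The commit touches one file and adds no test; a regression case that passes two different users of the same domain as `account_id` and `spn` and expects rejection would pin the behaviour the new comment describes.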
ba52c3df7a46 Reject auth when token spn local part differs from requested account_id
1 file changed · +9 −5
src/common/src/idprovider/himmelblau.rs+9 −5 modified@@ -4361,22 +4361,26 @@ impl HimmelblauProvider { if account_id.to_string().to_lowercase() != spn.to_string().to_lowercase() { /* Fixes bug#801: The authenticated user might have a mis-matched * response because the domains are aliases of one another. + * Both the local part AND the domains must match — otherwise a + * different user authenticating in the same tenant would be + * silently accepted (e.g. user2 unlocking user1's locked screen + * via a passkey QR scan). */ - let (_, domain1) = split_username(account_id).ok_or({ + let (local1, domain1) = split_username(account_id).ok_or_else(|| { error!("Failed splitting account_id username"); IdpError::BadRequest })?; - let (_, domain2) = split_username(&spn).ok_or({ + let (local2, domain2) = split_username(&spn).ok_or_else(|| { error!("Failed splitting spn username"); IdpError::BadRequest })?; - if !self + let domains_match = self .config .lock() .await .domains_are_aliases(domain1, domain2) - .await - { + .await; + if local1.to_lowercase() != local2.to_lowercase() || !domains_match { let msg = format!("Authenticated user {} does not match requested user", uuid); error!(msg);
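Review bot: the rejection path at `let msg = format!("Authenticated user {} does not match requested user", uuid);` logs only `uuid`, so a same-tenant local-part mismatch (the case this change closes) and a non-alias domain mismatch produce the same log line. Include the requested `account_id` and the token `spn`, or at least which of the two comparisons failed, so that rejected attempts against another user's account can be told apart when the logs are reviewed.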
445569d9eae4 cargo audit
2 files changed · +39 −12
Cargo.lock+12 −12 modified@@ -346,7 +346,7 @@ dependencies = [ "memoffset 0.8.0", "openssl", "openssl-sys", - "rand 0.8.5", + "rand 0.8.6", "runloop", "serde", "serde_bytes", @@ -1114,7 +1114,7 @@ dependencies = [ "p521", "pbkdf2", "pkcs8", - "rand 0.8.5", + "rand 0.8.6", "rsa", "sec1", "serde", @@ -3294,7 +3294,7 @@ dependencies = [ "num-integer", "num-iter", "num-traits", - "rand 0.8.5", + "rand 0.8.6", "smallvec", "zeroize", ] @@ -3386,7 +3386,7 @@ dependencies = [ "chrono", "getrandom 0.2.16", "http", - "rand 0.8.5", + "rand 0.8.6", "reqwest 0.12.24", "serde", "serde_json", @@ -3440,7 +3440,7 @@ dependencies = [ "oauth2", "p256", "p384", - "rand 0.8.5", + "rand 0.8.6", "rsa", "serde", "serde-value", @@ -4147,9 +4147,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.12" +version = "0.11.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e" +checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" dependencies = [ "aws-lc-rs", "bytes", @@ -4198,9 +4198,9 @@ checksum = "74765f6d916ee2faa39bc8e68e4f3ed8949b48cccdac59983d287a7cb71ce9c5" [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha 0.3.1", @@ -4624,9 +4624,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" [[package]] name = "rustls-webpki" -version = "0.103.10" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ "aws-lc-rs", "ring", 
@@ -5006,7 +5006,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "88e79009728d8311d42d754f2f319a975f9e38f156fd5e422d2451486c78b286" dependencies = [ "base64ct", - "rand 0.8.5", + "rand 0.8.6", "sha2 0.10.9", "subtle", ]
supply-chain/imports.lock+27 −0 modified@@ -1965,6 +1965,18 @@ criteria = "safe-to-deploy" delta = "0.10.0 -> 0.10.1" notes = "Minor logging-based updated fixing a recent advisory for the crate." +[[audits.bytecode-alliance.audits.rustls-webpki]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.103.10 -> 0.103.12" +notes = "Minor updates to address recent vulnerabilities, nothing awry." + +[[audits.bytecode-alliance.audits.rustls-webpki]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.103.12 -> 0.103.13" +notes = "Minor fixes for the bug being fixed in this release, nothing awry." + [[audits.bytecode-alliance.audits.semver]] who = "Pat Hickey <phickey@fastly.com>" criteria = "safe-to-deploy" @@ -3159,6 +3171,11 @@ who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" delta = "0.3.32 -> 0.3.33" +[[audits.himmelblau.audits.quinn-proto]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.11.12 -> 0.11.14" + [[audits.himmelblau.audits.rpassword]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" @@ -4417,6 +4434,16 @@ criteria = "safe-to-deploy" delta = "0.5.12 -> 0.5.13" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.rand]] +who = "Henrik Skupin <mail@hskupin.info>" +criteria = "safe-to-deploy" +delta = "0.8.5 -> 0.8.6" +notes = """ +Fixes RUSTSEC-2026-0097 by removing `log` dependency. Removes `simd_support` +feature. No new dependencies or unsafe code. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.rusqlite]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy"
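Review bot: the commit message is only "cargo audit", and of the three version bumps in Cargo.lock (rand 0.8.5 to 0.8.6, quinn-proto 0.11.12 to 0.11.14, rustls-webpki 0.103.10 to 0.103.13) only the imported rand audit names an advisory, RUSTSEC-2026-0097. The `audits.himmelblau.audits.quinn-proto` entry has no `notes` field, and the rustls-webpki notes say only "recent vulnerabilities". Record the advisory that prompted each bump in the commit message or in the audit notes so the reason for the update survives in the history.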
e3f70dd1562e cargo vet
3 files changed · +346 −307
supply-chain/audits.toml+25 −0 modified@@ -219,6 +219,11 @@ who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" delta = "0.11.0-rc.11 -> 0.11.0" +[[audits.digest]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.11.0 -> 0.11.0-rc.12" + [[audits.digest]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" @@ -419,6 +424,11 @@ who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.1" +[[audits.pastey]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.2.1 -> 0.2.2" + [[audits.pem]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" @@ -429,6 +439,11 @@ who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.4" +[[audits.pkcs5]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +version = "0.7.1" + [[audits.rand_core]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" @@ -474,11 +489,21 @@ who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" delta = "0.103.6 -> 0.103.10" +[[audits.salsa20]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +version = "0.10.2" + [[audits.scraper]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy" version = "0.25.0" +[[audits.scrypt]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +version = "0.11.0" + [[audits.security-framework]] who = "David Mulder <dmulder@samba.org>" criteria = "safe-to-deploy"
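Review bot: the added `[[audits.digest]]` entry has `delta = "0.11.0 -> 0.11.0-rc.12"`, which runs from the release back to a release candidate, while the context entry just above it is `delta = "0.11.0-rc.11 -> 0.11.0"`. Confirm the direction is intended and, if the dependency tree really resolves to 0.11.0-rc.12, say so in a `notes` field. The new full-version audits for pkcs5, salsa20 and scrypt also carry no notes on what was reviewed, which is worth adding for crates with cryptographic code.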
supply-chain/config.toml+3 −16 modified@@ -19,6 +19,9 @@ url = "https://raw.githubusercontent.com/fermyon/spin/main/supply-chain/audits.t [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" +[imports.himmelblau] +url = "https://raw.githubusercontent.com/himmelblau-idm/himmelblau/refs/heads/main/supply-chain/audits.toml" + [imports.isrg] url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" @@ -457,10 +460,6 @@ criteria = "safe-to-deploy" version = "1.0.4" criteria = "safe-to-deploy" -[[exemptions.lazycell]] -version = "1.3.0" -criteria = "safe-to-deploy" - [[exemptions.lber]] version = "0.4.2" criteria = "safe-to-deploy" @@ -641,10 +640,6 @@ criteria = "safe-to-deploy" version = "0.8.5" criteria = "safe-to-deploy" -[[exemptions.picky-asn1]] -version = "0.8.0" -criteria = "safe-to-deploy" - [[exemptions.picky-asn1]] version = "0.10.1" criteria = "safe-to-deploy" @@ -653,10 +648,6 @@ criteria = "safe-to-deploy" version = "0.4.1" criteria = "safe-to-deploy" -[[exemptions.picky-asn1-x509]] -version = "0.12.0" -criteria = "safe-to-deploy" - [[exemptions.pin-project]] version = "1.1.10" criteria = "safe-to-deploy" @@ -937,10 +928,6 @@ criteria = "safe-to-deploy" version = "1.0.1" criteria = "safe-to-deploy" -[[exemptions.which]] -version = "4.3.0" -criteria = "safe-to-deploy" - [[exemptions.winapi]] version = "0.3.9" criteria = "safe-to-deploy"
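Review bot: `[imports.himmelblau]` points at `refs/heads/main` of the project's own `supply-chain/audits.toml`, so audits recorded on that branch are accepted here without appearing in this tree's review. State in the commit message why the self-import is needed. The same file drops the exemptions for lazycell 1.3.0, picky-asn1 0.8.0, picky-asn1-x509 0.12.0 and which 4.3.0 without explanation; note whether those crates left the dependency tree or are now covered by an audit.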
supply-chain/imports.lock+318 −291 modified@@ -3,7 +3,7 @@ [[unpublished.sshkey-attest]] version = "0.5.999" -audited_as = "0.5.4" +audited_as = "0.5.5" [[publisher.aho-corasick]] version = "1.1.3" @@ -13,22 +13,22 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.anstream]] -version = "0.6.18" -when = "2024-11-04" +version = "1.0.0" +when = "2026-02-11" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle]] -version = "1.0.10" -when = "2024-11-01" +version = "1.0.14" +when = "2026-03-13" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-parse]] -version = "0.2.6" -when = "2024-10-24" +version = "1.0.0" +when = "2026-02-11" user-id = 6743 user-login = "epage" user-name = "Ed Page" @@ -76,8 +76,15 @@ user-login = "jschanck" user-name = "John Schanck" [[publisher.base64urlsafedata]] -version = "0.5.4" -when = "2025-12-10" +version = "0.5.5" +when = "2026-04-30" +user-id = 31100 +user-login = "Firstyear" +user-name = "Firstyear" + +[[publisher.base64urlsafedata]] +version = "0.6.1-dev" +when = "2026-04-30" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" @@ -110,29 +117,29 @@ user-login = "emilio" user-name = "Emilio Cobos Álvarez" [[publisher.clap]] -version = "4.5.60" -when = "2026-02-19" +version = "4.6.1" +when = "2026-04-15" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_builder]] -version = "4.5.60" -when = "2026-02-19" +version = "4.6.0" +when = "2026-03-12" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_complete]] -version = "4.5.66" -when = "2026-02-11" +version = "4.6.3" +when = "2026-04-27" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_derive]] -version = "4.5.55" -when = "2026-01-27" +version = "4.6.1" +when = "2026-04-15" user-id = 6743 user-login = "epage" user-name = "Ed Page" 
@@ -193,8 +200,8 @@ user-login = "tarcieri" user-name = "Tony Arcieri" [[publisher.crypto-glue]] -version = "0.1.13" -when = "2026-02-13" +version = "0.1.16" +when = "2026-03-20" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" @@ -351,8 +358,8 @@ user-id = 55123 user-login = "rust-lang-owner" [[publisher.hashbrown]] -version = "0.16.1" -when = "2025-11-20" +version = "0.17.0" +when = "2026-04-09" user-id = 55123 user-login = "rust-lang-owner" @@ -433,8 +440,8 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.kanidm-hsm-crypto]] -version = "0.3.5" -when = "2025-11-21" +version = "0.3.6" +when = "2026-04-30" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" @@ -447,22 +454,22 @@ user-login = "Firstyear" user-name = "Firstyear" [[publisher.kanidm_lib_crypto]] -version = "1.9.1" -when = "2026-02-24" +version = "1.10.0" +when = "2026-05-01" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" [[publisher.kanidm_lib_file_permissions]] -version = "1.9.1" -when = "2026-02-24" +version = "1.10.0" +when = "2026-05-01" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" [[publisher.kanidm_utils_users]] -version = "1.9.1" -when = "2026-02-24" +version = "1.10.0" +when = "2026-05-01" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" @@ -475,8 +482,8 @@ user-login = "Firstyear" user-name = "Firstyear" [[publisher.libc]] -version = "0.2.182" -when = "2026-02-13" +version = "0.2.186" +when = "2026-04-23" user-id = 55123 user-login = "rust-lang-owner" @@ -488,8 +495,8 @@ user-login = "fitzgen" user-name = "Nick Fitzgerald" [[publisher.libhimmelblau]] -version = "0.8.18" -when = "2026-04-08" +version = "0.8.19" +when = "2026-05-06" user-id = 247655 user-login = "dmulder" user-name = "David Mulder" 
@@ -647,6 +654,20 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.proc-macro2]] +version = "1.0.106" +when = "2026-01-21" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.quote]] +version = "1.0.45" +when = "2026-03-03" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + [[publisher.ref-cast]] version = "1.0.24" when = "2025-03-03" @@ -704,8 +725,8 @@ user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.rustls]] -version = "0.23.34" -when = "2025-10-22" +version = "0.23.38" +when = "2026-04-12" user-id = 4556 user-login = "djc" user-name = "Dirkjan Ochtman" @@ -802,8 +823,8 @@ user-login = "tarcieri" user-name = "Tony Arcieri" [[publisher.sketching]] -version = "1.9.1" -when = "2026-02-24" +version = "1.10.0" +when = "2026-05-01" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" @@ -837,22 +858,15 @@ user-login = "Thomasdezeeuw" user-name = "Thomas de Zeeuw" [[publisher.sshkey-attest]] -version = "0.5.4" -when = "2025-12-11" +version = "0.5.5" +when = "2026-04-30" user-id = 31100 user-login = "Firstyear" user-name = "Firstyear" [[publisher.syn]] -version = "1.0.109" -when = "2023-02-24" -user-id = 3618 -user-login = "dtolnay" -user-name = "David Tolnay" - -[[publisher.syn]] -version = "2.0.101" -when = "2025-04-26" +version = "2.0.117" +when = "2026-02-20" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -893,8 +907,8 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.tokio]] -version = "1.49.0" -when = "2026-01-03" +version = "1.50.0" +when = "2026-03-03" user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" @@ -1335,6 +1349,13 @@ user-id = 6743 user-login = "epage" user-name = "Ed Page" +[[publisher.winnow]] +version = "1.0.2" +when = "2026-04-21" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + [[publisher.wit-bindgen]] version = "0.51.0" when = "2026-01-12" 
@@ -1890,12 +1911,6 @@ criteria = "safe-to-deploy" version = "0.2.1" notes = "No unsafe code." -[[audits.bytecode-alliance.audits.peeking_take_while]] -who = "Nick Fitzgerald <fitzgen@gmail.com>" -criteria = "safe-to-deploy" -version = "1.0.0" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.pem-rfc7468]] who = "Chris Fallin <chris@cfallin.org>" criteria = "safe-to-deploy" @@ -1938,6 +1953,18 @@ who = "Chris Fallin <chris@cfallin.org>" criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.32" +[[audits.bytecode-alliance.audits.rand]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.9.2 -> 0.9.4" +notes = "Minor bugfix release" + +[[audits.bytecode-alliance.audits.rand]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.10.1" +notes = "Minor logging-based updated fixing a recent advisory for the crate." + [[audits.bytecode-alliance.audits.semver]] who = "Pat Hickey <phickey@fastly.com>" criteria = "safe-to-deploy" @@ -1983,24 +2010,6 @@ criteria = "safe-to-deploy" delta = "3.5.0 -> 3.6.0" notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." -[[audits.bytecode-alliance.audits.tempfile]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "3.16.0 -> 3.19.1" -notes = "Idiom and platform updates, but nothing major and nothing out of line." - -[[audits.bytecode-alliance.audits.tempfile]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "3.20.0 -> 3.21.0" -notes = "Only minor manifest/CI changes." - -[[audits.bytecode-alliance.audits.tempfile]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "3.21.0 -> 3.23.0" -notes = "Doc/test/platform updates, nothing out of the ordinary." - [[audits.bytecode-alliance.audits.thread_local]] who = "Pat Hickey <phickey@fastly.com>" criteria = "safe-to-deploy" 
@@ -2723,169 +2732,6 @@ delta = "0.1.0 -> 0.1.2" notes = "Addition of safe comparison APIs since last audit" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.proc-macro2]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -version = "1.0.78" -notes = """ -Grepped for "crypt", "cipher", "fs", "net" - there were no hits -(except for a benign "fs" hit in a doc comment) - -Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Adrian Taylor <adetaylor@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Adrian Taylor <adetaylor@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.79 -> 1.0.80" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Dustin J. 
Mitchell <djmitche@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.80 -> 1.0.81" -notes = "Comment changes only" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "danakj <danakj@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.81 -> 1.0.82" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Dustin J. Mitchell <djmitche@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.82 -> 1.0.83" -notes = "Substantive change is replacing String with Box<str>, saving memory." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.83 -> 1.0.84" -notes = "Only doc comment changes in `src/lib.rs`." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "danakj@chromium.org" -criteria = "safe-to-deploy" -delta = "1.0.84 -> 1.0.85" -notes = "Test-only changes." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.85 -> 1.0.86" -notes = """ -Comment-only changes in `build.rs`. -Reordering of `Cargo.toml` entries. -Just bumping up the version number in `lib.rs`. -Config-related changes in `test_size.rs`. 
-""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "danakj <danakj@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.86 -> 1.0.87" -notes = "No new unsafe interactions." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Liza Burakova <liza@chromium.org" -criteria = "safe-to-deploy" -delta = "1.0.87 -> 1.0.89" -notes = """ -Biggest change is adding error handling in build.rs. -Some config related changes in wrapper.rs. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.89 -> 1.0.92" -notes = """ -I looked at the delta and the previous discussion at -https://chromium-review.googlesource.com/c/chromium/src/+/5385745/3#message-a8e2813129fa3779dab15acede408ee26d67b7f3 -and the changes look okay to me (including the `unsafe fn from_str_unchecked` -changes in `wrapper.rs`). -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.92 -> 1.0.93" -notes = "No `unsafe`-related changes." 
-aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro2]] -who = "Daniel Cheng <dcheng@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.93 -> 1.0.94" -notes = "Minor doc changes and clippy lint adjustments+fixes." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -version = "1.0.35" -notes = """ -Grepped for "unsafe", "crypt", "cipher", "fs", "net" - there were no hits -(except for benign "net" hit in tests and "fs" hit in README.md) -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Adrian Taylor <adetaylor@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.35 -> 1.0.36" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.36 -> 1.0.37" -notes = """ -The delta just 1) inlines/expands `impl ToTokens` that used to be handled via -`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Dustin J. 
Mitchell <djmitche@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.37 -> 1.0.38" -notes = "Still no unsafe" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Daniel Cheng <dcheng@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.38 -> 1.0.39" -notes = "Only minor changes for clippy lints and documentation." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.quote]] -who = "Lukasz Anforowicz <lukasza@chromium.org>" -criteria = "safe-to-deploy" -delta = "1.0.39 -> 1.0.40" -notes = """ -The delta is just a simplification of how `tokens.extend(...)` call is made. -Still no `unsafe` anywhere. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.rand]] who = "Lukasz Anforowicz <lukasza@chromium.org>" criteria = "safe-to-deploy" 
@@ -3213,6 +3059,211 @@ See https://crrev.com/c/6323349 for more audit notes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.himmelblau.audits.bitfield]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.13.2 -> 0.17.0" + +[[audits.himmelblau.audits.cc]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.2.56 -> 1.2.59" + +[[audits.himmelblau.audits.cc]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.2.59 -> 1.2.60" + +[[audits.himmelblau.audits.cc]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.2.60 -> 1.2.61" + +[[audits.himmelblau.audits.darling]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.23.0" + +[[audits.himmelblau.audits.darling_core]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.23.0" + +[[audits.himmelblau.audits.darling_macro]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.23.0" + +[[audits.himmelblau.audits.dbus]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.9.10 -> 0.9.11" + +[[audits.himmelblau.audits.lru]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.16.3 -> 0.16.4" + +[[audits.himmelblau.audits.lru]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.16.4 -> 0.18.0" + +[[audits.himmelblau.audits.num_enum]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.7.5 -> 0.7.6" + +[[audits.himmelblau.audits.num_enum_derive]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.7.5 -> 0.7.6" + +[[audits.himmelblau.audits.openssl]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" 
+delta = "0.10.75 -> 0.10.76" + +[[audits.himmelblau.audits.openssl]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.10.76 -> 0.10.77" + +[[audits.himmelblau.audits.openssl]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.10.77 -> 0.10.79" + +[[audits.himmelblau.audits.openssl-sys]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.9.111 -> 0.9.112" + +[[audits.himmelblau.audits.openssl-sys]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.9.112 -> 0.9.113" + +[[audits.himmelblau.audits.openssl-sys]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.9.113 -> 0.9.115" + +[[audits.himmelblau.audits.opentelemetry-otlp]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.31.0 -> 0.31.1" + +[[audits.himmelblau.audits.pkg-config]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.3.32 -> 0.3.33" + +[[audits.himmelblau.audits.rpassword]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "7.4.0 -> 7.5.2" + +[[audits.himmelblau.audits.rustc-hash]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "2.1.1 -> 2.1.2" + +[[audits.himmelblau.audits.rustls]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.23.38 -> 0.23.40" + +[[audits.himmelblau.audits.sd-notify]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.4.5 -> 0.5.0" + +[[audits.himmelblau.audits.semver]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.0.27 -> 1.0.28" + +[[audits.himmelblau.audits.serde_with]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "3.17.0 -> 3.18.0" + +[[audits.himmelblau.audits.serde_with]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = 
"3.18.0 -> 3.19.0" + +[[audits.himmelblau.audits.serde_with_macros]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "3.17.0 -> 3.18.0" + +[[audits.himmelblau.audits.serde_with_macros]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "3.18.0 -> 3.19.0" + +[[audits.himmelblau.audits.totp-rs]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "5.7.0 -> 5.7.1" + +[[audits.himmelblau.audits.tracing-subscriber]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.3.22 -> 0.3.23" + +[[audits.himmelblau.audits.tss-esapi]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "8.0.0-alpha -> 8.0.0-alpha.2" + +[[audits.himmelblau.audits.tss-esapi-sys]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.6.0" + +[[audits.himmelblau.audits.uuid]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.21.0 -> 1.23.0" + +[[audits.himmelblau.audits.uuid]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "1.23.0 -> 1.23.1" + +[[audits.himmelblau.audits.zbus]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "5.14.0 -> 5.15.0" + +[[audits.himmelblau.audits.zbus_macros]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "5.14.0 -> 5.15.0" + +[[audits.himmelblau.audits.zbus_names]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "4.3.1 -> 4.3.2" + +[[audits.himmelblau.audits.zvariant]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "5.10.0 -> 5.11.0" + +[[audits.himmelblau.audits.zvariant_derive]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" +delta = "5.10.0 -> 5.11.0" + +[[audits.himmelblau.audits.zvariant_utils]] +who = "David Mulder <dmulder@samba.org>" +criteria = "safe-to-deploy" 
+delta = "3.3.0 -> 3.3.1" + [[audits.isrg.audits.base64]] who = "Tim Geoghegan <timg@letsencrypt.org>" criteria = "safe-to-deploy" @@ -3233,6 +3284,16 @@ who = "David Cook <dcook@divviup.org>" criteria = "safe-to-deploy" version = "0.9.0" +[[audits.isrg.audits.chacha20]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.10.0" + +[[audits.isrg.audits.cpufeatures]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "0.2.17 -> 0.3.0" + [[audits.isrg.audits.fiat-crypto]] who = "David Cook <dcook@divviup.org>" criteria = "safe-to-deploy" @@ -3379,6 +3440,11 @@ who = "Tim Geoghegan <timg@divviup.org>" criteria = "safe-to-deploy" delta = "0.9.1 -> 0.9.2" +[[audits.isrg.audits.rand]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "0.9.2 -> 0.10.0" + [[audits.isrg.audits.rand_chacha]] who = "David Cook <dcook@divviup.org>" criteria = "safe-to-deploy" @@ -4031,23 +4097,6 @@ criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.home]] -who = "Nika Layzell <nika@thelayzells.com>" -criteria = "safe-to-deploy" -version = "0.5.3" -notes = """ -Crate with straightforward code for determining the user's HOME directory. Only -unsafe code is used to invoke the Windows SHGetFolderPathW API to get the -profile directory when the USERPROFILE environment variable is unavailable. -""" -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - -[[audits.mozilla.audits.home]] -who = "Nika Layzell <nika@thelayzells.com>" -criteria = "safe-to-deploy" -delta = "0.5.3 -> 0.5.11" -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - [[audits.mozilla.audits.iana-time-zone]] who = "Mark Hammond <mhammond@skippinet.com.au>" criteria = "safe-to-deploy" 
@@ -4225,6 +4274,18 @@ version = "0.3.3" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.num-derive]] +who = "Mike Hommey <mh+mozilla@glandium.org>" +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-derive]] +who = "Mike Hommey <mh+mozilla@glandium.org>" +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.once_cell]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -4262,13 +4323,6 @@ criteria = "safe-to-deploy" delta = "1.20.3 -> 1.21.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.peeking_take_while]] -who = "Bobby Holley <bobbyholley@gmail.com>" -criteria = "safe-to-deploy" -delta = "1.0.0 -> 0.1.2" -notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu <valentin.gosu@gmail.com>" criteria = "safe-to-deploy" 
@@ -4591,10 +4645,10 @@ notes = "Big change, but nothing unsafe and lots of it is documentation and conv aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.tempfile]] -who = "Nika Layzell <nika@thelayzells.com>" +who = "Jim Blandy <jimb@red-bean.com>" criteria = "safe-to-deploy" -delta = "3.19.1 -> 3.20.0" -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" +delta = "3.16.0 -> 3.27.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-core]] who = "Kershaw Chang <kershaw@mozilla.com>" @@ -5104,16 +5158,6 @@ criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.proc-macro2]] -who = "Jack Grigg <jack@electriccoin.co>" -criteria = "safe-to-deploy" -delta = "1.0.94 -> 1.0.95" -notes = """ -Refactors code handling paths to source files, but AFAICT none of the affected -code involves filesystem access. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.prost]] who = "Jack Grigg <jack@electriccoin.co>" criteria = "safe-to-deploy" 
@@ -5320,23 +5364,6 @@ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.which]] -who = "Jack Grigg <jack@z.cash>" -criteria = "safe-to-deploy" -delta = "4.3.0 -> 4.4.0" -notes = "New APIs are remixes of existing code." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.which]] -who = "Jack Grigg <jack@electriccoin.co>" -criteria = "safe-to-deploy" -delta = "4.4.0 -> 4.4.2" -notes = """ -Crate now has `#![forbid(unsafe_code)]`, replacing its last `unsafe` block with a -dependency on the `rustix` crate. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.zeroize]] who = "Jack Grigg <jack@electriccoin.co>" criteria = "safe-to-deploy"
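Review bot: The added `audits.himmelblau` delta entries for the crypto and TPM crates (openssl `0.10.75 -> 0.10.76 -> 0.10.77 -> 0.10.79`, openssl-sys `0.9.111 -> 0.9.115`, rustls `0.23.38 -> 0.23.40`, tss-esapi `8.0.0-alpha -> 8.0.0-alpha.2`, tss-esapi-sys `0.5.0 -> 0.6.0`) are all certified `safe-to-deploy` with no `notes` field, so the record does not say what was looked at in each delta. Other entries in the same file carry a `notes` line describing the unsafe code or capabilities reviewed; adding at least a one-line note for these crates would make the certification checkable by someone importing these audits.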
a05e5258efe6 Version 3.1.5
2 files changed · +17 −17
Cargo.lock+16 −16 modified@@ -4,7 +4,7 @@ version = 3 [[package]] name = "aad-tool" -version = "3.1.4" +version = "3.1.5" dependencies = [ "anyhow", "broker-client", @@ -611,7 +611,7 @@ dependencies = [ [[package]] name = "broker" -version = "3.1.4" +version = "3.1.5" dependencies = [ "dbus", "himmelblau_unix_common", @@ -622,7 +622,7 @@ dependencies = [ [[package]] name = "broker-client" -version = "3.1.4" +version = "3.1.5" dependencies = [ "serde_json", "zbus", @@ -2050,7 +2050,7 @@ dependencies = [ [[package]] name = "himmelblau-fuzz" -version = "3.1.4" +version = "3.1.5" dependencies = [ "arbitrary", "himmelblau_unix_common", @@ -2062,7 +2062,7 @@ dependencies = [ [[package]] name = "himmelblau_policies" -version = "3.1.4" +version = "3.1.5" dependencies = [ "anyhow", "async-trait", @@ -2084,7 +2084,7 @@ dependencies = [ [[package]] name = "himmelblau_unix_common" -version = "3.1.4" +version = "3.1.5" dependencies = [ "anyhow", "async-trait", @@ -2133,7 +2133,7 @@ dependencies = [ [[package]] name = "himmelblaud" -version = "3.1.4" +version = "3.1.5" dependencies = [ "async-trait", "base64 0.22.1", @@ -2522,7 +2522,7 @@ dependencies = [ [[package]] name = "idmap" -version = "3.1.4" +version = "3.1.5" dependencies = [ "bindgen", "cc", @@ -3264,7 +3264,7 @@ checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d" [[package]] name = "nss_himmelblau" -version = "3.1.4" +version = "3.1.5" dependencies = [ "himmelblau_unix_common", "lazy_static", @@ -3370,7 +3370,7 @@ dependencies = [ [[package]] name = "o365" -version = "3.1.4" +version = "3.1.5" dependencies = [ "anyhow", "reqwest 0.12.24", @@ -3657,7 +3657,7 @@ dependencies = [ [[package]] name = "pam_himmelblau" -version = "3.1.4" +version = "3.1.5" dependencies = [ "himmelblau_unix_common", "libc", @@ -4106,7 +4106,7 @@ dependencies = [ [[package]] name = "qr-greeter" -version = "3.1.4" +version = "3.1.5" [[package]] name = "qrcodegen" 
@@ -4809,7 +4809,7 @@ dependencies = [ [[package]] name = "selinux" -version = "3.1.4" +version = "3.1.5" [[package]] name = "semver" @@ -5170,7 +5170,7 @@ dependencies = [ [[package]] name = "sshd-config" -version = "3.1.4" +version = "3.1.5" [[package]] name = "sshkey-attest" @@ -5181,7 +5181,7 @@ dependencies = [ [[package]] name = "sso" -version = "3.1.4" +version = "3.1.5" dependencies = [ "broker-client", "clap", @@ -5193,7 +5193,7 @@ dependencies = [ [[package]] name = "sso-policies" -version = "3.1.4" +version = "3.1.5" [[package]] name = "stable_deref_trait"
Cargo.toml+1 −1 modified@@ -34,7 +34,7 @@ kanidm_build_profiles = { path = "src/kanidm_build_profiles" } picky-krb = { path = "src/picky-krb" } [workspace.package] -version = "3.1.4" +version = "3.1.5" authors = [ "David Mulder <dmulder@suse.com>" ]
62e796e70684 Update libhimmelblau to latest version
1 file changed · +2 −2
Cargo.lock+2 −2 modified@@ -2874,9 +2874,9 @@ dependencies = [ [[package]] name = "libhimmelblau" -version = "0.8.18" +version = "0.8.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fbcc01a40eef77694c1a063b463e581162c92dca5732864d809d2b19c13cd1e" +checksum = "4331d6c174da030b21bb2bf7dde3ea49d9cea3a08cd99007a008f65a64059ae8" dependencies = [ "base64 0.22.1", "cbindgen",
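Review bot: Only Cargo.lock changes here (libhimmelblau `0.8.18` to `0.8.19`), so the manifest's version requirement is left where it was and a build that does not use this lockfile is still allowed to resolve 0.8.18. If this release depends on something in 0.8.19, raise the minimum version in the Cargo.toml that declares libhimmelblau in the same commit, and state in the commit message what the update brings in, since "latest version" gives a later reader nothing to check against.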
e9bc0b39395b fix(auth): apply request_timeout to attempt_online() HTTP probes
3 files changed · +47 −3
src/common/src/idprovider/common.rs+17 −0 modified@@ -29,6 +29,23 @@ use tokio::sync::RwLock; /// `exchange_prt_for_prt` before using it for access-token acquisition. pub const PRT_REFRESH_AGE: Duration = Duration::from_secs(4 * 3600); +/// Build a `reqwest::Client` for `attempt_online()` probes. +/// +/// Uses `request_timeout` for the total request budget and a derived +/// connect timeout of `min(request_timeout / 2, 3s)` so we fail fast +/// when the network is unreachable. Mirrors the pattern in libhimmelblau +/// `auth.rs`. +pub(crate) fn build_online_probe_client( + request_timeout_secs: u64, +) -> Result<reqwest::Client, reqwest::Error> { + let request_timeout = Duration::from_secs(request_timeout_secs); + let connect_timeout = std::cmp::min(request_timeout / 2, Duration::from_secs(3)); + reqwest::Client::builder() + .connect_timeout(connect_timeout) + .timeout(request_timeout) + .build() +} + pub fn flip_displayname_comma(name: &str) -> String { if let Some((left, right)) = name.split_once(',') { format!("{} {}", right.trim(), left.trim())
src/common/src/idprovider/himmelblau.rs+16 −1 modified@@ -28,6 +28,7 @@ use crate::constants::EDGE_BROWSER_CLIENT_ID; use crate::constants::ID_MAP_CACHE; use crate::db::KeyStoreTxn; use crate::idmap_cache::StaticIdCache; +use crate::idprovider::common::build_online_probe_client; use crate::idprovider::common::flip_displayname_comma; use crate::idprovider::common::KeyType; use crate::idprovider::common::RefreshCacheEntry; @@ -4109,7 +4110,21 @@ impl HimmelblauProvider { .authority_host() .await .unwrap_or(self.config.lock().await.get_authority_host(&self.domain)); - match reqwest::get(format!("https://{}", authority_host)).await { + let request_timeout = self.config.lock().await.get_request_timeout(); + let client = match build_online_probe_client(request_timeout) { + Ok(c) => c, + Err(e) => { + error!(?e, "Failed to build HTTP client for online check"); + let mut state = self.state.lock().await; + *state = CacheState::OfflineNextCheck(now + OFFLINE_NEXT_CHECK); + return false; + } + }; + match client + .get(format!("https://{}", authority_host)) + .send() + .await + { Ok(resp) => { if resp.status().is_success() { debug!("provider is now online");
src/common/src/idprovider/openidconnect.rs+14 −2 modified@@ -20,6 +20,7 @@ use crate::config::HimmelblauConfig; use crate::constants::ID_MAP_CACHE; use crate::db::KeyStoreTxn; use crate::idmap_cache::StaticIdCache; +use crate::idprovider::common::build_online_probe_client; use crate::idprovider::common::flip_displayname_comma; use crate::idprovider::common::KeyType; use crate::idprovider::common::TotpEnrollmentRecord; @@ -864,8 +865,19 @@ impl OidcProvider { } }; + let request_timeout = self.config.lock().await.get_request_timeout(); + let client = match build_online_probe_client(request_timeout) { + Ok(c) => c, + Err(e) => { + error!(?e, "Failed to build HTTP client for online check"); + let mut state = self.state.lock().await; + *state = CacheState::OfflineNextCheck(now + OFFLINE_NEXT_CHECK); + return false; + } + }; + // First try the authorization endpoint - match reqwest::get(&authorization_endpoint).await { + match client.get(&authorization_endpoint).send().await { Ok(resp) => { if resp.status().is_success() { debug!("provider is now online"); @@ -891,7 +903,7 @@ impl OidcProvider { } // Fallback: try the .well-known/openid-configuration URL - match reqwest::get(&openid_configuration_url).await { + match client.get(&openid_configuration_url).send().await { Ok(resp) => { if resp.status().is_success() { debug!("provider is now online (via openid-configuration)");
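Review bot: In `build_online_probe_client` (src/common/src/idprovider/common.rs) a `request_timeout_secs` of 0 makes both `request_timeout` and the derived `connect_timeout` a zero `Duration`, and nothing in the hunk shows that `get_request_timeout()` rejects 0. Either clamp to a minimum of one second here or document that the getter guarantees a non-zero value. The `min(request_timeout / 2, Duration::from_secs(3))` rule is also untested; moving the two duration computations into a small pure helper would let a unit test pin it, since the built `reqwest::Client` cannot be inspected for its timeouts.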
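Review bot: In the `HimmelblauProvider` online check (src/common/src/idprovider/himmelblau.rs) a new `reqwest::Client` is built on every probe, and the `Err(e)` arm that logs, sets `CacheState::OfflineNextCheck(now + OFFLINE_NEXT_CHECK)` and returns `false` is repeated line for line in openidconnect.rs. Consider building the client once and keeping it on the provider (rebuilding only when the configured timeout changes), and moving the failure handling into one shared helper so the two providers cannot drift apart.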
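Review bot: In the `OidcProvider` online check (src/common/src/idprovider/openidconnect.rs) the authorization-endpoint probe and the `.well-known/openid-configuration` fallback each get the full `request_timeout` from the shared client, so a server that accepts connections but does not answer can hold this call for up to twice the configured value. If the intent is that `request_timeout` bounds the whole online check, split the budget between the two probes or wrap both in a single outer timeout; if not, say so in the doc comment on `build_online_probe_client`.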
4e2201d67776 Correct the description of connection_timeout config
2 files changed · +13 −13
docs-xml/himmelblauconf/base/connection_timeout.xml+1 −1 modified@@ -7,7 +7,7 @@ domain_specific="false" order="42"> <description> -The timeout in seconds for connections to the authentication server. +The timeout in seconds for local Himmelblau daemon socket operations. This setting controls how long clients wait when communicating with local Himmelblau services; HTTP requests to authentication servers are controlled by request_timeout. </description> <default>30</default> <default_const>DEFAULT_CONN_TIMEOUT</default_const>
man/man5/himmelblau.conf.5+12 −12 modified@@ -722,7 +722,7 @@ Example: idmap_range = 10000000-10999999 .TP .B connection_timeout .RE -The timeout in seconds for connections to the authentication server. +The timeout in seconds for local Himmelblau daemon socket operations. This setting controls how long clients wait when communicating with local Himmelblau services; HTTP requests to authentication servers are controlled by request_timeout. .P Default: 30 @@ -756,17 +756,6 @@ Default: 300 .P Example: cache_timeout = 10 -.TP -.B request_timeout -.RE -The timeout in seconds for HTTP requests to authentication servers. This includes DNS resolution, connection attempts across all resolved IP addresses, TLS handshake, and HTTP request/response. Increase this value if authentication fails in environments where DNS returns many IP addresses for the same hostname (e.g., 7+ addresses). Default is 10 seconds to accommodate Happy Eyeballs connection attempts across multiple addresses. - -.P -Default: 10 - -.P -Example: request_timeout = 15 - .TP .B use_etc_skel .RE @@ -804,6 +793,17 @@ Default: join .P Example: join_type = register +.TP +.B request_timeout +.RE +The timeout in seconds for HTTP requests to authentication servers. This includes DNS resolution, connection attempts across all resolved IP addresses, TLS handshake, and HTTP request/response. Increase this value if authentication fails in environments where DNS returns many IP addresses for the same hostname (e.g., 7+ addresses). Default is 10 seconds to accommodate Happy Eyeballs connection attempts across multiple addresses. + +.P +Default: 10 + +.P +Example: request_timeout = 15 + .TP .B user_map_file .RE
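Review bot: Besides the one-line description fix, the man page hunks move the whole `request_timeout` entry from after `cache_timeout` to after `join_type`, which the commit message does not mention and which the only XML file touched (connection_timeout.xml) does not account for. If the move comes from regenerating himmelblau.conf.5 from docs-xml, say so in the message or put the regeneration in its own commit, so the relocated block is not read as a content change to `request_timeout`.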
349e5b829dfa deps(rust): bump the all-cargo-updates group across 1 directory with 31 updates
15 files changed · +343 −377
Cargo.lock+304 −339 modified@@ -51,7 +51,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" dependencies = [ "cfg-if", "cipher", - "cpufeatures", + "cpufeatures 0.2.17", ] [[package]] @@ -103,9 +103,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.18" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" +checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d" dependencies = [ "anstyle", "anstyle-parse", @@ -118,15 +118,15 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.10" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" +checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000" [[package]] name = "anstyle-parse" -version = "0.2.6" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" +checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e" dependencies = [ "utf8parse", ] @@ -174,7 +174,7 @@ checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" dependencies = [ "base64ct", "blake2", - "cpufeatures", + "cpufeatures 0.2.17", "password-hash", ] @@ -285,7 +285,7 @@ checksum = "3b43422f69d8ff38f95f1b2bb76517c91589a924d1559a0e935d7c8ce0274c11" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -320,7 +320,7 @@ checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -459,45 +459,33 @@ checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3" [[package]] name = "base64urlsafedata" -version = "0.5.4" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42f7f6be94fa637132933fd0a68b9140bcb60e3d46164cb68e82a2bb8d102b3a" +checksum = "b08e33815c87d8cadcddb1e74ac307368a3751fbe40c961538afa21a1899f21c" dependencies = [ "base64 0.21.7", "pastey 0.1.1", "serde", ] [[package]] -name = "binary-stream" -version = "3.4.0" +name = "base64urlsafedata" +version = "0.6.1-dev" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4ef03ef225ea9a0b680a5926a58cb45d8eb56abf23d8a8b5c5dbc61235e2dac" +checksum = "9283b2d58cdc7bb808295ff4cd7063701b13818a2680e1584ba61e948ab83229" dependencies = [ - "thiserror 1.0.69", + "base64 0.21.7", + "pastey 0.1.1", + "serde", ] [[package]] -name = "bindgen" -version = "0.66.1" +name = "binary-stream" +version = "3.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2b84e06fc203107bfbad243f4aba2af864eb7db3b1cf46ea0a023b0b433d2a7" +checksum = "f4ef03ef225ea9a0b680a5926a58cb45d8eb56abf23d8a8b5c5dbc61235e2dac" dependencies = [ - "bitflags 2.9.1", - "cexpr", - "clang-sys", - "lazy_static", - "lazycell", - "log", - "peeking_take_while", - "prettyplease", - "proc-macro2", - "quote", - "regex", - "rustc-hash 1.1.0", - "shlex", - "syn 2.0.101", - "which", + "thiserror 1.0.69", ] [[package]] @@ -515,9 +503,9 @@ dependencies = [ "proc-macro2", "quote", "regex", - "rustc-hash 2.1.1", + "rustc-hash", "shlex", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -541,14 +529,14 @@ dependencies = [ "owo-colors", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] name = "bitfield" -version = "0.13.2" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" +checksum = "f798d2d157e547aa99aab0967df39edd0b70307312b6f8bd2848e6abe40896e0" [[package]] name = "bitflags" @@ -569,7 +557,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6cbbb8f56245b5a479b30a62cdc86d26e2f35c2b9f594bc4671654b03851380" dependencies = [ "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -592,9 +580,9 @@ dependencies = [ [[package]] name = "block-buffer" -version = "0.12.0" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be" +checksum = "96eb4cdd6cf1b31d671e9efe75c5d1ec614776856cefbe109ca373554a6d514f" dependencies = [ "hybrid-array", ] @@ -703,16 +691,16 @@ dependencies = [ "quote", "serde", "serde_json", - "syn 2.0.101", + "syn", "tempfile", "toml", ] [[package]] name = "cc" -version = "1.2.56" +version = "1.2.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2" +checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d" dependencies = [ "find-msvc-tools", "jobserver", @@ -747,6 +735,17 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" +[[package]] +name = "chacha20" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" +dependencies = [ + "cfg-if", + "cpufeatures 0.3.0", + "rand_core 0.10.0", +] + [[package]] name = "chrono" version = "0.4.44" 
@@ -784,19 +783,19 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.60" +version = "4.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a" +checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51" dependencies = [ "clap_builder", "clap_derive", ] [[package]] name = "clap_builder" -version = "4.5.60" +version = "4.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876" +checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f" dependencies = [ "anstream", "anstyle", @@ -806,23 +805,23 @@ dependencies = [ [[package]] name = "clap_complete" -version = "4.5.66" +version = "4.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c757a3b7e39161a4e56f9365141ada2a6c915a8622c408ab6bb4b5d047371031" +checksum = "660c0520455b1013b9bcb0393d5f643d7e4454fb69c915b8d6d2aa0e9a45acc3" dependencies = [ "clap", ] [[package]] name = "clap_derive" -version = "4.5.55" +version = "4.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5" +checksum = "f2ce8604710f6733aa641a2b3731eaa1e8b3d9973d5e3565da11800813f997a9" dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -840,12 +839,6 @@ dependencies = [ "cc", ] -[[package]] -name = "cmov" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de0758edba32d61d1fd9f4d69491b47604b91ee2f7e6b33de7e54ca4ebe55dc3" - [[package]] name = "colorchoice" version = "1.0.3" 
@@ -869,7 +862,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23812e87894027686e22bc5b0940522315b1f0ba9347383cc41016ec0caf6c35" dependencies = [ "base64 0.21.7", - "base64urlsafedata", + "base64urlsafedata 0.5.5", "crypto-glue", "hex", "kanidm-hsm-crypto", @@ -1017,6 +1010,15 @@ dependencies = [ "libc", ] +[[package]] +name = "cpufeatures" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" +dependencies = [ + "libc", +] + [[package]] name = "crc32fast" version = "1.4.2" @@ -1082,21 +1084,22 @@ dependencies = [ [[package]] name = "crypto-glue" -version = "0.1.13" +version = "0.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7c276323bf5cd771d8eed5a8eb7011acf74450531d01efb7f8c085d4eb2c388" +checksum = "949ed8139cfd0242a2d119fc4c3bd206f7f17cd8cc99eb469eff8cdf90f7a7e8" dependencies = [ "aes", "aes-gcm", "aes-kw", "argon2", + "base64 0.22.1", "cbc", "cipher", "const-oid 0.9.6", "crypto-common 0.1.6", "crypto-common 0.2.1", "der 0.7.10", - "digest 0.11.1", + "digest 0.11.0-rc.12", "ecdsa", "elliptic-curve", "generic-array", @@ -1109,11 +1112,12 @@ dependencies = [ "p256", "p384", "p521", + "pbkdf2", "pkcs8", "rand 0.8.5", "rsa", - "rustls", "sec1", + "serde", "sha1", "sha2 0.10.9", "sha2 0.11.0-rc.5", @@ -1145,7 +1149,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "13b588ba4ac1a99f7f2964d24b3d896ddc6bf847ee3855dbd4366f058cfcd331" dependencies = [ "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -1178,23 +1182,14 @@ dependencies = [ "cipher", ] -[[package]] -name = "ctutils" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1005a6d4446f5120ef475ad3d2af2b30c49c2c9c6904258e3bb30219bebed5e4" -dependencies = [ - "cmov", -] - [[package]] name = "curve25519-dalek" version = "4.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "curve25519-dalek-derive", "digest 0.10.7", "fiat-crypto", 
@@ -1211,55 +1206,54 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] name = "darling" -version = "0.21.3" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0" +checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d" dependencies = [ "darling_core", "darling_macro", ] [[package]] name = "darling_core" -version = "0.21.3" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4" +checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0" dependencies = [ - "fnv", "ident_case", "proc-macro2", "quote", "strsim", - "syn 2.0.101", + "syn", ] [[package]] name = "darling_macro" -version = "0.21.3" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81" +checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d" dependencies = [ "darling_core", "quote", - "syn 2.0.101", + "syn", ] [[package]] name = "dbus" -version = "0.9.10" +version = "0.9.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21b3aa68d7e7abee336255bd7248ea965cc393f3e70411135a6f6a4b651345d4" +checksum = "b942602992bb7acfd1f51c49811c58a610ef9181b6e66f3e519d79b540a3bf73" dependencies = [ "futures-channel", "futures-util", "libc", "libdbus-sys", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -1314,7 +1308,7 @@ checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -1325,7 +1319,7 @@ checksum = "59600e2c2d636fde9b65e99cc6445ac770c63d3628195ff39932b8d6d7409903" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1346,7 +1340,7 @@ checksum = "1e567bd82dcff979e4b03460c307b3cdc9e96fde3d73bed1496d2bc75d9dd62a" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1366,7 +1360,7 @@ checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1393,14 +1387,14 @@ dependencies = [ [[package]] name = "digest" -version = "0.11.1" +version = "0.11.0-rc.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "285743a676ccb6b3e116bc14cc69319b957867930ae9c4822f8e0f54509d7243" +checksum = "d4b37eb2004a3548553a44cc1e688aac70f0345b896c9d822b4a0e520bc9183b" dependencies = [ - "block-buffer 0.12.0", + "block-buffer 0.11.0", "const-oid 0.10.1", "crypto-common 0.2.1", - "ctutils", + "subtle", ] [[package]] @@ -1411,7 +1405,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1554,7 +1548,7 @@ checksum = "fc4caf64a58d7a6d65ab00639b046ff54399a39f5f2554728895ace4b297cd79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1816,7 +1810,7 @@ checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -1852,7 +1846,7 @@ dependencies = [ name = "fxhash" version = "0.2.1" dependencies = [ - "rustc-hash 2.1.1", + "rustc-hash", ] [[package]] @@ -1922,6 +1916,7 @@ dependencies = [ "cfg-if", "libc", "r-efi", + "rand_core 0.10.0", "wasip2", "wasip3", ] 
@@ -1999,9 +1994,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.16.1" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" +checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" dependencies = [ "allocator-api2", "equivalent", @@ -2101,7 +2096,7 @@ dependencies = [ "csv", "der 0.8.0", "futures", - "hashbrown 0.16.1", + "hashbrown 0.17.0", "hostname", "idmap", "kanidm-hsm-crypto", @@ -2132,6 +2127,7 @@ dependencies = [ "tracing", "urlencoding", "uuid", + "x509-cert", "zeroize", ] @@ -2196,16 +2192,7 @@ version = "0.13.0-rc.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ef451d73f36d8a3f93ad32c332ea01146c9650e1ec821a9b0e46c01277d544f8" dependencies = [ - "digest 0.11.1", -] - -[[package]] -name = "home" -version = "0.5.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf" -dependencies = [ - "windows-sys 0.59.0", + "digest 0.11.0-rc.12", ] [[package]] @@ -2537,7 +2524,7 @@ dependencies = [ name = "idmap" version = "3.1.4" dependencies = [ - "bindgen 0.72.1", + "bindgen", "cc", "libc", "tracing", @@ -2710,9 +2697,9 @@ dependencies = [ [[package]] name = "kanidm-hsm-crypto" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61cafdd63d3c246fd7a7318de64e35d2c744ebb2c5a51a407a2985ad6fe29908" +checksum = "bfb9c43ea17ed7eafbb4af596fa366aad5d1dcfb5e0b5a0c8603797d37ee43f9" dependencies = [ "crypto-glue", "serde", 
@@ -2727,44 +2714,38 @@ version = "1.8.1" [[package]] name = "kanidm_lib_crypto" -version = "1.9.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b400ac884c03cef8672d9cd1418b3a8a2da9a017d6bcbd5f1e78663889ee6f11" +checksum = "77368cca784396ee4aa782a01d8502560b11260d615f19d6830476b8f9058bf4" dependencies = [ - "argon2", "base64 0.22.1", - "base64urlsafedata", + "base64urlsafedata 0.6.1-dev", "crypto-glue", "hex", "kanidm-hsm-crypto", "md-5", "md4", - "openssl", - "openssl-sys", - "rand 0.9.2", - "rustls", + "rand 0.10.1", "serde", "sha-crypt", "sha2 0.11.0-rc.5", "tracing", - "uuid", - "x509-cert", ] [[package]] name = "kanidm_lib_file_permissions" -version = "1.9.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd152c274b2d02257572970b8e081e754d0f589becfe33e1e8c96896dd4d484c" +checksum = "90b5ead6b73b105127d3546ed40e69d1d7383c3a797b587c1f3d6b9b706c5687" dependencies = [ "kanidm_utils_users", ] [[package]] name = "kanidm_utils_users" -version = "1.9.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3325b6edbb6e8d676f7eb60c417d24ca8e7e6aa470bc5fa0e90fe60df863aa1b" +checksum = "ef838c603e659e6e6889d95fac2813eda26394cbe8b2b7217554fd75a1ae4278" dependencies = [ "libc", ] @@ -2775,7 +2756,7 @@ version = "0.1.0-rc.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "90ac93c9768b8d587407881c98b0c3a5d3e3049daa73408ebe5bfb1ab1cb9c84" dependencies = [ - "digest 0.11.1", + "digest 0.11.0-rc.12", ] [[package]] @@ -2833,12 +2814,6 @@ dependencies = [ "spin", ] -[[package]] -name = "lazycell" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" - [[package]] name = "lber" version = "0.4.2" 
@@ -2874,9 +2849,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" [[package]] name = "libc" -version = "0.2.182" +version = "0.2.186" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" +checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66" [[package]] name = "libdbus-sys" @@ -2915,8 +2890,8 @@ dependencies = [ "os-release", "paste", "percent-encoding", - "picky-asn1 0.10.1", - "picky-asn1-der 0.5.4", + "picky-asn1", + "picky-asn1-der", "picky-krb", "regex", "reqwest 0.13.1", @@ -2961,7 +2936,7 @@ dependencies = [ "md5", "num_enum", "pbkdf2", - "rand 0.9.2", + "rand 0.9.4", "serde", "serde-binary", "sha1", @@ -3082,11 +3057,11 @@ checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" [[package]] name = "lru" -version = "0.16.3" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1dc47f592c06f33f8e3aea9591776ec7c9f9e4124778ff8a3c3b87159f7e593" +checksum = "8a860605968fce16869fd239cf4237a82f3ac470723415db603b0e8b6c8d4fb9" dependencies = [ - "hashbrown 0.16.1", + "hashbrown 0.17.0", ] [[package]] @@ -3332,13 +3307,13 @@ checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050" [[package]] name = "num-derive" -version = "0.3.3" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "876a53fff98e03a936a674b29568b0e605f06b29372c2489ff4de23f1949743d" +checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn", ] [[package]] 
@@ -3373,24 +3348,24 @@ dependencies = [ [[package]] name = "num_enum" -version = "0.7.5" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1207a7e20ad57b847bbddc6776b968420d38292bbfe2089accff5e19e82454c" +checksum = "5d0bca838442ec211fa11de3a8b0e0e8f3a4522575b5c4c06ed722e005036f26" dependencies = [ "num_enum_derive", "rustversion", ] [[package]] name = "num_enum_derive" -version = "0.7.5" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7" +checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8" dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -3481,15 +3456,14 @@ dependencies = [ [[package]] name = "openssl" -version = "0.10.75" +version = "0.10.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328" +checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542" dependencies = [ "bitflags 2.9.1", "cfg-if", "foreign-types", "libc", - "once_cell", "openssl-macros", "openssl-sys", ] @@ -3502,7 +3476,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -3519,9 +3493,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" [[package]] name = "openssl-sys" -version = "0.9.111" +version = "0.9.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321" +checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781" dependencies = [ "cc", "libc", 
@@ -3557,9 +3531,9 @@ dependencies = [ [[package]] name = "opentelemetry-otlp" -version = "0.31.0" +version = "0.31.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2366db2dca4d2ad033cad11e6ee42844fd727007af5ad04a1730f4cb8163bf" +checksum = "1f69cd6acbb9af919df949cd1ec9e5e7fdc2ef15d234b6b795aaa525cc02f71f" dependencies = [ "http", "opentelemetry", @@ -3603,7 +3577,7 @@ dependencies = [ "futures-util", "opentelemetry", "percent-encoding", - "rand 0.9.2", + "rand 0.9.4", "thiserror 2.0.16", "tokio", "tokio-stream", @@ -3738,7 +3712,7 @@ dependencies = [ name = "paste" version = "1.0.15" dependencies = [ - "pastey 0.2.1", + "pastey 0.2.2", ] [[package]] @@ -3749,9 +3723,9 @@ checksum = "35fb2e5f958ec131621fdd531e9fc186ed768cbe395337403ae56c17a74c68ec" [[package]] name = "pastey" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b867cad97c0791bbd3aaa6472142568c6c9e8f71937e98379f584cfb0cf35bec" +checksum = "c5a797f0e07bdf071d15742978fc3128ec6c22891c31a3a931513263904c982a" [[package]] name = "pbkdf2" @@ -3763,12 +3737,6 @@ dependencies = [ "hmac 0.12.1", ] -[[package]] -name = "peeking_take_while" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099" - [[package]] name = "peg" version = "0.8.5" @@ -3862,7 +3830,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -3874,17 +3842,6 @@ dependencies = [ "siphasher", ] -[[package]] -name = "picky-asn1" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "295eea0f33c16be21e2a98b908fdd4d73c04dd48c8480991b76dbcf0cb58b212" -dependencies = [ - "oid", - "serde", - "serde_bytes", -] - [[package]] name = "picky-asn1" version = "0.10.1" 
@@ -3896,41 +3853,17 @@ dependencies = [ "serde_bytes", ] -[[package]] -name = "picky-asn1-der" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5df7873a9e36d42dadb393bea5e211fe83d793c172afad5fb4ec846ec582793f" -dependencies = [ - "picky-asn1 0.8.0", - "serde", - "serde_bytes", -] - [[package]] name = "picky-asn1-der" version = "0.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b491eb61603cba1ad5c6be0269883538f8d74136c35e3641a840fb0fbcd41efc" dependencies = [ - "picky-asn1 0.10.1", + "picky-asn1", "serde", "serde_bytes", ] -[[package]] -name = "picky-asn1-x509" -version = "0.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c5f20f71a68499ff32310f418a6fad8816eac1a2859ed3f0c5c741389dd6208" -dependencies = [ - "base64 0.21.7", - "oid", - "picky-asn1 0.8.0", - "picky-asn1-der 0.4.1", - "serde", -] - [[package]] name = "picky-krb" version = "0.12.0" @@ -3952,7 +3885,7 @@ checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -3983,21 +3916,38 @@ dependencies = [ "spki", ] +[[package]] +name = "pkcs5" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6" +dependencies = [ + "aes", + "cbc", + "der 0.7.10", + "pbkdf2", + "scrypt", + "sha2 0.10.9", + "spki", +] + [[package]] name = "pkcs8" version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der 0.7.10", + "pkcs5", + "rand_core 0.6.4", "spki", ] [[package]] name = "pkg-config" -version = "0.3.32" +version = "0.3.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" +checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e" [[package]] name = "png" @@ -4034,7 +3984,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "opaque-debug", "universal-hash", ] @@ -4076,7 +4026,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "664ec5419c51e34154eec046ebcba56312d5a2fc3b09a06da188e1ad21afadf6" dependencies = [ "proc-macro2", - "syn 2.0.101", + "syn", ] [[package]] @@ -4099,9 +4049,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.95" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -4126,7 +4076,7 @@ dependencies = [ "itertools", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -4186,7 +4136,7 @@ dependencies = [ "pin-project-lite", "quinn-proto", "quinn-udp", - "rustc-hash 2.1.1", + "rustc-hash", "rustls", "socket2 0.5.9", "thiserror 2.0.16", @@ -4205,9 +4155,9 @@ dependencies = [ "bytes", "getrandom 0.3.3", "lru-slab", - "rand 0.9.2", + "rand 0.9.4", "ring", - "rustc-hash 2.1.1", + "rustc-hash", "rustls", "rustls-pki-types", "slab", @@ -4233,9 +4183,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.40" +version = "1.0.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" dependencies = [ "proc-macro2", ] @@ -4259,14 +4209,25 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.2" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.3", ] +[[package]] +name = "rand" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207" +dependencies = [ + "chacha20", + "getrandom 0.4.1", + "rand_core 0.10.0", +] + [[package]] name = "rand_chacha" version = "0.3.1" @@ -4337,7 +4298,7 @@ checksum = "1165225c21bff1f3bbce98f5a1f889949bc902d3575308cc7b0de30b4f6d27c7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -4496,13 +4457,13 @@ dependencies = [ [[package]] name = "rpassword" -version = "7.4.0" +version = "7.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66d4c8b64f049c6721ec8ccec37ddfc3d641c4a7fca57e8f2a89de509c73df39" +checksum = "5ac5b223d9738ef56e0b98305410be40fa0941bf6036c56f1506751e43552d64" dependencies = [ "libc", "rtoolbox", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -4558,15 +4519,9 @@ dependencies = [ [[package]] name = "rustc-hash" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" - -[[package]] -name = "rustc-hash" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d" +checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe" [[package]] name = "rustc_version" @@ -4605,9 +4560,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.37" +version = "0.23.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" +checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b" dependencies = [ "aws-lc-rs", "once_cell", @@ -4691,6 +4646,15 @@ version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" +[[package]] +name = "salsa20" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" +dependencies = [ + "cipher", +] + [[package]] name = "same-file" version = "1.0.6" 
@@ -4754,11 +4718,22 @@ dependencies = [ "tendril", ] +[[package]] +name = "scrypt" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" +dependencies = [ + "pbkdf2", + "salsa20", + "sha2 0.10.9", +] + [[package]] name = "sd-notify" -version = "0.4.5" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b943eadf71d8b69e661330cb0e2656e31040acf21ee7708e2c238a0ec6af2bf4" +checksum = "3e4ef7359e694bfaf1dd27a30f9d760b54c00dfae9f19bd0c05a39bc9128fe76" dependencies = [ "libc", ] @@ -4827,7 +4802,7 @@ dependencies = [ "phf", "phf_codegen", "precomputed-hash", - "rustc-hash 2.1.1", + "rustc-hash", "servo_arc", "smallvec", ] @@ -4838,9 +4813,9 @@ version = "3.1.4" [[package]] name = "semver" -version = "1.0.27" +version = "1.0.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2" +checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd" [[package]] name = "serde" @@ -4916,7 +4891,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -4960,7 +4935,7 @@ checksum = "175ee3e80ae9982737ca543e96133087cbd9a485eecc3bc4de9c1a37b47ea59c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -4986,9 +4961,9 @@ dependencies = [ [[package]] name = "serde_with" -version = "3.17.0" +version = "3.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "381b283ce7bc6b476d903296fb59d0d36633652b633b27f64db4fb46dcbfc3b9" +checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19" dependencies = [ "base64 0.22.1", "chrono", 
@@ -5005,14 +4980,14 @@ dependencies = [ [[package]] name = "serde_with_macros" -version = "3.17.0" +version = "3.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a6d4e30573c8cb306ed6ab1dca8423eec9a463ea0e155f45399455e0368b27e0" +checksum = "cf2ebbe86054f9b45bc3881e865683ccfaccce97b9b4cb53f3039d67f355a334" dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -5043,7 +5018,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "digest 0.10.7", ] @@ -5060,7 +5035,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "digest 0.10.7", ] @@ -5071,8 +5046,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c5f3b1e2dc8aad28310d8410bd4d7e180eca65fca176c52ab00d364475d0024" dependencies = [ "cfg-if", - "cpufeatures", - "digest 0.11.1", + "cpufeatures 0.2.17", + "digest 0.11.0-rc.12", ] [[package]] @@ -5123,9 +5098,9 @@ checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d" [[package]] name = "sketching" -version = "1.9.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be22fbf166835f5675ecb15b1b6125dddbd7016d3ffd3489c8415c19197221e4" +checksum = "f5f68524a7f242ae951ac5746490370357ee36c2139344da76256a8dbe5c2a1e" dependencies = [ "gethostname", "num_enum", 
@@ -5264,20 +5239,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "1.0.109" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" -dependencies = [ - "proc-macro2", - "quote", - "unicode-ident", -] - -[[package]] -name = "syn" -version = "2.0.101" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", @@ -5301,7 +5265,7 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -5343,9 +5307,9 @@ checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "tempfile" -version = "3.26.0" +version = "3.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0" +checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd" dependencies = [ "fastrand", "getrandom 0.4.1", @@ -5391,7 +5355,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -5402,7 +5366,7 @@ checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -5489,14 +5453,14 @@ checksum = "2d2e76690929402faae40aebdda620a2c0e25dd6d3b9afe48867dfd95991f4bd" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] name = "tokio" -version = "1.49.0" +version = "1.50.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" +checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d" dependencies = [ "bytes", "libc", @@ -5518,7 +5482,7 @@ checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -5577,7 +5541,7 @@ dependencies = [ "toml_datetime 0.7.5+spec-1.1.0", "toml_parser", "toml_writer", - "winnow", + "winnow 0.7.10", ] [[package]] @@ -5603,7 +5567,7 @@ checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" dependencies = [ "indexmap 2.9.0", "toml_datetime 0.6.11", - "winnow", + "winnow 0.7.10", ] [[package]] @@ -5612,7 +5576,7 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10" dependencies = [ - "winnow", + "winnow 0.7.10", ] [[package]] @@ -5663,15 +5627,15 @@ dependencies = [ [[package]] name = "totp-rs" -version = "5.7.0" +version = "5.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f124352108f58ef88299e909f6e9470f1cdc8d2a1397963901b4a6366206bf72" +checksum = "a2b36a9dd327e9f401320a2cb4572cc76ff43742bcfc3291f871691050f140ba" dependencies = [ "base32", "constant_time_eq", "hmac 0.12.1", "qrcodegen-image", - "rand 0.9.2", + "rand 0.9.4", "serde", "sha1", "sha2 0.10.9", @@ -5748,7 +5712,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] 
@@ -5804,9 +5768,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.22" +version = "0.3.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e" +checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319" dependencies = [ "matchers", "nu-ansi-term", @@ -5828,36 +5792,40 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tss-esapi" -version = "8.0.0-alpha" +version = "8.0.0-alpha.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c1617a46161846de3a3d3e407cd30cb345599bc5e440c3907a59b34b75a2731" +checksum = "5c1751ea94b699404cd8c52fe2f1cb6ba811b8a7d26151298b946b3b8424468e" dependencies = [ "bitfield", "cfg-if", + "digest 0.10.7", + "ecdsa", + "elliptic-curve", "enumflags2", + "getrandom 0.2.16", "hostname-validator", "log", "malloced", "num-derive", "num-traits", - "oid", "paste", - "picky-asn1 0.8.0", - "picky-asn1-x509", + "pkcs8", "regex", "semver", "serde", + "signature", "tss-esapi-sys", + "x509-cert", "zeroize", ] [[package]] name = "tss-esapi-sys" -version = "0.5.0" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "535cd192581c2ec4d5f82e670b1d3fbba6a23ccce8c85de387642051d7cad5b5" +checksum = "a7f972672926a3d3d18ecc04524720e4d20b7d1664a3fb73dbf7d4274196dbd9" dependencies = [ - "bindgen 0.66.1", + "bindgen", "pkg-config", "target-lexicon", ] @@ -5957,9 +5925,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.21.0" +version = "1.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" +checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76" dependencies = [ "getrandom 0.4.1", "js-sys", 
@@ -6070,7 +6038,7 @@ dependencies = [ "log", "proc-macro2", "quote", - "syn 2.0.101", + "syn", "wasm-bindgen-shared", ] @@ -6105,7 +6073,7 @@ checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -6212,18 +6180,6 @@ dependencies = [ "rustls-pki-types", ] -[[package]] -name = "which" -version = "4.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" -dependencies = [ - "either", - "home", - "once_cell", - "rustix 0.38.44", -] - [[package]] name = "winapi" version = "0.3.9" @@ -6276,7 +6232,7 @@ checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -6287,7 +6243,7 @@ checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -6570,6 +6526,15 @@ dependencies = [ "memchr", ] +[[package]] +name = "winnow" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" +dependencies = [ + "memchr", +] + [[package]] name = "wit-bindgen" version = "0.51.0" @@ -6609,7 +6574,7 @@ dependencies = [ "heck", "indexmap 2.9.0", "prettyplease", - "syn 2.0.101", + "syn", "wasm-metadata", "wit-bindgen-core", "wit-component", @@ -6625,7 +6590,7 @@ dependencies = [ "prettyplease", "proc-macro2", "quote", - "syn 2.0.101", + "syn", "wit-bindgen-core", "wit-bindgen-rust", ] 
@@ -6707,15 +6672,15 @@ checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", "synstructure", ] [[package]] name = "zbus" -version = "5.14.0" +version = "5.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca82f95dbd3943a40a53cfded6c2d0a2ca26192011846a1810c4256ef92c60bc" +checksum = "c3bcbf15c8708d7fc1be0c993622e0a5cbd5e8b52bfa40afa4c3e0cd8d724ac1" dependencies = [ "async-broadcast", "async-executor", @@ -6740,35 +6705,35 @@ dependencies = [ "uds_windows", "uuid", "windows-sys 0.61.2", - "winnow", + "winnow 1.0.2", "zbus_macros", "zbus_names", "zvariant", ] [[package]] name = "zbus_macros" -version = "5.14.0" +version = "5.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "897e79616e84aac4b2c46e9132a4f63b93105d54fe8c0e8f6bffc21fa8d49222" +checksum = "51fa5406ad9175a8c825a931f8cf347116b531b3634fcb0b627c290f1f2516ff" dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.101", + "syn", "zbus_names", "zvariant", "zvariant_utils", ] [[package]] name = "zbus_names" -version = "4.3.1" +version = "4.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffd8af6d5b78619bab301ff3c560a5bd22426150253db278f164d6cf3b72c50f" +checksum = "7074f3e50b894eac91750142016d30d0a89be8e67dbfd9704fb875825760e52d" dependencies = [ "serde", - "winnow", + "winnow 1.0.2", "zvariant", ] @@ -6789,7 +6754,7 @@ checksum = "28a6e20d751156648aa063f3800b706ee209a32c0b4d9f24be3d980b01be55ef" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -6809,7 +6774,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", "synstructure", ] 
@@ -6831,7 +6796,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -6864,7 +6829,7 @@ checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn", ] [[package]] @@ -6875,40 +6840,40 @@ checksum = "2fc5a66a20078bf1251bde995aa2fdcc4b800c70b5d92dd2c62abc5c60f679f8" [[package]] name = "zvariant" -version = "5.10.0" +version = "5.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5708299b21903bbe348e94729f22c49c55d04720a004aa350f1f9c122fd2540b" +checksum = "1c1567a6ec68df868cbbfde844cfc6d81649fe5109a62b116b19fabd53e618ee" dependencies = [ "endi", "enumflags2", "serde", - "winnow", + "winnow 1.0.2", "zvariant_derive", "zvariant_utils", ] [[package]] name = "zvariant_derive" -version = "5.10.0" +version = "5.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b59b012ebe9c46656f9cc08d8da8b4c726510aef12559da3e5f1bf72780752c" +checksum = "c7d5b780599bbde114e39d9a0799577fad1ced5105d38515745f7b3099d8ceda" dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.101", + "syn", "zvariant_utils", ] [[package]] name = "zvariant_utils" -version = "3.3.0" +version = "3.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f75c23a64ef8f40f13a6989991e643554d9bef1d682a281160cf0c1bc389c5e9" +checksum = "6d464f5733ffa07a3164d656f18533caace9d0638596721355d73256a410d691" dependencies = [ "proc-macro2", "quote", "serde", - "syn 2.0.101", - "winnow", + "syn", + "winnow 1.0.2", ]
Cargo.toml+18 −18 modified@@ -45,21 +45,21 @@ homepage = "https://github.com/himmelblau-idm/himmelblau" repository = "https://github.com/himmelblau-idm/himmelblau" [workspace.dependencies] -libc = "^0.2.182" -pkg-config = "^0.3.32" +libc = "^0.2.186" +pkg-config = "^0.3.33" lazy_static = "^1.4.0" paste = "^1.0.12" serde = { version = "^1.0.228", features = ["derive"] } serde_json = "^1.0.149" -tracing-subscriber = "^0.3.22" +tracing-subscriber = "^0.3.23" tracing = "^0.1.37" himmelblau_unix_common = { path = "src/common" } libhimmelblau = { version = "0.8.18", features = ["broker", "changepassword", "on_behalf_of", "mfa_method_selection", "optional_mfa", "intune_portal_vers_selection"] } -clap = { version = "^4.5", features = ["derive", "env"] } -clap_complete = "^4.5.66" +clap = { version = "^4.6", features = ["derive", "env"] } +clap_complete = "^4.6.3" reqwest = { version = "^0.12.24", features = ["json"] } anyhow = "^1.0.102" -tokio = { version = "^1.49.0", features = ["rt", "macros", "sync", "time", "net", "io-util", "signal", "rt-multi-thread"] } +tokio = { version = "^1.50.0", features = ["rt", "macros", "sync", "time", "net", "io-util", "signal", "rt-multi-thread"] } tokio-util = { version = "^0.7.18", features = ["codec"] } async-trait = "^0.1.89" himmelblau_policies = { path = "src/policies" } 
@@ -79,27 +79,27 @@ libkrimes = { version = "0.1.0", features = ["keyring"] } argon2 = { version = "0.5.2", features = ["alloc"] } base32 = "^0.5.0" base64 = "^0.22.0" -base64urlsafedata = "0.5.0" +base64urlsafedata = "0.5.5" hex = "^0.4.3" -num_enum = "^0.7.5" +num_enum = "^0.7.6" scim_proto = "^1.6.4" -serde_with = "3.17.0" +serde_with = "3.19.0" time = { version = "^0.3.44", features = ["formatting", "local-offset"] } url = "^2.4.0" urlencoding = "2.1.3" -uuid = { version = "^1.21.0", features = ["v4", "v5"] } +uuid = { version = "^1.23.1", features = ["v4", "v5"] } webauthn-rs-proto = "0.5.0" kanidm_proto = "1.8.1" openssl-sys = "^0.9" -openssl = "^0.10.75" -rand = "^0.9.2" +openssl = "^0.10.79" +rand = "^0.9.4" tss-esapi = "^7.2.0" -sketching = "1.9.1" +sketching = "1.10.0" tracing-forest = "^0.1.6" rusqlite = "^0.37.0" -hashbrown = { version = "0.16.1", features = ["serde", "inline-more"] } -lru = "^0.16.2" -kanidm_lib_crypto = "1.9.1" +hashbrown = { version = "0.17.0", features = ["serde", "inline-more"] } +lru = "^0.18.0" +kanidm_lib_crypto = "1.10.0" kanidm_utils_users = "1.8.1" walkdir = "2" csv = "1.4.0" @@ -121,9 +121,9 @@ tracing-opentelemetry = "0.28.0" tracing-core = "0.1.34" tonic = "0.14.5" compact_jwt = { version = "0.5.3-dev", features = ["msextensions"] } -kanidm-hsm-crypto = { version = "^0.3.5" } +kanidm-hsm-crypto = { version = "^0.3.6" } whoami = "1.6.1" -kanidm_lib_file_permissions = "1.9.1" +kanidm_lib_file_permissions = "1.10.0" md4 = "0.10.2" md-5 = "0.10.6" sha-crypt = "0.5.0"
fuzz/Cargo.toml+2 −2 modified@@ -17,8 +17,8 @@ libfuzzer-sys = "0.4" himmelblau_unix_common = { workspace = true } idmap = { workspace = true } arbitrary = { version = "1.4.2", features = ["derive"] } -tempfile = "3.26.0" -uuid = "1.21.0" +tempfile = "3.27.0" +uuid = "1.23.1" [[bin]] name = "config"
src/broker/Cargo.toml+1 −1 modified@@ -10,7 +10,7 @@ homepage.workspace = true repository.workspace = true [dependencies] -dbus = "0.9.10" +dbus = "0.9.11" himmelblau_unix_common.workspace = true identity_dbus_broker.workspace = true tokio.workspace = true
src/broker-client/Cargo.toml+1 −1 modified@@ -10,4 +10,4 @@ repository.workspace = true [dependencies] serde_json.workspace = true -zbus = "^5.14" +zbus = "^5.15"
src/cli/Cargo.toml+1 −1 modified@@ -25,7 +25,7 @@ clap_complete = { workspace = true } anyhow = { workspace = true } uzers = "^0.12.2" sketching = { workspace = true } -rpassword = "^7.4.0" +rpassword = "^7.5.2" libc.workspace = true libhimmelblau.workspace = true kanidm-hsm-crypto.workspace = true
src/common/Cargo.toml+3 −2 modified@@ -53,11 +53,12 @@ regex = "1.12.3" sha2 = "0.11.0-rc" base64.workspace = true authenticator = { version = "0.5.0", default-features = false, features = ["crypto_openssl"] } -rpassword = "7.4.0" +rpassword = "7.5.2" der = "0.8.0" openidconnect = "4.0.1" oauth2 = "5.0.0" -totp-rs = { version = "5.7.0", features = ["gen_secret", "otpauth", "qr", "serde_support", "zeroize"] } +totp-rs = { version = "5.7.1", features = ["gen_secret", "otpauth", "qr", "serde_support", "zeroize"] } hostname = "0.4.2" qrcodegen = "1.8.0" urlencoding = { workspace = true } +x509-cert = { workspace = true }
src/common/src/tpm.rs+3 −3 modified@@ -272,8 +272,8 @@ pub fn confidential_client_creds<D: crate::db::KeyStoreTxn + Send>( CONFIDENTIAL_CLIENT_SECRET_TAG, }; use crate::idprovider::interface::IdpError; - use kanidm_lib_crypto::x509_cert::der::asn1::Utf8StringRef; - use kanidm_lib_crypto::x509_cert::der::Decode; + use x509_cert::der::asn1::Utf8StringRef; + use x509_cert::der::Decode; use serde_json::Value; let secret_tag = format!("{}/{}", domain, CONFIDENTIAL_CLIENT_SECRET_TAG); @@ -316,7 +316,7 @@ pub fn confidential_client_creds<D: crate::db::KeyStoreTxn + Send>( let cert_tag = format!("{}/{}", domain, CONFIDENTIAL_CLIENT_CERT_TAG); if let Ok(Some(sealed_cert)) = keystore.get_tagged_hsm_key(&cert_tag) { - let cert = kanidm_lib_crypto::x509_cert::Certificate::from_der( + let cert = x509_cert::Certificate::from_der( &hsm.unseal_data(machine_key, &sealed_cert).map_err(|e| { error!("Failed to unseal certificate: {:?}", e); IdpError::KeyStore
src/daemon/Cargo.toml+1 −1 modified@@ -48,7 +48,7 @@ kanidm_lib_file_permissions.workspace = true identity_dbus_broker.workspace = true base64.workspace = true async-trait.workspace = true -sd-notify = "0.4.5" +sd-notify = "0.5.0" libhimmelblau.workspace = true url.workspace = true console-subscriber = { workspace = true, optional = true }
src/daemon/src/daemon.rs+2 −2 modified@@ -1492,7 +1492,7 @@ async fn main() -> ExitCode { if systemd_booted { if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() { - let _ = sd_notify::notify(true, &[NotifyState::Ready, monotonic_usec]); + let _ = sd_notify::notify(&[NotifyState::Ready, monotonic_usec]); } } @@ -1544,7 +1544,7 @@ async fn main() -> ExitCode { info!("Signal received, sending down signal to tasks"); if systemd_booted { if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() { - let _ = sd_notify::notify(true, &[NotifyState::Stopping, monotonic_usec]); + let _ = sd_notify::notify(&[NotifyState::Stopping, monotonic_usec]); } }
src/daemon/src/tasks_daemon.rs+2 −2 modified@@ -873,7 +873,7 @@ async fn main() -> ExitCode { if systemd_booted { if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() { - let _ = sd_notify::notify(true, &[NotifyState::Ready, monotonic_usec]); + let _ = sd_notify::notify(&[NotifyState::Ready, monotonic_usec]); } } @@ -924,7 +924,7 @@ async fn main() -> ExitCode { info!("Signal received, shutting down"); if systemd_booted { if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() { - let _ = sd_notify::notify(true, &[NotifyState::Stopping, monotonic_usec]); + let _ = sd_notify::notify(&[NotifyState::Stopping, monotonic_usec]); } }
src/fxhash/Cargo.toml+1 −1 modified@@ -12,4 +12,4 @@ homepage.workspace = true repository.workspace = true [dependencies] -rustc-hash = "2.1.1" +rustc-hash = "2.1.2"
src/idmap/Cargo.toml+1 −1 modified@@ -19,5 +19,5 @@ tracing.workspace = true uuid.workspace = true [build-dependencies] -cc = "1.2.56" +cc = "1.2.61" bindgen = "0.72.1"
src/paste/Cargo.toml+1 −1 modified@@ -14,4 +14,4 @@ repository.workspace = true #proc-macro = true [dependencies] -pastey = "0.2.1" +pastey = "0.2.2"
src/policies/Cargo.toml+2 −2 modified@@ -25,8 +25,8 @@ base64.workspace = true tokio.workspace = true himmelblau_unix_common = { workspace = true } os-release = "0.1.0" -semver = "1.0.27" +semver = "1.0.28" libhimmelblau.workspace = true uuid.workspace = true libc.workspace = true -tempfile = "3.26.0" +tempfile = "3.27.0"
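Review bot: In src/daemon/src/daemon.rs and src/daemon/src/tasks_daemon.rs, the sd-notify 0.4.5 to 0.5.0 bump drops the leading `true` argument from all four `sd_notify::notify(...)` calls, and nothing in the diff says whether the behaviour that flag selected is preserved. Please state in the commit message whether the 0.5.0 call is equivalent or the change is intentional. The result is still discarded with `let _ =`, so a failed Ready or Stopping notification stays silent; logging the error at debug level would help when a unit hangs in "activating". This commit also mixes an API migration and a new direct `x509-cert` dependency (src/common/src/tpm.rs) with routine version bumps, which makes it harder to bisect; consider splitting them.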
d9406eaba1ea Add configurable request_timeout to fix multi-address DNS failures
13 files changed · +161 −32
Cargo.toml+1 −1 modified@@ -54,7 +54,7 @@ serde_json = "^1.0.149" tracing-subscriber = "^0.3.23" tracing = "^0.1.37" himmelblau_unix_common = { path = "src/common" } -libhimmelblau = { version = "0.8.18", features = ["broker", "changepassword", "on_behalf_of", "mfa_method_selection", "optional_mfa", "intune_portal_vers_selection"] } +libhimmelblau = { version = "0.8.18", features = ["broker", "changepassword", "on_behalf_of", "mfa_method_selection", "optional_mfa", "intune_portal_vers_selection", "set_timeout"] } clap = { version = "^4.6", features = ["derive", "env"] } clap_complete = "^4.6.3" reqwest = { version = "^0.12.24", features = ["json"] }
docs-xml/himmelblauconf/base/request_timeout.xml+15 −0 added@@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8"?> +<parameter name="request_timeout" + section="global" + type="u64" + rust_type="u64" + documented="true" + domain_specific="false" + order="46"> +<description> +The timeout in seconds for HTTP requests to authentication servers. This includes DNS resolution, connection attempts across all resolved IP addresses, TLS handshake, and HTTP request/response. Increase this value if authentication fails in environments where DNS returns many IP addresses for the same hostname (e.g., 7+ addresses). Default is 10 seconds to accommodate Happy Eyeballs connection attempts across multiple addresses. +</description> +<default>10</default> +<default_const>DEFAULT_REQUEST_TIMEOUT</default_const> +<example>request_timeout = 15</example> +</parameter>
man/man5/himmelblau.conf.5+12 −1 modified@@ -1,4 +1,4 @@ -.TH HIMMELBLAU.CONF "5" "April 2026" "Himmelblau Configuration" "File Formats" +.TH HIMMELBLAU.CONF "5" "May 2026" "Himmelblau Configuration" "File Formats" .SH NAME himmelblau.conf \- Configuration file for Himmelblau, enabling Azure Entra ID authentication on Linux. @@ -756,6 +756,17 @@ Default: 300 .P Example: cache_timeout = 10 +.TP +.B request_timeout +.RE +The timeout in seconds for HTTP requests to authentication servers. This includes DNS resolution, connection attempts across all resolved IP addresses, TLS handshake, and HTTP request/response. Increase this value if authentication fails in environments where DNS returns many IP addresses for the same hostname (e.g., 7+ addresses). Default is 10 seconds to accommodate Happy Eyeballs connection attempts across multiple addresses. + +.P +Default: 10 + +.P +Example: request_timeout = 15 + .TP .B use_etc_skel .RE
nix/modules/himmelblau-options.nix+9 −0 modified@@ -636,6 +636,15 @@ in example = 10; }; + request_timeout = mkOption { + type = types.nullOr (types.ints.unsigned); + default = 10; + description = '' + The timeout in seconds for HTTP requests to authentication servers. This includes DNS resolution, connection attempts across all resolved IP addresses, TLS handshake, and HTTP request/response. Increase this value if authentication fails in environments where DNS returns many IP addresses for the same hostname (e.g., 7+ addresses). Default is 10 seconds to accommodate Happy Eyeballs connection attempts across multiple addresses. + ''; + example = 15; + }; + use_etc_skel = mkOption { type = types.nullOr (types.bool); default = false;
src/cli/src/main.rs+29 −5 modified@@ -522,11 +522,13 @@ async fn confidential_client_access_token( None => "common".to_string(), }; let authority = format!("https://{}/{}", authority_host, tenant_id); + let request_timeout = cfg.get_request_timeout(); let app = match ConfidentialClientApplication::new( &cred_client_id, Some(&authority), client_creds, + Duration::from_secs(request_timeout), ) { Ok(app) => app, Err(e) => { @@ -690,7 +692,7 @@ async fn main() -> ExitCode { return ExitCode::FAILURE; }; - let graph = match Graph::new(DEFAULT_ODC_PROVIDER, &domain, None, None, None).await { + let graph = match Graph::new(DEFAULT_ODC_PROVIDER, &domain, None, None, None, Duration::from_secs($cfg.get_request_timeout())).await { Ok(graph) => graph, Err(e) => { error!("Failed discovering tenant: {:?}", e); @@ -775,8 +777,15 @@ async fn main() -> ExitCode { } macro_rules! client { - ($authority:expr, $transport_key:expr, $cert_key:expr) => {{ - match BrokerClientApplication::new(Some(&$authority), None, $transport_key, $cert_key) { + ($cfg:expr, $authority:expr, $transport_key:expr, $cert_key:expr) => {{ + let request_timeout = $cfg.get_request_timeout(); + match BrokerClientApplication::new( + Some(&$authority), + None, + $transport_key, + $cert_key, + Duration::from_secs(request_timeout), + ) { Ok(app) => app, Err(e) => { error!("Failed creating app: {:?}", e); 
@@ -818,7 +827,22 @@ async fn main() -> ExitCode { if let Some((domain, access_token)) = confidential_client_access_token( $client_id.clone(), $account_id.clone(), None ).await { - if let Ok(graph) = Graph::new(DEFAULT_ODC_PROVIDER, &domain, None, None, None).await { + let cfg = match HimmelblauConfig::new(Some(DEFAULT_CONFIG_PATH)) { + Ok(c) => c, + Err(_e) => { + error!("Failed to parse {}", DEFAULT_CONFIG_PATH); + return ExitCode::FAILURE; + } + }; + let request_timeout = cfg.get_request_timeout(); + if let Ok(graph) = Graph::new( + DEFAULT_ODC_PROVIDER, + &domain, + None, + None, + None, + Duration::from_secs(request_timeout), + ).await { result = Some((graph, access_token)); } } @@ -887,7 +911,7 @@ async fn main() -> ExitCode { let (graph, domain, authority) = init!(cfg, Some(account_id.clone()), None); let (mut tpm, loadable_transport_key, loadable_cert_key, machine_key) = obtain_host_data!(domain, cfg); - let app = client!(authority, Some(loadable_transport_key), Some(loadable_cert_key)); + let app = client!(cfg, authority, Some(loadable_transport_key), Some(loadable_cert_key)); let user_token = auth(&app, &account_id).await; if let Some(user_token) = &user_token { let token = on_behalf_of_token!(
src/common/src/config.rs+19 −4 modified@@ -34,10 +34,10 @@ use crate::constants::{ DEFAULT_HELLO_PIN_MIN_LEN, DEFAULT_HELLO_PIN_RETRY_COUNT, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX, DEFAULT_HSM_PIN_PATH, DEFAULT_ID_ATTR_MAP, DEFAULT_JOIN_TYPE, DEFAULT_ODC_PROVIDER, DEFAULT_OFFLINE_BREAKGLASS_TTL, - DEFAULT_PASSWORD_ONLY_REMOTE_SERVICES_DENY_LIST, DEFAULT_POLICIES_DB_DIR, DEFAULT_SELINUX, - DEFAULT_SFA_FALLBACK_ENABLED, DEFAULT_SHELL, DEFAULT_SOCK_PATH, DEFAULT_TASK_SOCK_PATH, - DEFAULT_TPM_TCTI_NAME, DEFAULT_USER_MAP_FILE, DEFAULT_USE_ETC_SKEL, MAPPED_NAME_CACHE, - SERVER_CONFIG_PATH, + DEFAULT_PASSWORD_ONLY_REMOTE_SERVICES_DENY_LIST, DEFAULT_POLICIES_DB_DIR, + DEFAULT_REQUEST_TIMEOUT, DEFAULT_SELINUX, DEFAULT_SFA_FALLBACK_ENABLED, DEFAULT_SHELL, + DEFAULT_SOCK_PATH, DEFAULT_TASK_SOCK_PATH, DEFAULT_TPM_TCTI_NAME, DEFAULT_USER_MAP_FILE, + DEFAULT_USE_ETC_SKEL, MAPPED_NAME_CACHE, SERVER_CONFIG_PATH, }; use crate::mapping::{MappedNameCache, Mode}; use crate::unix_config::{HomeAttr, HsmType}; @@ -922,6 +922,21 @@ mod tests { assert_eq!(config_empty.get_connection_timeout(), 30); } + #[test] + fn test_get_request_timeout() { + let config_data = r#" + [global] + request_timeout = 15 + "#; + + let temp_file = create_temp_config(config_data); + let config = HimmelblauConfig::new(Some(&temp_file)).unwrap(); + + assert_eq!(config.get_request_timeout(), 15); + let config_empty = create_empty_config(); + assert_eq!(config_empty.get_request_timeout(), DEFAULT_REQUEST_TIMEOUT); + } + #[test] fn test_get_idmap_range() { let config_data = r#"
src/common/src/constants.rs+1 −0 modified@@ -41,6 +41,7 @@ pub const DEFAULT_GRAPH: &str = "https://graph.microsoft.com"; pub const DEFAULT_APP_ID: &str = "b743a22d-6705-4147-8670-d92fa515ee2b"; pub const DRS_APP_ID: &str = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"; pub const DEFAULT_CONN_TIMEOUT: u64 = 30; +pub const DEFAULT_REQUEST_TIMEOUT: u64 = 10; pub const DEFAULT_CACHE_TIMEOUT: u64 = 300; pub const DEFAULT_SELINUX: bool = true; pub const DEFAULT_HSM_PIN_PATH: &str = "/var/lib/himmelblaud/hsm-pin";
src/common/src/idprovider/common.rs+7 −1 modified@@ -663,7 +663,13 @@ macro_rules! no_op_prt_token_fetch { #[macro_export] macro_rules! entra_id_refresh_token_token_fetch { ($self:ident, $refresh_token:ident, $scopes:ident) => {{ - let client = PublicClientApplication::new(BROKER_APP_ID, None).map_err(|e| { + let request_timeout = $self.config.lock().await.get_request_timeout(); + let client = PublicClientApplication::new( + BROKER_APP_ID, + None, + std::time::Duration::from_secs(request_timeout), + ) + .map_err(|e| { error!("Failed to create public client application: {:?}", e); IdpError::BadRequest })?;
src/common/src/idprovider/himmelblau.rs+40 −14 modified@@ -202,21 +202,24 @@ impl HimmelblauMultiProvider { if oidc_issuer_url.is_none() { for domain in domains { debug!("Adding provider for domain {}", domain); - let (authority_host, tenant_id, graph_url, odc_provider) = { + let (authority_host, tenant_id, graph_url, odc_provider, app_id) = { let cfg = config.lock().await; ( cfg.get_authority_host(&domain), cfg.get_tenant_id(&domain), cfg.get_graph_url(&domain), cfg.get_odc_provider(&domain), + cfg.get_app_id(&domain), ) }; + let request_timeout = config.lock().await.get_request_timeout(); let graph = match Graph::new( &odc_provider, &domain, Some(&authority_host), tenant_id.as_deref(), graph_url.as_deref(), + Duration::from_secs(request_timeout), ) .await { @@ -226,12 +229,17 @@ impl HimmelblauMultiProvider { continue; } }; - let app_id = config.lock().await.get_app_id(&domain); - let app = BrokerClientApplication::new(None, app_id.as_deref(), None, None) - .map_err(|e| { - error!("Failed initializing provider: {:?}", e); - anyhow!("{:?}", e) - })?; + let app = BrokerClientApplication::new( + None, + app_id.as_deref(), + None, + None, + Duration::from_secs(request_timeout), + ) + .map_err(|e| { + error!("Failed initializing provider: {:?}", e); + anyhow!("{:?}", e) + })?; let provider = HimmelblauProvider::new(app, &config, &domain, graph, &idmap) .map_err(|e| { error!("Failed to initialize the provider: {:?}", e); @@ -1165,10 +1173,12 @@ impl IdProvider for HimmelblauProvider { (authority_host, tenant_id) }; let authority = format!("https://{}/{}", authority_host, tenant_id); + let request_timeout = self.config.lock().await.get_request_timeout(); let app = ConfidentialClientApplication::new( $client_id, Some(&authority), $client_credential, + Duration::from_secs(request_timeout), ) .map_err(|e| { error!(?e, "Failed initializing confidential client"); 
@@ -1491,7 +1501,13 @@ impl IdProvider for HimmelblauProvider { } } RefreshCacheEntry::RefreshToken(refresh_token) => { - let client = PublicClientApplication::new(BROKER_APP_ID, None).map_err(|e| { + let request_timeout = self.config.lock().await.get_request_timeout(); + let client = PublicClientApplication::new( + BROKER_APP_ID, + None, + Duration::from_secs(request_timeout), + ) + .map_err(|e| { error!("Failed to create public client application: {:?}", e); IdpError::BadRequest })?; @@ -2754,7 +2770,12 @@ impl IdProvider for HimmelblauProvider { } } else if let Some(RefreshCacheEntry::RefreshToken(refresh_token)) = refresh_cache_entry { // We have a refresh token, exchange that for an access token - let app = match PublicClientApplication::new(BROKER_APP_ID, None) { + let request_timeout = self.config.lock().await.get_request_timeout(); + let app = match PublicClientApplication::new( + BROKER_APP_ID, + None, + std::time::Duration::from_secs(request_timeout), + ) { Ok(app) => app, Err(e) => { error!("Failed to create PublicClientApplication: {:?}", e); @@ -4927,11 +4948,16 @@ impl HimmelblauProvider { if vers.is_empty() { vers = vec!["1.2511.11".to_string()]; } - let intune = IntuneForLinux::new(endpoints, Some(&vers[vers.len() - 1])) - .map_err(|e| { - error!(?e, "Intune device enrollment failed."); - IdpError::BadRequest - })?; + let request_timeout = self.config.lock().await.get_request_timeout(); + let intune = IntuneForLinux::new( + endpoints, + Some(&vers[vers.len() - 1]), + std::time::Duration::from_secs(request_timeout), + ) + .map_err(|e| { + error!(?e, "Intune device enrollment failed."); + IdpError::BadRequest + })?; let device_id = match device_id { Some(v) => v.to_string(), None => self
src/common/src/idprovider/openidconnect.rs+3 −0 modified@@ -360,8 +360,11 @@ impl OidcApplication { })? }; + let request_timeout = config.lock().await.get_request_timeout(); let http_client = reqwest::ClientBuilder::new() .redirect(reqwest::redirect::Policy::none()) + .connect_timeout(std::time::Duration::from_secs(request_timeout / 2)) + .timeout(std::time::Duration::from_secs(request_timeout)) .build() .map_err(|e| { error!(?e, "Failed to build HTTP client for OIDC");
src/daemon/src/tasks_daemon.rs+2 −0 modified@@ -643,12 +643,14 @@ async fn handle_tasks(stream: UnixStream, cfg: &HimmelblauConfig) { let authority_host = cfg.get_authority_host(domain); let tenant_id = cfg.get_tenant_id(domain); let graph_url = cfg.get_graph_url(domain); + let request_timeout = cfg.get_request_timeout(); if let Ok(graph) = Graph::new( &cfg.get_odc_provider(domain), domain, Some(&authority_host), tenant_id.as_deref(), graph_url.as_deref(), + Duration::from_secs(request_timeout), ) .await {
src/pam/src/pam/mod.rs+6 −1 modified@@ -606,7 +606,12 @@ impl PamHooks for PamKanidm { None => "common".to_string(), }; let authority = format!("https://{}/{}", cfg.get_authority_host(domain), tenant_id); - let app = match PublicClientApplication::new(BROKER_APP_ID, Some(&authority)) { + let request_timeout = cfg.get_request_timeout(); + let app = match PublicClientApplication::new( + BROKER_APP_ID, + Some(&authority), + Duration::from_secs(request_timeout), + ) { Ok(app) => app, Err(e) => { error!(err = ?e, "PublicClientApplication");
src/policies/src/policies.rs+17 −5 modified@@ -50,9 +50,17 @@ pub async fn apply_intune_policy( "Applying policies for user and device" ); - let graph = Graph::new(&config.get_odc_provider(domain), domain, None, None, None) - .await - .map_err(|e| anyhow!(e))?; + let request_timeout = config.get_request_timeout(); + let graph = Graph::new( + &config.get_odc_provider(domain), + domain, + None, + None, + None, + Duration::from_secs(request_timeout), + ) + .await + .map_err(|e| anyhow!(e))?; let endpoints = graph .intune_service_endpoints(graph_token) @@ -68,8 +76,12 @@ pub async fn apply_intune_policy( if vers.is_empty() { vers = vec!["1.2511.11".to_string()]; } - let intune = - IntuneForLinux::new(endpoints, Some(&vers[vers.len() - 1])).map_err(|e| anyhow!(e))?; + let intune = IntuneForLinux::new( + endpoints, + Some(&vers[vers.len() - 1]), + Duration::from_secs(request_timeout), + ) + .map_err(|e| anyhow!(e))?; let token = UserToken { token_type: String::new(),
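Review bot: In src/common/src/idprovider/openidconnect.rs, `.connect_timeout(std::time::Duration::from_secs(request_timeout / 2))` uses integer division, so `request_timeout = 1` produces a zero-second connect timeout, and nothing in this diff enforces a lower bound on the configured value. Clamp the result to a minimum or reject very small values when the config is loaded. The halving is also undocumented: request_timeout.xml and the man page describe one overall timeout, and among the call sites shown only the OIDC client splits it this way, so either document the split or pass the full value. `test_get_request_timeout` covers 15 and the default only; add a case for a small or zero value.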
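Review bot: In src/cli/src/main.rs, the hunk at @@ -818 re-parses the configuration with `HimmelblauConfig::new(Some(DEFAULT_CONFIG_PATH))` inside the macro only to read the timeout, and binds the parse error as `_e` without logging it. Take the config as a macro argument, as the `client!` macro now does with `$cfg`, and include the error in the `error!` call so a malformed config file is diagnosable. In src/common/src/idprovider/himmelblau.rs, the first hunk takes a second `config.lock().await` for `request_timeout` immediately after the block that already holds the lock; read it in the same tuple as `app_id`. The same file mixes `Duration::from_secs` and `std::time::Duration::from_secs`; pick one form.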
f9b2186256e7 feat(firefox): Update Firefox extension to v1.8.0
3 files changed · +3 −3
src/sso-policies/scripts/postinst+1 −1 modified@@ -5,7 +5,7 @@ set -e # Merges Firefox extension configuration into existing policies without overwriting # (Chrome/Chromium use separate policy files per application, so no merging needed) -FIREFOX_EXTENSION_URL="https://github.com/siemens/linux-entra-sso/releases/download/v1.3.1/linux_entra_sso-1.3.1.xpi" +FIREFOX_EXTENSION_URL="https://github.com/siemens/linux-entra-sso/releases/download/v1.8.0/linux_entra_sso-1.8.0.xpi" # Function to merge Firefox extension into policies.json merge_firefox_policy() {
src/sso-policies/scripts/postrm+1 −1 modified@@ -5,7 +5,7 @@ set -e # Removes Firefox extension configuration that was merged during install # (Chrome/Chromium policy files are handled by package manager directly) -FIREFOX_EXTENSION_URL="https://github.com/siemens/linux-entra-sso/releases/download/v1.3.1/linux_entra_sso-1.3.1.xpi" +FIREFOX_EXTENSION_URL="https://github.com/siemens/linux-entra-sso/releases/download/v1.8.0/linux_entra_sso-1.8.0.xpi" # Function to remove Firefox extension from policies.json remove_firefox_policy() {
src/sso-policies/src/firefox/policies.json+1 −1 modified@@ -2,7 +2,7 @@ "policies": { "Extensions": { "Install": [ - "https://github.com/siemens/linux-entra-sso/releases/download/v1.3.1/linux_entra_sso-1.3.1.xpi" + "https://github.com/siemens/linux-entra-sso/releases/download/v1.8.0/linux_entra_sso-1.8.0.xpi" ] } }
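Review bot: The extension URL is hard-coded in three files (postinst, postrm and policies.json) and every version bump has to change all three in step; define it once and generate or substitute the other two at build time. In postrm, `FIREFOX_EXTENSION_URL` now holds the v1.8.0 URL: if `remove_firefox_policy` matches the policies.json entry by this exact string, a host where the old postinst merged the v1.3.1 URL will keep that stale entry after upgrade or removal. Please confirm how the match is done and, if it is by full URL, have the upgrade path remove the previous entry as well.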
Vulnerability mechanics
Root cause
"Missing local-part (username) comparison in token validation allows a user in the same Entra ID tenant to authenticate as another user."
Attack vector
An attacker who is a valid user within the same Entra ID domain can unlock another user's locked GDM session by scanning the QR code displayed on the lock screen with their own phone and signing with their own passkey [patch_id=2749085]. Entra's passwordless caBLE flow returns a token whose `spn` contains the attacker's UPN (e.g., `bob@example.com`). The `token_validate` function compares the requested `account_id` (e.g., `alice@example.com`) against the token's `spn`; because both users share the same domain, `domains_are_aliases()` returns true, and the missing local-part comparison causes validation to pass [patch_id=2749085]. The daemon then builds a Unix user token using the victim's `account_id` for UID/GID lookup, unlocking the victim's session even though the authenticating human was the attacker [patch_id=2749085].
Affected code
The vulnerability resides in the `token_validate` function within `src/common/src/idprovider/himmelblau.rs` [patch_id=2749085][patch_id=2749091]. The function splits the `account_id` and the token's `spn` into local part and domain, but the original code only compared the domains via `domains_are_aliases()` — the local parts (usernames before `@`) were never compared [patch_id=2749085]. This allowed any user in the same Entra ID tenant to authenticate as any other user.
What the fix does
Both patches [patch_id=2749085] and [patch_id=2749091] apply the same logic to two locations in `token_validate`. The fix extracts both the local part and the domain from `account_id` and `spn` using `split_username()`, then adds a new condition: `local1.to_lowercase() != local2.to_lowercase() || !domains_match` [patch_id=2749085]. Previously the code only checked `!domains_match`. This ensures that even when two domains are aliases in the same tenant, the usernames before the `@` sign must match case-insensitively, preventing a different user from authenticating under another user's identity [patch_id=2749085].
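The difference between the two checks, as an added example that is not Himmelblau's code: `split_username` and `domains_are_aliases` reuse the names from the description above, but their bodies, the extra `tenant` parameter and the sample UPNs are assumptions made for illustration.

```rust
/// Stand-in for `split_username()`: splits a UPN into (local part, domain).
/// Returns None unless there is exactly one '@' with text on both sides.
fn split_username(upn: &str) -> Option<(&str, &str)> {
    let (local, domain) = upn.split_once('@')?;
    if local.is_empty() || domain.is_empty() || domain.contains('@') {
        return None;
    }
    Some((local, domain))
}

/// Stand-in for `domains_are_aliases()`: true when both domains belong to the
/// same tenant. `tenant_domains` is a constructed alias list (assumption).
fn domains_are_aliases(d1: &str, d2: &str, tenant_domains: &[&str]) -> bool {
    let known = |d: &str| tenant_domains.iter().any(|t| t.eq_ignore_ascii_case(d));
    d1.eq_ignore_ascii_case(d2) || (known(d1) && known(d2))
}

/// Pre-fix behaviour as described: only the domains are compared.
fn validate_domain_only(account_id: &str, spn: &str, tenant: &[&str]) -> bool {
    match (split_username(account_id), split_username(spn)) {
        (Some((_, d1)), Some((_, d2))) => domains_are_aliases(d1, d2, tenant),
        _ => false,
    }
}

/// Post-fix behaviour: reject when the local parts differ (case-insensitively)
/// or the domains do not match. Malformed UPNs are rejected outright.
fn validate_full_upn(account_id: &str, spn: &str, tenant: &[&str]) -> bool {
    let (Some((local1, d1)), Some((local2, d2))) =
        (split_username(account_id), split_username(spn))
    else {
        return false;
    };
    let domains_match = domains_are_aliases(d1, d2, tenant);
    if local1.to_lowercase() != local2.to_lowercase() || !domains_match {
        return false;
    }
    true
}

fn main() {
    // Constructed tenant with one alias domain.
    let tenant = ["example.com", "example.onmicrosoft.com"];
    // (requested account_id, UPN carried in the token)
    let cases = [
        ("alice@example.com", "bob@example.com"),
        ("alice@example.com", "Alice@example.onmicrosoft.com"),
        ("alice@example.com", "alice@other.test"),
    ];
    for (account_id, spn) in cases {
        println!(
            "requested={account_id} token={spn} domain_only={} full_upn={}",
            validate_domain_only(account_id, spn, &tenant),
            validate_full_upn(account_id, spn, &tenant)
        );
    }
}
```

The alias case shows why the domain comparison has to stay: the same user under an alias domain must still validate, so the fix adds the local-part comparison rather than replacing the domain check with a strict string equality.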
Preconditions
- auth: Attacker must be a valid user within the same Entra ID domain as the victim
- config: Victim must have a locked GDM session with a QR code displayed
- input: Attacker must have a phone capable of scanning the QR code and signing with their own passkey
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.