VYPR

apk package

wolfi/vector

pkg:apk/wolfi/vector

Vulnerabilities (11)

  • CVE-2026-45784May 19, 2026
    affected < 0.55.0-r6fixed 0.55.0-r6

    `CipherCtxRef::cipher_update_inplace` incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-con

  • CVE-2026-44662MedMay 14, 2026
    affected < 0.55.0-r4fixed 0.55.0-r4

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_

  • CVE-2026-42327HigMay 14, 2026
    affected < 0.55.0-r4fixed 0.55.0-r4

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref wraps the raw bytes with str::from_utf8_unch

  • CVE-2026-41898CriApr 24, 2026
    affected < 0.55.0-r1fixed 0.55.0-r1

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the use

  • CVE-2026-41681CriApr 24, 2026
    affected < 0.55.0-r1fixed 0.55.0-r1

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the sta

  • CVE-2026-41678CriApr 24, 2026
    affected < 0.55.0-r1fixed 0.55.0-r1

    rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8,

  • CVE-2026-41677CriApr 24, 2026
    affected < 0.55.0-r1fixed 0.55.0-r1

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can caus

  • CVE-2026-41676CriApr 24, 2026
    affected < 0.55.0-r1fixed 0.55.0-r1

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519,

  • CVE-2026-31812HigMar 10, 2026
    affected < 0.54.0-r3fixed 0.54.0-r3

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf

  • CVE-2026-21895Jan 8, 2026
    affected < 0.55.0-r0fixed 0.55.0-r0

    The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

  • CVE-2023-49092Nov 28, 2023
    affected < 0.55.0-r0fixed 0.55.0-r0

    RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key