Summary
Running `cargo audit` on v0.4.9 reports 5 vulnerabilities in `aws-lc-sys 0.37.1`, all fixable by upgrading to `>=0.39.0`.
Vulnerabilities
| ID | Severity | Title | Fix |
|---|---|---|---|
| RUSTSEC-2026-0047 | High (7.5) | PKCS7_verify Signature Validation Bypass | >=0.38.0 |
| RUSTSEC-2026-0046 | High (7.5) | PKCS7_verify Certificate Chain Validation Bypass | >=0.38.0 |
| RUSTSEC-2026-0048 | High (7.4) | CRL Distribution Point Scope Check Logic Error | >=0.39.0 |
| RUSTSEC-2026-0045 | Medium (5.9) | Timing Side-Channel in AES-CCM Tag Verification | >=0.38.0 |
| RUSTSEC-2026-0044 | Medium | X.509 Name Constraints Bypass via Wildcard/Unicode CN | >=0.39.0 |
Dependency chain
```
aws-lc-sys 0.37.1
└── aws-lc-rs 1.15.4 (requires aws-lc-sys = "^0.37")
    └── rustls 0.23.36
        ├── lettre 0.11.19 → agent-diva-channels
        ├── reqwest 0.12.28 → agent-diva-tools
        └── tokio-rustls 0.26.4
```
Manual patching is blocked because `aws-lc-rs 1.15.4` pins `aws-lc-sys = "^0.37"`. The fix requires upgrading `aws-lc-rs` to a version that accepts `aws-lc-sys 0.39.x`, then updating `rustls` and downstream crates accordingly.
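To make the two claims above reproducible (the minimum patched version across all five advisories, and why the `^0.37` pin blocks it), here is an added helper that is not part of this issue or the project's code. It reads a report in the shape of `cargo audit --json` (the `vulnerabilities.list[].versions.patched` field names are assumed, and the sample report is constructed from the table above) and applies Cargo's caret requirement rule.

```python
import json

# Constructed sample in the assumed shape of `cargo audit --json`;
# only the fields this helper reads are included.
SAMPLE_REPORT = json.dumps({"vulnerabilities": {"list": [
    {"advisory": {"id": "RUSTSEC-2026-0047"}, "package": {"name": "aws-lc-sys", "version": "0.37.1"}, "versions": {"patched": [">=0.38.0"]}},
    {"advisory": {"id": "RUSTSEC-2026-0046"}, "package": {"name": "aws-lc-sys", "version": "0.37.1"}, "versions": {"patched": [">=0.38.0"]}},
    {"advisory": {"id": "RUSTSEC-2026-0048"}, "package": {"name": "aws-lc-sys", "version": "0.37.1"}, "versions": {"patched": [">=0.39.0"]}},
    {"advisory": {"id": "RUSTSEC-2026-0045"}, "package": {"name": "aws-lc-sys", "version": "0.37.1"}, "versions": {"patched": [">=0.38.0"]}},
    {"advisory": {"id": "RUSTSEC-2026-0044"}, "package": {"name": "aws-lc-sys", "version": "0.37.1"}, "versions": {"patched": [">=0.39.0"]}},
]}})


def parse_version(v):
    """'0.37.1' -> (0, 37, 1); missing components are padded with 0."""
    parts = tuple(int(x) for x in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def min_patched_version(report_json, crate):
    """Lowest version satisfying every '>=X' patched bound for `crate`, or None."""
    bounds = []
    for vuln in json.loads(report_json)["vulnerabilities"]["list"]:
        if vuln["package"]["name"] != crate:
            continue
        for req in vuln["versions"]["patched"]:
            if req.startswith(">="):
                bounds.append(parse_version(req[2:]))
    return ".".join(map(str, max(bounds))) if bounds else None


def caret_allows(requirement, version):
    """Cargo caret rule: the leftmost non-zero component of the requirement
    must stay fixed, e.g. ^0.37 allows >=0.37.0 <0.38.0, ^1.15 allows <2.0.0."""
    base = parse_version(requirement.lstrip("^"))
    v = parse_version(version)
    if v < base:
        return False
    fixed = 0
    while fixed < 2 and base[fixed] == 0:
        fixed += 1
    return v[:fixed + 1] == base[:fixed + 1]


def upgrade_blocked(report_json, crate, dependent_requirement):
    """(target version, True if the dependent's pin rejects that target)."""
    target = min_patched_version(report_json, crate)
    return target, target is not None and not caret_allows(dependent_requirement, target)
```

For the sample report, `upgrade_blocked(SAMPLE_REPORT, "aws-lc-sys", "^0.37")` returns `("0.39.0", True)`, which is the situation described in this issue.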
Additional note
`rsa 0.9.10` (RUSTSEC-2023-0071, Marvin Attack) is also flagged — no upstream fix available yet, pulled in via `sqlx-mysql`.
Tested on: agent-diva v0.4.9, macOS aarch64, cargo-audit latest.