From a1a29b5ec82fd8a99ffe27336666e8967da2eea5 Mon Sep 17 00:00:00 2001
From: Markus Unterwaditzer
Date: Thu, 2 Apr 2026 00:43:53 +0200
Subject: [PATCH] Upgrade rustls-webpki to fix CVE

We have two versions of rustls-webpki in our deptree:
- One used in the ring backend, which we're upgrading here
- One used in the rustcrypto backend, which we can't upgrade and therefore have to ignore the CVE anyway.

The ring backend is the one we actually use in release builds. rustcrypto is only used during development builds to make compilation simpler.

---
 .cargo/audit.toml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 6351cf6..f657580 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -8,4 +8,8 @@ ignore = [
 # user-input. we could get rid of this warning by disabling the image
 # dependency in adb-client.
 "RUSTSEC-2024-0436",
+ # rustls-webpki 0.102.8 CRL Distribution Point flaw (via rustls-rustcrypto).
+ # Only affects dev builds, production firmware uses ring-tls.
+ # TODO: Remove once rustls-rustcrypto releases a version newer than 0.0.2-alpha.
+ "RUSTSEC-2026-0049",
 ]
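Review bot: The patch only adds the audit ignore — the diffstat lists `.cargo/audit.toml` as the sole file changed — so the rustls-webpki upgrade for the ring backend that the subject line and commit body announce is not in this commit; either the Cargo.lock bump belongs here or the subject should say the advisory is being ignored for the rustcrypto path. A cargo-audit `ignore` entry is also advisory-wide rather than per dependency path, so listing RUSTSEC-2026-0049 silences it for the ring-backend copy of rustls-webpki too, and a later regression of that copy would go unreported. I would state that in the added comment, e.g. `# Advisory-wide ignore: this also hides the finding for the ring-backend copy; check with cargo tree -i rustls-webpki that it stays on the fixed release.` The `ignore = [` array this hunk extends opens above the hunk.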