build(deps): update boring requirement from 4.15.7 to 4.15.8 (#468)

0x676e67 · web-flow · commit 3488f17e9019 · 2025-02-24T11:56:43.000+08:00
See sfackler/rust-openssl#2360 and https://nvd.nist.gov/vuln/detail/CVE-2025-24898. From the rust-openssl PR: > `SSL_select_next_proto` can return a pointer into either the client or server buffers, but the type signature of the function previously only bound the output buffer to the client buffer. This can result in a UAF in situations where the server slice does not point to a long-lived allocation. Thanks to Matt Mastracci for reporting this issue.
diff --git a/Cargo.toml b/Cargo.toml
@@ -114,8 +114,8 @@ ipnet = "2.11.0"
 arc-swap = "1.7.0"
 
 ## boring-tls
-boring2 = { version = "4.15.7", features = ["pq-experimental", "cert-compression"] }
-tokio-boring2 = { version = "4.15.7", features = ["pq-experimental"] }
+boring2 = { version = "4.15.8", features = ["pq-experimental", "cert-compression"] }
+tokio-boring2 = { version = "4.15.8", features = ["pq-experimental"] }
 linked_hash_set = "0.1"
 
 # Optional deps...
