Update Rust crate ring to 0.17.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ring	dependencies	minor	0.13.5 → 0.17.12

GitHub Vulnerability Alerts

CVE-2025-4432

ring::aead::quic::HeaderProtectionKey::new_mask() may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.

On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM} may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.

---

Release Notes

briansmith/ring (ring)

v0.17.12

============================
Bug fix: #​2447 for denial of service (DoS).

• Fixes a panic in ring::aead::quic::HeaderProtectionKey::new_mask() when
  integer overflow checking is enabled. In the QUIC protocol, an attacker can
  induce this panic by sending a specially-crafted packet. Even unintentionally
  it is likely to occur in 1 out of every 2**32 packets sent and/or received.

• Fixes a panic on 64-bit targets in ring::aead::{AES_128_GCM, AES_256_GCM}
  when overflow checking is enabled, when encrypting/decrypting approximately
  68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols
  like TLS and SSH are not affected by this because those protocols break large
  amounts of data into small chunks. Similarly, most applications will not
  attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but
RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml
profile can override this. Overflow checking is usually enabled by default in
debug mode.

v0.17.1

============================
Support for aarch64-*-linux-uclibc targets was removed, as there do not seem to
be any such targets.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.