Bump regex to fix CVE-2022-24713

[msirringhaus]

CVE-2022-24713

regex is an implementation of regular expressions for the Rust language. The
regex crate features built-in mitigations to prevent denial of service attacks
caused by untrusted regexes, or untrusted input matched by trusted regexes.
Those (tunable) mitigations already provide sane defaults to prevent attacks.
This guarantee is documented and it's considered part of the crate's API.
Unfortunately a bug was discovered in the mitigations designed to prevent
untrusted regexes to take an arbitrary amount of time during parsing, and it's
possible to craft regexes that bypass such mitigations. This makes it possible
to perform denial of service attacks by sending specially crafted regexes to
services accepting user-controlled, untrusted regexes. All versions of the regex
crate before or equal to 1.5.4 are affected by this issue. The fix is include
starting from regex 1.5.5. All users accepting user-controlled regexes are
recommended to upgrade immediately to the latest version of the regex crate.
Unfortunately there is no fixed set of problematic regexes, as there are
practically infinite regexes that could be crafted to exploit this
vulnerability. Because of this, it us not recommend to deny known problematic
regexes.

Upstream commit:
rust-lang/regex@ae70b41

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24713
GHSA-m5pq-gvj9-9vr8
rust-lang/regex@ae70b41
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw

[dandavison]

Thanks!

[msirringhaus]

Will you be cutting a new dot-release for this? We want to fix the CVE on openSUSE, so we either wait if you plan to, or we need to patch it ourselves.