Description
Name: rust-openssl
CVEs: CVE-2025-0977
CVSSs: n/a
Action Needed: update to >= 0.10.70
Summary: In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers. In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback.
See also https://rustsec.org/advisories/RUSTSEC-2025-0004.html.
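The lifetime bug above is easier to see with the selection logic written out. The following is an added example, not code from the openssl crate or from Flatcar: it re-implements in safe Rust the ALPN protocol-list matching that the crate's ssl::select_next_proto performs via SSL_select_next_proto (the first protocol in the server's preference list that also appears in the client's list, returned as a sub-slice of the server buffer), using the corrected >= 0.10.70 signature, and shows why that signature rejects the affected usage at compile time. The static SERVER_PROTOS list, the alpn_select function standing in for the set_alpn_select_callback closure, and the constructed client lists are assumptions for this example.

```rust
// Added illustration for CVE-2025-0977 / RUSTSEC-2025-0004. This is NOT the
// openssl crate's code: it re-implements the ALPN selection logic of
// SSL_select_next_proto in safe Rust so the lifetime issue can be shown
// without the crate or libssl present.

/// Iterate a wire-format ALPN protocol list: a sequence of
/// (1-byte length, bytes) entries. A zero length or a length running past
/// the end of the buffer terminates iteration, as a length-prefixed parser
/// would. Each protocol is returned as a sub-slice of `list`.
fn protocols<'a>(list: &'a [u8]) -> impl Iterator<Item = &'a [u8]> + 'a {
    let mut rest = list;
    std::iter::from_fn(move || {
        let (&len, tail) = rest.split_first()?;
        let len = len as usize;
        if len == 0 || len > tail.len() {
            return None;
        }
        let (proto, tail) = tail.split_at(len);
        rest = tail;
        Some(proto)
    })
}

/// Standard ALPN selection: the first protocol in `server` (server
/// preference order) that also appears in `client`. The result is a
/// sub-slice of `server`, so, like openssl >= 0.10.70, the signature ties the
/// output lifetime to BOTH inputs ('a). The pre-0.10.70 signature was
/// `fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]>`,
/// which let a slice into `server` outlive `server`.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    protocols(server).find(|s| protocols(client).any(|c| c == *s))
}

/// Assumed server preference list that outlives every handshake. Keeping the
/// list outside the callback (static, or owned by the closure passed to the
/// SslContextBuilder) is the usage the advisory describes as unaffected.
pub static SERVER_PROTOS: &[u8] = b"\x02h2\x08http/1.1";

/// Stand-in for the closure given to SslContextBuilder::set_alpn_select_callback
/// (Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError>), without the
/// SslRef and with () as the error type for this stand-alone example.
pub fn alpn_select<'a>(client: &'a [u8]) -> Result<&'a [u8], ()> {
    select_next_proto(SERVER_PROTOS, client).ok_or(())
}

// The affected pattern: building the server list inside the callback.
// With the corrected signature the borrow checker rejects it, because the
// returned slice borrows `prefs`, which is dropped when the function returns:
//
//     pub fn alpn_select_bad<'a>(client: &'a [u8]) -> Result<&'a [u8], ()> {
//         let prefs: Vec<u8> = b"\x02h2".to_vec();
//         select_next_proto(&prefs, client).ok_or(())
//         // error[E0515]: cannot return value referencing local variable `prefs`
//     }
//
// With the old signature the same code compiled, and the slice handed back to
// the TLS stack pointed into freed memory: the use after free in the advisory.

/// True when `proto` lies inside `buf` (address-range check); used to show
/// which input buffer the selected protocol actually borrows from.
pub fn borrows_from(proto: &[u8], buf: &[u8]) -> bool {
    let start = buf.as_ptr() as usize;
    let p = proto.as_ptr() as usize;
    p >= start && p + proto.len() <= start + buf.len()
}

fn main() {
    // Constructed client list, as a client would send it in the ALPN extension.
    let client = b"\x08http/1.1\x02h2";
    let chosen = alpn_select(client).expect("overlap");
    // Server preference order wins, so h2 is chosen although the client listed
    // http/1.1 first; the result borrows from SERVER_PROTOS, not from `client`.
    println!("negotiated {}", std::str::from_utf8(chosen).unwrap());
    assert!(borrows_from(chosen, SERVER_PROTOS));
    assert!(!borrows_from(chosen, client));
    assert!(alpn_select(b"\x03foo").is_err());
}
```

The check that matters for the Flatcar use cases is the shape of the callback: if the server list is a static or is captured by the closure, the pre-0.10.70 code was already safe and the update is precautionary; only a list built inside the callback body produced the dangling slice.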
Use cases in Flatcar:
- afterburn (PR overlay afterburn: update rust-openssl to 0.10.70 scripts#2721)
- ue-rs: the issue is already fixed upstream; the changes still need to be pulled into flatcar/scripts (PR overlay coreos-base: update ue-rs 2025-02-04 scripts#2665)
refmap.gentoo: TBD