RUSTSEC-2024-0336: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

[github-actions]

rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input

Details
Package	rustls
Version	0.20.9
URL	GHSA-6g7w-8wpp-frhj
Date	2024-04-19
Patched versions	>=0.23.5,>=0.22.4, <0.23.0,>=0.21.11, <0.22.0

If a close_notify alert is received during a handshake, complete_io
does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io
and are not affected.

rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.

See advisory page for additional details.

[tnull]

So the good news is that our production code isn't affected by this as we use async reqwest which uses rustls-tokio.

However, our tests rely on an unpatched version as we're currently stuck on an old electrum-client version (0.15.1), since everything above relies on rust-bitcoin 0.31. So fixing this is really blocked until LDK upgrades to 0.31.

[tnull]

This should have been addressed by #358, as part of which we were able to upgrade the electrum-client.