Bump openssl to 0.10.78 (4 CVEs)

[bddap-bot]

Summary

Bumps transitive openssl crate 0.10.48 -> 0.10.78 via cargo update -p openssl --precise 0.10.78. Patches four high-severity advisories in rust-openssl:

• GHSA-pqf5-4pqq-29f5 (CVE-2026-41676) — Deriver::derive / PkeyCtxRef::derive buffer overflow
• GHSA-8c75-8mhr-p7r9 (CVE-2026-41678) — aes::unwrap_key inverted bounds check
• GHSA-hppc-g8h3-xhp3 — PSK / cookie FFI callback length validation
• GHSA-ghm9-cr32-g9qj (CVE-2026-41681) — MdCtxRef::digest_final stack overflow

All fixed in 0.10.78.

Note

Repo does not compile on modern rustc — traitobject hits E0119 (orphan-impl change). This is pre-existing, independent of the openssl bump, and reproducible on master before the change. Lockfile bump is correct regardless; verification will need an older rustc pinned via rust-toolchain.

Test plan

• cargo update -p openssl --precise 0.10.78 succeeds
• Build (blocked on pre-existing traitobject / rustc incompatibility)

Generated by Claude Code (harness) with model claude-opus-4-7.

[bddap-bot]

Smoke-test attempt failed — transitive dep pin conflict makes any rustc pick impossible:

• maidsafe_utilities pins url = "~1.5.1" (tilde, 1.5.x only).
• url 1.5.1 hits E0713 (NLL drop tightening) on rustc ≥ 1.63.
• openssl-sys 0.9.114 (required by openssl 0.10.78) needs rustc ≥ 1.70.

No single rustc satisfies both. Tried 1.55, 1.60, 1.70, 1.78.

Unblocking would need patching url 1.5.1 (e.g. [patch.crates-io] or forcibly bumping maidsafe_utilities) — out of scope for a security bump. Lockfile change remains correct.

[bddap]

too much effort, archiving repo