Bump the cargo group across 2 directories with 2 updates

[dependabot]

Bumps the cargo group with 1 update in the / directory: actix-http.
Bumps the cargo group with 1 update in the /link/sdks/python directory: rustls-webpki.

Updates actix-http from 3.12.0 to 3.12.1

Release notes

Sourced from actix-http's releases.

actix-http: v3.12.1

Notice: This release contains a security fix. Users are encouraged to update to this version ASAP.

• SECURITY: Reject HTTP/1 requests with ambiguous request framing from Content-Length and Transfer-Encoding headers to prevent request smuggling.
• Encode the HTTP/1 Connection: Upgrade header in Camel-Case when camel-case header formatting is enabled.#3953
• Fix HeaderMap iterators' len() and size_hint() implementations for multi-value headers.
• Update rand dependency to 0.10.
• Update sha1 dependency to 0.11.

#3953: actix/actix-web#3953

Commits

• 0fb8945 chore(http): prepare v3.12.1 (#4029)
• 3c056bd Merge commit from fork
• e6d0991 chore(multipart,derive): prepare 0.8.0 (#4027)
• 4434a49 fix(multipart): count ignored fields towards MultipartFormConfig li… (#4026)
• be62050 fix(multipart): set cap for parser buffering (#4025)
• be4566d fix(multipart): do not parse with fixed index not to panic (#4024)
• 6d2c2f4 chore(http): upgrade sha1 to 0.11 (#4022)
• 253cd4f chore: address new advisories (#4023)
• e766ca6 chore: upgrade rand to 0.10.1 (#4021)
• d747959 build(deps): bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.16 (#4018)
• Additional commits viewable in compare view

Updates rustls-webpki from 0.103.11 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

• Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
• For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

• Actually fail closed for URI matching against excluded subtrees by @​djc in rustls/webpki#473
• Prepare 0.103.13 by @​ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

• GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
• GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

• Prepare 0.103.12 by @​djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

Commits

• 2879b2c Prepare 0.103.13
• 2c49773 Improve tests for padding of BitStringFlags
• 4e3c0b3 Correct validation of BIT STRING constraints
• 39c91d2 Actually fail closed for URI matching against excluded subtrees
• 27131d4 Bump version to 0.103.12
• 6ecb876 Clean up stuttery enum variant names
• 318b3e6 Ignore wildcard labels when matching name constraints
• 1219622 Rewrite constraint matching to avoid permissive catch-all branch
• See full diff in compare view

Updates rustls-webpki from 0.103.11 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

• Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
• For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

• Actually fail closed for URI matching against excluded subtrees by @​djc in rustls/webpki#473
• Prepare 0.103.13 by @​ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

• GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
• GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

• Prepare 0.103.12 by @​djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

Commits

• 2879b2c Prepare 0.103.13
• 2c49773 Improve tests for padding of BitStringFlags
• 4e3c0b3 Correct validation of BIT STRING constraints
• 39c91d2 Actually fail closed for URI matching against excluded subtrees
• 27131d4 Bump version to 0.103.12
• 6ecb876 Clean up stuttery enum variant names
• 318b3e6 Ignore wildcard labels when matching name constraints
• 1219622 Rewrite constraint matching to avoid permissive catch-all branch
• See full diff in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.