fix: batch simple dependency bumps#228

Merged
lfarrel6 merged 1 commit into main from COM-215/batch-dependency-bumps on May 29, 2026

Conversation

@evervault-dependencies
Contributor

Linear issue: COM-215

Batch of 3 simple dependency bumps to remediate Dependabot HIGH-severity advisories against the openssl crate. All three CVEs are fixed by the same patch-level bump: openssl 0.10.72 → 0.10.78 (and matching openssl-sys 0.9.108 → 0.9.116). No source changes are required — evervault-cli does not call any openssl API directly.

Highest Severity: HIGH
Earliest SLA Deadline: 2026-06-04T09:36:28.113Z

Changes

  • crates/ev-cli/Cargo.toml: bump openssl from 0.10.72 to 0.10.78 (vendored feature unchanged)
  • Cargo.lock: refresh openssl to 0.10.78, openssl-sys to 0.9.116

CVEs addressed

1. CVE-2026-41681: MdCtxRef::digest_final() OOB write

  • Severity: HIGH | CVSS: 0
  • SLA Deadline: 2026-06-04T09:36:28.113Z
  • Affected: rust-openssl >= 0.10.39, < 0.10.78 → Fixed in 0.10.78
  • Summary: MdCtxRef::digest_final() unconditionally writes EVP_MD_CTX_size(ctx) bytes into the caller's output buffer with no length check, causing an OOB write reachable from safe Rust.
  • Dependabot Alert: https://github.com/evervault/evervault-cli/security/dependabot/48
  • Advisory: GHSA-ghm9-cr32-g9qj

2. CVE-2026-41678: aes::unwrap_key() OOB write

  • Severity: HIGH | CVSS: 0
  • SLA Deadline: 2026-06-04T09:36:28.113Z
  • Affected: rust-openssl >= 0.10.24, < 0.10.78 → Fixed in 0.10.78
  • Summary: Inverted bounds assertion in openssl::aes::unwrap_key() (out.len() + 8 <= in_.len() reversed from intended out.len() >= in_.len() - 8) allows an OOB write past the end of the output buffer from a safe public function.
  • Dependabot Alert: https://github.com/evervault/evervault-cli/security/dependabot/50
  • Advisory: GHSA-8c75-8mhr-p7r9

3. CVE-2026-41676: Deriver::derive heap/stack overflow

  • Severity: HIGH | CVSS: 0
  • SLA Deadline: 2026-06-04T09:36:28.113Z
  • Affected: rust-openssl >= 0.9.27, < 0.10.78 → Fixed in 0.10.78
  • Summary: Deriver::derive and PkeyCtxRef::derive pass an in/out length that OpenSSL 1.1.x X25519/X448/DH/HKDF-extract implementations ignore, unconditionally writing the full shared secret and causing a heap/stack overflow from safe Rust. OpenSSL 3.x is not affected.
  • Dependabot Alert: https://github.com/evervault/evervault-cli/security/dependabot/52
  • Advisory: GHSA-pqf5-4pqq-29f5

Exposure assessment

A repo-wide grep for openssl/MessageDigest/Hasher/digest_final/EVP_/Deriver/PkeyCtx/unwrap_key against *.rs returns zero matches — no Rust file in the workspace calls any openssl API directly. The direct dependency in crates/ev-cli/Cargo.toml exists only to toggle the vendored feature for transitive consumers (aws-nitro-enclaves-cose, aws-nitro-enclaves-image-format, native-tls), none of which exercise the vulnerable APIs. Practical exploitability is very low, but Dependabot flags all three as HIGH severity and the SLA must be met.

Validation

  • openssl 0.10.78 and openssl-sys 0.9.116 are now the sole resolved versions in Cargo.lock.
  • Patch-level bump within the same minor; no source changes required.
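Added here as an illustration, not code from the PR or the evervault-cli repository: a small Python audit that checks a Cargo.lock for the openssl / openssl-sys minimums this PR lands (0.10.78 and 0.9.116) and also flags the case the "sole resolved versions" validation step guards against, a lockfile that still resolves a second, older copy of a crate. The lockfile fragments are constructed for the example.

```python
import re
# Minimum fixed versions named in the PR description.
FIXED_VERSIONS = {"openssl": (0, 10, 78), "openssl-sys": (0, 9, 116)}

# Constructed Cargo.lock fragment with the pre-bump versions (not the repo's real lockfile).
BEFORE_LOCK = """\
version = 4

[[package]]
name = "openssl"
version = "0.10.72"

[[package]]
name = "openssl-sys"
version = "0.9.108"
"""
AFTER_LOCK = BEFORE_LOCK.replace("0.10.72", "0.10.78").replace("0.9.108", "0.9.116")

def parse_version(v: str) -> tuple[int, ...]:
    """'0.10.72' -> (0, 10, 72); any pre-release or build suffix is ignored."""
    return tuple(int(p) for p in re.split(r"[.+-]", v)[:3])

def resolved_versions(lock_text: str) -> dict[str, list[str]]:
    """Map each crate to every version the lockfile resolves for it (Cargo may keep several)."""
    found: dict[str, list[str]] = {}
    name = version = None
    for line in lock_text.splitlines() + ["[[package]]"]:  # sentinel flushes the last block
        line = line.strip()
        if line == "[[package]]":
            if name and version:
                found.setdefault(name, []).append(version)
            name = version = None
        elif m := re.match(r'name = "([^"]+)"$', line):
            name = m.group(1)
        elif m := re.match(r'version = "([^"]+)"$', line):  # unquoted lockfile 'version = 4' is skipped
            version = m.group(1)
    return found

def audit(lock_text: str) -> list[str]:
    """Findings for crates below the fixed version or resolved more than once; [] means clean."""
    findings = []
    versions = resolved_versions(lock_text)
    for crate, minimum in FIXED_VERSIONS.items():
        seen = versions.get(crate, [])
        if len(seen) > 1:
            findings.append(f"{crate}: multiple resolved versions {seen}")
        for v in seen:
            if parse_version(v) < minimum:
                findings.append(f"{crate} {v} is below fixed version {'.'.join(map(str, minimum))}")
    return findings
```

Running `audit` over the real Cargo.lock in CI turns the Validation bullet into an automated gate rather than a manual check.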

@lfarrel6 lfarrel6 merged commit 8a3e814 into main May 29, 2026
3 checks passed
@lfarrel6 lfarrel6 deleted the COM-215/batch-dependency-bumps branch May 29, 2026 18:38