v2.1: build(deps): bump rustls from 0.23.17 to 0.23.18 (backport of #3772)

[mergify]

Bumps rustls from 0.23.17 to 0.23.18.

Commits

• 33af2c3 Prepare 0.23.18
• ffe646d Add reproducer for bug 2227
• 69b6f74 Record and restore the processed cursor in first_handshake_message
• 4ef3532 Upgrade to mio 1
• 092a164 Manage dependencies via the workspace
• a01bd6b rustls-bench: fix warnings with no features
• 7d74de2 tests: linearize new test code helper
• 499d797 fix: do not send session_ticket(35) extension for TLS 1.3
• faca289 chore(deps): lock file maintenance
• d12f423 fix(deps): update rust crate asn1 to 0.20
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

This is an automatic backport of pull request #3772 done by [Mergify](https://mergify.com).

[mergify]

Cherry-pick of 92ffcab has failed:

On branch mergify/bp/v2.1/pr-3772
Your branch is up to date with 'origin/v2.1'.

You are currently cherry-picking commit 92ffcabea9.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   Cargo.lock
	modified:   programs/sbf/Cargo.lock

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	both modified:   Cargo.toml
	deleted by us:   svm/examples/Cargo.lock

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

[willhickey]

We either need to bump this version or ignore https://rustsec.org/advisories/RUSTSEC-2024-0399

[bw-solana]

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.

I don't believe we use any of the affected APIs.

For stable branches, we generally like to keep dependencies static, so I propose adding the ignore. We can bump version in master.