cargo audit multiple findings #1808

Closed
ghost opened this issue Mar 23, 2022 · 1 comment
Comments

@ghost

ghost commented Mar 23, 2022

Is it possible to get these fixed in an upcoming version, please?
Using the default settings for cargo audit, the following are returned (output truncated for brevity). A cargo update on next did not seem to help resolve these.

On next:

Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree:
chrono 0.4.19
├── tera 1.15.0
│   └── libs 0.1.0
│       ├── zola 0.16.0
│       ├── utils 0.1.0
│       │   ├── zola 0.16.0
│       │   ├── templates 0.1.0
│       │   │   ├── site 0.1.0
│       │   │   │   └── zola 0.16.0
│       │   │   └── rendering 0.1.0
│       │   │       ├── templates 0.1.0
│       │   │       └── library 0.1.0
│       │   │           ├── templates 0.1.0
│       │   │           ├── site 0.1.0
│       │   │           └── search 0.1.0
│       │   │               ├── zola 0.16.0
│       │   │               └── site 0.1.0
│       │   ├── site 0.1.0
│       │   ├── rendering 0.1.0
│       │   ├── link_checker 0.1.0
│       │   │   ├── site 0.1.0
│       │   │   └── rendering 0.1.0
│       │   ├── library 0.1.0
│       │   ├── imageproc 0.1.0
│       │   │   ├── templates 0.1.0
│       │   │   └── site 0.1.0
│       │   ├── front_matter 0.1.0
│       │   │   ├── zola 0.16.0
│       │   │   ├── site 0.1.0
│       │   │   ├── rendering 0.1.0
│       │   │   └── library 0.1.0
│       │   └── config 0.1.0
│       │       ├── templates 0.1.0
│       │       ├── site 0.1.0
│       │       ├── search 0.1.0
│       │       ├── rendering 0.1.0
│       │       ├── link_checker 0.1.0
│       │       ├── library 0.1.0
│       │       └── imageproc 0.1.0
│       ├── templates 0.1.0
│       ├── site 0.1.0
│       ├── search 0.1.0
│       ├── rendering 0.1.0
│       ├── link_checker 0.1.0
│       ├── library 0.1.0
│       ├── imageproc 0.1.0
│       ├── front_matter 0.1.0
│       ├── errors 0.1.0
│       │   ├── zola 0.16.0
│       │   ├── utils 0.1.0
│       │   ├── templates 0.1.0
│       │   ├── site 0.1.0
│       │   ├── search 0.1.0
│       │   ├── rendering 0.1.0
│       │   ├── link_checker 0.1.0
│       │   ├── library 0.1.0
│       │   ├── imageproc 0.1.0
│       │   ├── front_matter 0.1.0
│       │   └── config 0.1.0
│       └── config 0.1.0
└── chrono-tz 0.6.1
    └── tera 1.15.0

Crate:         time
Version:       0.1.43
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:         ws
Version:       0.9.2
Title:         Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
Date:          2020-09-25
ID:            RUSTSEC-2020-0043
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0043
Solution:      No safe upgrade is available!
Dependency tree:
ws 0.9.2
└── zola 0.16.0

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37
├── miow 0.2.2
└── mio 0.6.23

error: 3 vulnerabilities found!
warning: 1 allowed warning found

On master:

Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
...

Crate:         regex
Version:       1.5.4
Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:          2022-03-08
ID:            RUSTSEC-2022-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:      Upgrade to >=1.5.5
...

Crate:         thread_local
Version:       1.1.3
Title:         Data race in `Iter` and `IterMut`
Date:          2022-01-23
ID:            RUSTSEC-2022-0006
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:      Upgrade to >=1.1.4
...

Crate:         time
Version:       0.1.43
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
...

Crate:         ws
Version:       0.9.1
Title:         Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
Date:          2020-09-25
ID:            RUSTSEC-2020-0043
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0043
Solution:      No safe upgrade is available!
...

Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
Date:          2020-12-20
ID:            RUSTSEC-2020-0095
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0095
...

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
...

Crate:         crossbeam-channel
Version:       0.5.2
Warning:       yanked
...

Crate:         crossbeam-utils
Version:       0.8.6
Warning:       yanked
...

Crate:         socket2
Version:       0.4.3
Warning:       yanked
...

error: 5 vulnerabilities found!
warning: 5 allowed warnings found
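The advisory blocks above all share one "Key:   value" layout, so the report can be triaged mechanically. The following is an added example, not code from the issue or from zola: it parses that text format and buckets each finding by whether a version bump fixes it, whether no safe upgrade exists, or whether it is only an advisory warning (unmaintained/yanked). The sample report is constructed from three of the findings shown above, shortened.

```python
import re

# Constructed sample in the text format cargo audit printed in the issue above
# (three of its findings, shortened; the tree rows show non-field lines are skipped).
SAMPLE_REPORT = """\
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
ID:            RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree:
chrono 0.4.19

Crate:         time
Version:       0.1.43
ID:            RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
ID:            RUSTSEC-2020-0016

error: 2 vulnerabilities found!
"""

FIELD_RE = re.compile(r"^(Crate|Version|Warning|Title|Date|ID|URL|Solution):\s*(.*)$")

def parse_findings(text):
    # One dict per "Crate:" block; tree rows and summary lines never match FIELD_RE.
    findings = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Crate":
            findings.append({"Crate": m.group(2).strip()})
        elif m and findings:
            findings[-1][m.group(1)] = m.group(2).strip()
    return findings

def triage(findings):
    # Bucket by remediation status: fixable by a bump, no safe upgrade, or warning only.
    buckets = {"fixable": {}, "no_fix": [], "warning": {}}
    for f in findings:
        if "Warning" in f:                                  # unmaintained / yanked
            buckets["warning"][f["Crate"]] = f["Warning"]
        elif f.get("Solution", "").startswith("Upgrade to"):
            buckets["fixable"][f["Crate"]] = f["Solution"][len("Upgrade to"):].strip()
        else:                                               # "No safe upgrade is available!"
            buckets["no_fix"].append(f["ID"])
    return buckets
```

The "no_fix" bucket is the one that needs a maintainer decision (replace the crate or accept the advisory); the "fixable" bucket is what `cargo update` can address.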
@Keats
Collaborator

Keats commented Mar 23, 2022

chrono has been removed from zola but will stay unless there's a crate that can do strftime formatting for time.

ws is listed in #1729 (comment) to be replaced as it's not maintained anymore.

The rest seem to be sub-dependencies; some of our dependencies are not maintained anymore, but for the rest we try to keep to the most recent versions. I can't guarantee it's the same for third-party dependencies.

TL;DR: some of it will be fixed, some won't.

@Keats Keats closed this as completed Mar 23, 2022