RUSTSEC-2020-0146: arr! macro erases lifetimes

[github-actions]

arr! macro erases lifetimes

Details
Package	generic-array
Version	0.12.3
URL	fizyk20/generic-array#98
Date	2020-04-09
Patched versions	>=0.14.0
Unaffected versions	<0.8.0

Affected versions of this crate allowed unsoundly extending
lifetimes using arr! macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.

See advisory page for additional details.

[rajivshah3]

cargo tree -i generic-array:0.12.4 shows that a vulnerable version of generic-array is still present:

generic-array v0.12.4
├── block-buffer v0.7.3
│   └── sha2 v0.8.2
│       └── libsecp256k1 v0.3.5
│           └── libp2p-core v0.27.1
│               ├── libp2p v0.35.1
│               │   └── bee-network v0.1.0-alpha (https://github.com/iotaledger/bee.git?rev=acab07e4bcff947c70cde312789a2ef2977c652b#acab07e4)
│               │       ├── bee-protocol v0.1.0-alpha (https://github.com/iotaledger/bee.git?rev=acab07e4bcff947c70cde312789a2ef2977c652b#acab07e4)
│               │       │   └── bee-rest-api v0.1.0-alpha (https://github.com/iotaledger/bee.git?rev=acab07e4bcff947c70cde312789a2ef2977c652b#acab07e4)
│               │       │       └── iota-client v0.5.0-alpha.3 (https://github.com/iotaledger/iota.rs?rev=be869fc47117f996cf040c8466ba4023d70cacfa#be869fc4)
│               │       │           └── iota-core v0.2.0-alpha.3 (https://github.com/iotaledger/iota.rs?rev=be869fc47117f996cf040c8466ba4023d70cacfa#be869fc4)
│               │       │               └── iota-wallet v0.1.0 (/Users/rajiv/wallet.rs)
│               │       └── bee-rest-api v0.1.0-alpha (https://github.com/iotaledger/bee.git?rev=acab07e4bcff947c70cde312789a2ef2977c652b#acab07e4) (*)
│               ├── libp2p-dns v0.27.0
│               │   └── libp2p v0.35.1 (*)
│               ├── libp2p-identify v0.27.0
│               │   └── libp2p v0.35.1 (*)
│               ├── libp2p-mplex v0.27.1
│               │   └── libp2p v0.35.1 (*)
│               ├── libp2p-noise v0.29.0
│               │   └── libp2p v0.35.1 (*)
│               ├── libp2p-swarm v0.27.2
│               │   ├── libp2p v0.35.1 (*)
│               │   └── libp2p-identify v0.27.0 (*)
│               ├── libp2p-tcp v0.27.1
│               │   └── libp2p v0.35.1 (*)
│               └── libp2p-yamux v0.30.1
│                   └── libp2p v0.35.1 (*)
├── crypto-mac v0.7.0
│   └── hmac v0.7.1
│       └── hmac-drbg v0.2.0
│           └── libsecp256k1 v0.3.5 (*)
├── digest v0.8.1
│   ├── hmac v0.7.1 (*)
│   ├── hmac-drbg v0.2.0 (*)
│   ├── libsecp256k1 v0.3.5 (*)
│   └── sha2 v0.8.2 (*)
└── hmac-drbg v0.2.0 (*)

One of the vulnerable paths should be resolved by libp2p/rust-libp2p#1980

[rajivshah3]

Whoops, according to https://rustsec.org/advisories/RUSTSEC-2020-0146.html 0.12.4 is not vulnerable