Update http crate to fix security vulnerability #7725
Codecov Report

@@            Coverage Diff            @@
##           master    #7725     +/-   ##
========================================
- Coverage    81.8%    81.8%   -0.1%
========================================
  Files         241      238      -3
  Lines       50496    50469     -27
========================================
- Hits        41326    41288     -38
- Misses       9170     9181     +11
LGTM! @jstarry I'm very glad for your quick and well-informed response to the new security advisory incident!
@@ -1427,7 +1427,7 @@ dependencies = [ | |||
|
|||
[[package]] | |||
name = "http" | |||
version = "0.1.18" | |||
version = "0.1.21" |
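Review bot: bumping only the `version` line of the `http` block in Cargo.lock is not sufficient on its own: the lockfile also records a checksum for the pinned release, so the checksum entry for http 0.1.18 must be replaced by the one for 0.1.21 in the same change or `cargo build --locked` will reject the lockfile, and the `http` requirement in Cargo.toml (or in whichever crates pull http in transitively) has to admit 0.1.21 for the resolver to keep this pin. Worth confirming too that 0.1.18 was the only http version pinned; a lockfile can carry several versions of one crate and each would need the same treatment.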
I double-checked that this new version is actually not vulnerable anymore: hyperium/http@v0.1.18...v0.1.21
* Update http to fix security vulnerability
* Ignore RUSTSEC because they incorrectly say http 0.1.21 is vulnerable

(cherry picked from commit 719785a)

# Conflicts:
#	Cargo.lock
#	ci/test-checks.sh

* Update http to fix security vulnerability
* Ignore RUSTSEC because they incorrectly say http 0.1.21 is vulnerable

(cherry picked from commit 719785a)

# Conflicts:
#	Cargo.lock
Problem

The http crate has a vulnerability: https://rustsec.org/advisories/RUSTSEC-2019-0033

CI: https://buildkite.com/solana-labs/solana/builds/17380#b9016fbc-60c3-4d70-b2df-cde028e642c6

Summary of Changes

Update the http crate to 0.1.21 to pick up this change: fix capacity overflows in HeaderMap::reserve (hyperium/http#360)
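The PR's whole effect is the pin in Cargo.lock moving from 0.1.18 to 0.1.21, and the commit message notes that the advisory database itself was briefly wrong about which version is fixed. A check that reads the lockfile directly and compares every pinned version of a crate against the release you have verified carries the fix does not depend on that database. The following is an added example, not Solana's CI script and not code from the http crate: it parses `[[package]]` blocks from Cargo.lock text, returns all versions pinned for a named crate, and reports whether any of them is below the fix floor. The two lockfile fragments, including the `hyper` and `bytes` entries, are constructed for the demo, and the check assumes the advisory has a single "fixed in" version (0.1.21, as this PR relies on) rather than per-major patched ranges.

```rust
// Added example, not code from solana or the http crate: audit a Cargo.lock
// for the resolved version(s) of one crate and compare them against the
// release that carries the fix. The lockfile text below is constructed.

/// Version triple parsed from a lockfile `version = "x.y.z"` line.
/// Field order makes the derived ordering lexicographic (major, minor, patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "0.1.21" into Version(0, 1, 21). Anything that is not a plain
    /// numeric triple (pre-release tags, extra components) is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version(major, minor, patch))
    }
}

/// Quoted value of a `key = "value"` lockfile line, if `line` has that key.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Every version of `crate_name` pinned in the lockfile. A lockfile may carry
/// several versions of one crate side by side, so all of them are returned.
pub fn locked_versions(lock: &str, crate_name: &str) -> Vec<Version> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    // A trailing sentinel header flushes the last [[package]] block.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let t = line.trim();
        if t.starts_with('[') {
            // New section: emit the block just finished if it is the crate we want.
            if name.as_deref() == Some(crate_name) {
                if let Some(v) = version {
                    out.push(v);
                }
            }
            name = None;
            version = None;
        } else if let Some(n) = value_of(t, "name") {
            name = Some(n.to_string());
        } else if let Some(v) = value_of(t, "version") {
            version = Version::parse(v);
        }
    }
    out
}

/// Outcome of checking one crate against the version that fixes an advisory.
#[derive(Debug, PartialEq, Eq)]
pub enum Audit {
    NotPresent,
    Vulnerable(Vec<Version>),
    Fixed,
}

/// Assumption: a single "fixed in" floor (0.1.21 for RUSTSEC-2019-0033 here);
/// advisories with per-major patched ranges need one floor per range.
pub fn audit(lock: &str, crate_name: &str, fixed_in: Version) -> Audit {
    let versions = locked_versions(lock, crate_name);
    if versions.is_empty() {
        return Audit::NotPresent;
    }
    let bad: Vec<Version> = versions.into_iter().filter(|v| *v < fixed_in).collect();
    if bad.is_empty() {
        Audit::Fixed
    } else {
        Audit::Vulnerable(bad)
    }
}

/// Constructed lockfile fragments: the http pin before and after this PR's bump.
pub const LOCK_BEFORE: &str = r#"
[[package]]
name = "http"
version = "0.1.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bytes 0.4.12 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "hyper"
version = "0.12.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

pub const LOCK_AFTER: &str = r#"
[[package]]
name = "http"
version = "0.1.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let fixed_in = Version(0, 1, 21);
    println!("before: {:?}", audit(LOCK_BEFORE, "http", fixed_in));
    println!("after:  {:?}", audit(LOCK_AFTER, "http", fixed_in));
}
```

Run against the real Cargo.lock, `audit` returns `Vulnerable` listing each pinned version below the floor, which is the condition a CI step would fail on; because the floor is supplied by the caller, the check keeps working while an advisory database lags or, as in this PR, over-reports a fixed release.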