Update rust crate lru

[mreynolds389]

Issue Description

A CVE was discovered in the Rust create lru that 389-ds-base was using.

CVE-2021-45720 389-ds-base: bundled lru: Use after free in lru crate

https://bugzilla.redhat.com/show_bug.cgi?id=2044430

[vashirov]

I'm doing builds for EPEL8 and I ran into problems with concread and lru crates:
>=concread-0.2.21 requires rust-1.56+ which is not available in el8.5 (will be in el8.6).
concread-0.2.20 has a dependency on the vulnerable version of lru.

So we either have a broken build or a vulnerable one.

I have a silly patch that changes edition in Cargo.toml for concread to 2018 and updates checksums. But I'm open to other suggestions.

[mreynolds389]

I'm doing builds for EPEL8 and I ran into problems with concread and lru crates: >=concread-0.2.21 requires rust-1.56+ which is not available in el8.5 (will be in el8.6). concread-0.2.20 has a dependency on the vulnerable version of lru.

So we either have a broken build or a vulnerable one.

We have to leave it vulnerable in EPEL I suspect, as it needs to be fixed in Fedora where the original CVE was found.

I have a silly patch that changes edition in Cargo.toml for concread to 2018 and updates checksums. But I'm open to other suggestions.

Not sure what else we can do besides wait for el8.6 (or el9?). I did see that we had pinned the version to 0.2.20, but I thought that was for RHEL, not EPEL. What is this patch you have, can we see it?

[vashirov]

Here's the patch: https://src.fedoraproject.org/rpms/389-ds-base/blob/stable/f/concread-use-2018-edition.patch
I'm fighting with MBS currently, there is a build in progress: https://release-engineering.github.io/mbs-ui/module/13724 So hopefully we can release a fixed version in EPEL.