SECURITY: please cut new release (actix-tls) #489

Closed
tessus opened this issue Aug 28, 2023 · 4 comments
Comments

@tessus

tessus commented Aug 28, 2023

Is it possible to create a new release?

The current release of actix-tls uses a webpki-roots version that still uses the vulnerable unmaintained webpki crate instead of rustls-webpki.

@robjtede
Member

robjtede commented Aug 28, 2023

actix-tls release was cut a few days ago https://github.com/actix/actix-net/releases/tag/tls-v3.1.0

Actix Web component of this work is ongoing.

@tessus
Author

tessus commented Aug 28, 2023

Oh, sorry, I missed that one.

@tessus
Author

tessus commented Aug 29, 2023

Oh no, something is still off:

├── actix-files v0.6.2
│   ├── actix-http v3.3.1
│   │   ├── actix-codec v0.5.1
│   │   │   ├── bitflags v1.3.2
│   │   │   ├── bytes v1.4.0
│   │   │   ├── futures-core v0.3.28
│   │   │   ├── futures-sink v0.3.28
│   │   │   ├── memchr v2.5.0
│   │   │   ├── pin-project-lite v0.2.13
│   │   │   ├── tokio v1.32.0
│   │   │   │   ├── bytes v1.4.0
│   │   │   │   ├── libc v0.2.147
│   │   │   │   ├── mio v0.8.8
│   │   │   │   │   ├── libc v0.2.147
│   │   │   │   │   └── log v0.4.20
│   │   │   │   ├── parking_lot v0.12.1
│   │   │   │   │   ├── lock_api v0.4.10
│   │   │   │   │   │   └── scopeguard v1.2.0
│   │   │   │   │   │   [build-dependencies]
│   │   │   │   │   │   └── autocfg v1.1.0
│   │   │   │   │   └── parking_lot_core v0.9.8
│   │   │   │   │       ├── cfg-if v1.0.0
│   │   │   │   │       ├── libc v0.2.147
│   │   │   │   │       └── smallvec v1.11.0
│   │   │   │   ├── pin-project-lite v0.2.13
│   │   │   │   ├── signal-hook-registry v1.4.1
│   │   │   │   │   └── libc v0.2.147
│   │   │   │   └── socket2 v0.5.3
│   │   │   │       └── libc v0.2.147
│   │   │   ├── tokio-util v0.7.8
│   │   │   │   ├── bytes v1.4.0
│   │   │   │   ├── futures-core v0.3.28
│   │   │   │   ├── futures-sink v0.3.28
│   │   │   │   ├── pin-project-lite v0.2.13
│   │   │   │   ├── tokio v1.32.0 (*)
│   │   │   │   └── tracing v0.1.37
│   │   │   │       ├── cfg-if v1.0.0
│   │   │   │       ├── log v0.4.20
│   │   │   │       ├── pin-project-lite v0.2.13
│   │   │   │       └── tracing-core v0.1.31
│   │   │   │           └── once_cell v1.18.0
│   │   │   └── tracing v0.1.37 (*)
│   │   ├── actix-rt v2.9.0
│   │   │   ├── actix-macros v0.2.4 (proc-macro)
│   │   │   │   ├── quote v1.0.33
│   │   │   │   │   └── proc-macro2 v1.0.66
│   │   │   │   │       └── unicode-ident v1.0.11
│   │   │   │   └── syn v2.0.29
│   │   │   │       ├── proc-macro2 v1.0.66 (*)
│   │   │   │       ├── quote v1.0.33 (*)
│   │   │   │       └── unicode-ident v1.0.11
│   │   │   ├── futures-core v0.3.28
│   │   │   └── tokio v1.32.0 (*)
│   │   ├── actix-service v2.0.2
│   │   │   ├── futures-core v0.3.28
│   │   │   ├── paste v1.0.14 (proc-macro)
│   │   │   └── pin-project-lite v0.2.13
│   │   ├── actix-tls v3.1.0
│   │   │   ├── actix-rt v2.9.0 (*)
│   │   │   ├── actix-service v2.0.2 (*)
│   │   │   ├── actix-utils v3.0.1
│   │   │   │   ├── local-waker v0.1.3
│   │   │   │   └── pin-project-lite v0.2.13
│   │   │   ├── futures-core v0.3.28
│   │   │   ├── http v0.2.9
│   │   │   │   ├── bytes v1.4.0
│   │   │   │   ├── fnv v1.0.7
│   │   │   │   └── itoa v1.0.9
│   │   │   ├── impl-more v0.1.6
│   │   │   ├── pin-project-lite v0.2.13
│   │   │   ├── tokio v1.32.0 (*)
│   │   │   ├── tokio-rustls v0.23.4
│   │   │   │   ├── rustls v0.20.8
│   │   │   │   │   ├── log v0.4.20
│   │   │   │   │   ├── ring v0.16.20
│   │   │   │   │   │   ├── spin v0.5.2
│   │   │   │   │   │   └── untrusted v0.7.1
│   │   │   │   │   │   [build-dependencies]
│   │   │   │   │   │   └── cc v1.0.83
│   │   │   │   │   │       ├── jobserver v0.1.26
│   │   │   │   │   │       │   └── libc v0.2.147
│   │   │   │   │   │       └── libc v0.2.147
│   │   │   │   │   ├── sct v0.7.0
│   │   │   │   │   │   ├── ring v0.16.20 (*)
│   │   │   │   │   │   └── untrusted v0.7.1
│   │   │   │   │   └── webpki v0.22.0
│   │   │   │   │       ├── ring v0.16.20 (*)
│   │   │   │   │       └── untrusted v0.7.1
│   │   │   │   ├── tokio v1.32.0 (*)
│   │   │   │   └── webpki v0.22.0 (*)
│   │   │   ├── tokio-util v0.7.8 (*)
│   │   │   ├── tracing v0.1.37 (*)
│   │   │   └── webpki-roots v0.22.6
│   │   │       └── webpki v0.22.0 (*)

As you can see, actix-tls v3.1.0 uses an old version of tokio-rustls, which uses a version of rustls that uses the unmaintained webpki.

Thus, after actix-tls has been updated to use the latest version of tokio-rustls, the actix crates actix-files and actix-http also need to be updated to use the new actix-tls, which then uses the proper tokio-rustls that uses a version of rustls that uses rustls-webpki.

Man, this is a dependency hell.

@robjtede
Member

robjtede commented Aug 29, 2023

All relevant crates now have a rustls-0_21 feature flag that needs to be enabled instead. All this work was done in a non-breaking way so small code changes are necessary to remove the old Rustls/webpki from your dep tree.
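As an added example (not code from actix-net or from anyone in this thread), a small Rust routine that parses `cargo tree` output and lists every dependency chain ending in a given crate, so the `webpki` paths walked through in the previous comment can be found mechanically and the effect of switching to the `rustls-0_21` feature can be confirmed the same way. The two trees embedded below are constructed: the first is trimmed from the posted excerpt, the second represents the post-switch state with placeholder versions.

```rust
/// Dependency tree constructed from the excerpt posted in the issue (trimmed).
const TREE_BEFORE: &str = "\
├── actix-files v0.6.2
│   ├── actix-http v3.3.1
│   │   ├── actix-tls v3.1.0
│   │   │   ├── tokio-rustls v0.23.4
│   │   │   │   ├── rustls v0.20.8
│   │   │   │   │   └── webpki v0.22.0
│   │   │   │   └── webpki v0.22.0 (*)
│   │   │   └── webpki-roots v0.22.6
│   │   │       └── webpki v0.22.0 (*)
";

/// Constructed tree for the rustls-0_21 state; versions are placeholders.
const TREE_AFTER: &str = "\
├── actix-tls v3.1.0
│   ├── tokio-rustls v0.24.0
│   │   └── rustls v0.21.0
│   │       └── rustls-webpki v0.101.0
";

/// Parse one `cargo tree` line into (depth, "name vX.Y.Z"). Each level is four
/// columns wide and the connector `── ` sits right before the crate name;
/// marker lines such as `[build-dependencies]` have no connector and are skipped.
fn parse_line(line: &str) -> Option<(usize, String)> {
    let idx = line.find("── ")?;
    let depth = line[..idx].chars().count() / 4;
    let mut tokens = line[idx + "── ".len()..].split_whitespace();
    let name = tokens.next()?;
    let version = tokens.next().unwrap_or("?");
    Some((depth, format!("{name} {version}")))
}

/// Every root-to-leaf chain ending in crate `target`, rendered as "a -> b -> c".
/// Lines marked `(*)` (already-printed subtrees) still count, so nothing hides.
fn paths_to(tree: &str, target: &str) -> Vec<String> {
    let mut stack: Vec<String> = Vec::new();
    let mut hits = Vec::new();
    for (depth, node) in tree.lines().filter_map(parse_line) {
        stack.truncate(depth); // back up to this node's parent
        let is_target = node.split(' ').next() == Some(target);
        stack.push(node);
        if is_target { hits.push(stack.join(" -> ")); }
    }
    hits
}

fn main() {
    println!("{:#?}", paths_to(TREE_BEFORE, "webpki"));
    println!("clean after: {}", paths_to(TREE_AFTER, "webpki").is_empty());
}
```

In a real project the input is simply `cargo tree` piped into a file; an empty result for `webpki` after enabling the feature flag is the check that the old crate is gone.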
