Skip to content
security-audit

build: 0.6.2 #581

Sign in to view logs

build: 0.6.2

build: 0.6.2 #581

GitHub Actions / Security audit failed Jun 29, 2023 in 0s

Security advisories found

2 advisory(ies), 4 unmaintained, 1 other

Details

Vulnerabilities

RUSTSEC-2023-0003

git2 does not verify SSH keys by default

Details
Package libgit2-sys
Version 0.14.1+1.5.0
URL GHSA-m4ch-rfv5-x5g3
Date 2023-01-20
Patched versions >=0.13.5, <0.14.0,>=0.14.2

The git2 and libgit2-sys crates are Rust wrappers around the
libgit2 C library. It was discovered that libgit2 1.5.0
and below did not verify SSH host keys when establishing an SSH connection,
exposing users of the library to Man-In-the-Middle attacks.

The libgit2 team assigned CVE-2023-22742 to this
vulnerability. The following versions of the libgit2-sys Rust crate have been
released:

  • libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1.
  • libgit2-sys 0.13.5, updating the underlying libgit2 C library to version 1.4.5.

A new git2 crate version has also been released, 0.16.1. This version only
bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions
are used, but contains no code changes: if you update the libgit2-sys version
there is no need to also update the git2 crate version.

You can learn more about this vulnerability in libgit2's advisory

RUSTSEC-2020-0071

Potential segfault in the time crate

Details
Package time
Version 0.1.45
URL time-rs/time#293
Date 2020-11-18
Patched versions >=0.2.23
Unaffected versions =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

  • at
  • at_utc
  • now

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

Workarounds

A possible workaround for crates affected through the transitive dependency in chrono, is to avoid using the default oldtime feature dependency of the chrono crate by disabling its default-features and manually specifying the required features instead.

Examples:

Cargo.toml:

chrono = { version = &quot;0.4&quot;, default-features = false, features = [&quot;serde&quot;] }
chrono = { version = &quot;0.4.22&quot;, default-features = false, features = [&quot;clock&quot;] }

Commandline:

cargo add chrono --no-default-features -F clock

Sources:

Warnings

RUSTSEC-2021-0060

aes-soft has been merged into the aes crate

Details
Status unmaintained
Package aes-soft
Version 0.6.4
URL RustCrypto/block-ciphers#200
Date 2021-04-29

Please use the aes crate going forward. The new repository location is at:

<https://github.com/RustCrypto/block-ciphers/tree/master/aes>

AES-NI is now autodetected at runtime on i686/x86-64 platforms.
If AES-NI is not present, the aes crate will fallback to a constant-time
portable software implementation.

To force the use of a constant-time portable implementation on these platforms,
even if AES-NI is available, use the new force-soft feature of the aes
crate to disable autodetection.

RUSTSEC-2021-0059

aesni has been merged into the aes crate

Details
Status unmaintained
Package aesni
Version 0.10.0
URL RustCrypto/block-ciphers#200
Date 2021-04-29

Please use the aes crate going forward. The new repository location is at:

<https://github.com/RustCrypto/block-ciphers/tree/master/aes>

AES-NI is now autodetected at runtime on i686/x86-64 platforms.
If AES-NI is not present, the aes crate will fallback to a constant-time
portable software implementation.

To prevent this fallback (and have absence of AES-NI result in an illegal
instruction crash instead), continue to pass the same RUSTFLAGS which were
previously required for the aesni crate to compile:

RUSTFLAGS=-Ctarget-feature=+aes,+ssse3

RUSTSEC-2021-0064

cpuid-bool has been renamed to cpufeatures

Details
Status unmaintained
Package cpuid-bool
Version 0.2.0
URL RustCrypto/utils#381
Date 2021-05-06

Please use the `cpufeatures`` crate going forward:

<https://github.com/RustCrypto/utils/tree/master/cpufeatures>

There will be no further releases of cpuid-bool.

RUSTSEC-2020-0056

stdweb is unmaintained

Details
Status unmaintained
Package stdweb
Version 0.4.20
URL koute/stdweb#403
Date 2020-05-04

The author of the stdweb crate is unresponsive.

Maintained alternatives:

View more details on GitHub Actions