build: 0.6.2 #581
Security advisories found
2 advisory(ies), 4 unmaintained, 1 other
Details
Vulnerabilities
RUSTSEC-2023-0003
git2 does not verify SSH keys by default
Details | |
---|---|
Package | libgit2-sys |
Version | 0.14.1+1.5.0 |
URL | GHSA-m4ch-rfv5-x5g3 |
Date | 2023-01-20 |
Patched versions | >=0.13.5, <0.14.0,>=0.14.2 |
The git2 and libgit2-sys crates are Rust wrappers around the libgit2 C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to man-in-the-middle attacks: a network attacker who can intercept the connection is able to impersonate the remote, serving altered repository contents to a fetch or receiving the data of a push.
The libgit2 team assigned CVE-2023-22742 to this
vulnerability. The following versions of the libgit2-sys Rust crate have been
released:
- libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1.
- libgit2-sys 0.13.5, updating the underlying libgit2 C library to version 1.4.5.
A new git2 crate version has also been released, 0.16.1. This version only
bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions
are used, but contains no code changes: if you update the libgit2-sys version
there is no need to also update the git2 crate version.
You can learn more about this vulnerability in libgit2's advisory
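The application-side defence, as an added example that is not part of the advisory, libgit2 or the git2 crate: a std-only helper that compares the host key a server presents with keys pinned in OpenSSH known_hosts format, failing closed on anything that does not match. It assumes you call it from git2's RemoteCallbacks::certificate_check callback (which receives the certificate and the host name; on recent git2 the raw key bytes are reachable through Cert::as_hostkey() and CertHostkey::hostkey(), check the docs of the version you use) and that the callback returns an error for every verdict other than Trusted. The host names, key bytes and known_hosts text below are constructed for the example, not real hosts or keys.

```rust
// Added example, not code from the RustSec advisory, libgit2 or the git2
// crate. Checks an SSH host key presented by a server against pinned
// entries in OpenSSH known_hosts format. Intended caller: an application's
// git2 certificate_check callback (assumed wiring, see the prose). The
// decision is a byte-for-byte comparison against a key you pinned in
// advance; anything else fails closed.

/// Base64 (standard alphabet, '=' padding): the encoding OpenSSH uses for
/// the key blob field of a known_hosts line.
fn base64_encode(data: &[u8]) -> String {
    const ALPHABET: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let b1 = *chunk.get(1).unwrap_or(&0);
        let b2 = *chunk.get(2).unwrap_or(&0);
        let n = (u32::from(chunk[0]) << 16) | (u32::from(b1) << 8) | u32::from(b2);
        out.push(ALPHABET[((n >> 18) & 63) as usize] as char);
        out.push(ALPHABET[((n >> 12) & 63) as usize] as char);
        out.push(if chunk.len() > 1 { ALPHABET[((n >> 6) & 63) as usize] as char } else { '=' });
        out.push(if chunk.len() > 2 { ALPHABET[(n & 63) as usize] as char } else { '=' });
    }
    out
}

/// Result of checking one presented key against the pinned list.
#[derive(Debug, PartialEq, Eq)]
pub enum HostKeyVerdict {
    /// A pinned key of the same type for this host matches byte for byte.
    Trusted,
    /// A key of this type is pinned for the host but differs: treat as an
    /// active man-in-the-middle (or a rotation to confirm out of band),
    /// never as a prompt to "just accept".
    Mismatch,
    /// Nothing pinned for this host and key type. Also fail closed.
    Unknown,
}

/// `raw_key` is the wire-format public key blob (the bytes OpenSSH base64
/// encodes); `key_type` is the SSH algorithm name such as "ssh-ed25519".
/// Only plain entries are handled: hashed hosts (`|1|...`), `@cert-authority`
/// and `@revoked` markers and wildcard patterns are skipped, which errs on
/// the side of rejecting.
pub fn check_host_key(known_hosts: &str, host: &str, key_type: &str, raw_key: &[u8]) -> HostKeyVerdict {
    let presented = base64_encode(raw_key);
    let mut pinned_other_key = false;
    for line in known_hosts.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with('@') || line.starts_with("|1|") {
            continue;
        }
        let mut fields = line.split_whitespace();
        let (hosts, kt, blob) = match (fields.next(), fields.next(), fields.next()) {
            (Some(h), Some(k), Some(b)) => (h, k, b),
            _ => continue, // malformed line: ignore rather than trust
        };
        // The host field is a comma-separated list of names/addresses;
        // require an exact match on one of them and on the key type.
        if !hosts.split(',').any(|h| h == host) || kt != key_type {
            continue;
        }
        if blob == presented {
            return HostKeyVerdict::Trusted;
        }
        pinned_other_key = true;
    }
    if pinned_other_key { HostKeyVerdict::Mismatch } else { HostKeyVerdict::Unknown }
}

/// Constructed sample data for a stand-alone run: an ssh-ed25519 key blob
/// (4-byte length, "ssh-ed25519", 4-byte length, 32 key bytes 0x01..0x20)
/// whose base64 form is pinned below for git.example.com. Not a real key.
pub fn sample_key() -> Vec<u8> {
    let mut blob = Vec::new();
    blob.extend_from_slice(&11u32.to_be_bytes());
    blob.extend_from_slice(b"ssh-ed25519");
    blob.extend_from_slice(&32u32.to_be_bytes());
    blob.extend(1u8..=32);
    blob
}

/// Constructed known_hosts text; the `|1|` line shows a hashed entry being skipped.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed pinned list, not real hosts or keys
git.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g
|1|abc=|def= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g
";

fn main() {
    let good = sample_key();
    let mut tampered = good.clone();
    *tampered.last_mut().unwrap() ^= 0x01; // same host, one bit of key changed
    println!("{:?}", check_host_key(SAMPLE_KNOWN_HOSTS, "git.example.com", "ssh-ed25519", &good));
    println!("{:?}", check_host_key(SAMPLE_KNOWN_HOSTS, "git.example.com", "ssh-ed25519", &tampered));
    println!("{:?}", check_host_key(SAMPLE_KNOWN_HOSTS, "other.example.com", "ssh-ed25519", &good));
}
```

In the callback, map Trusted to an accept status and both other verdicts to an error; Mismatch versus Unknown is only there so the log entry says "key changed" rather than "host not pinned". Two caveats: the helper skips hashed known_hosts entries (they need HMAC-SHA1 to match), which rejects rather than accepts, so convert your pinned list to plain entries; and upgrading to libgit2-sys 0.14.2 does not help if your own certificate_check callback unconditionally returns the "certificate ok" status, since that re-creates the vulnerability in application code.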
RUSTSEC-2020-0071
Potential segfault in the time crate
Details | |
---|---|
Package | time |
Version | 0.1.45 |
URL | time-rs/time#293 |
Date | 2020-11-18 |
Patched versions | >=0.2.23 |
Unaffected versions | =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6 |
Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
time::UtcOffset::local_offset_at
time::UtcOffset::try_local_offset_at
time::UtcOffset::current_local_offset
time::UtcOffset::try_current_local_offset
time::OffsetDateTime::now_local
time::OffsetDateTime::try_now_local
The affected functions in time 0.1 (all versions) are:
at
at_utc
now
Non-Unix targets (including Windows and wasm) are unaffected.
Patches
Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.
Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.
Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series. The version flagged in this report is 0.1.45, so cargo update alone cannot resolve it; run cargo tree -i time@0.1.45 to see which dependency (typically chrono through its default oldtime feature) pulls it in.
Workarounds
A possible workaround for crates affected through the transitive dependency in chrono is to avoid using the default oldtime feature dependency of the chrono crate by disabling its default-features and manually specifying the required features instead.
Examples:
Cargo.toml:
chrono = { version = "0.4", default-features = false, features = ["serde"] }
chrono = { version = "0.4.22", default-features = false, features = ["clock"] }
Commandline:
cargo add chrono --no-default-features -F clock
Warnings
RUSTSEC-2021-0060
aes-soft has been merged into the aes crate
Details | |
---|---|
Status | unmaintained |
Package | aes-soft |
Version | 0.6.4 |
URL | RustCrypto/block-ciphers#200 |
Date | 2021-04-29 |
Please use the aes crate going forward. The new repository location is at:
<https://github.com/RustCrypto/block-ciphers/tree/master/aes>
AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fall back to a constant-time portable software implementation.
To force the use of a constant-time portable implementation on these platforms, even if AES-NI is available, use the new force-soft feature of the aes crate to disable autodetection.
RUSTSEC-2021-0059
aesni has been merged into the aes crate
Details | |
---|---|
Status | unmaintained |
Package | aesni |
Version | 0.10.0 |
URL | RustCrypto/block-ciphers#200 |
Date | 2021-04-29 |
Please use the aes crate going forward. The new repository location is at:
<https://github.com/RustCrypto/block-ciphers/tree/master/aes>
AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fall back to a constant-time portable software implementation.
To prevent this fallback (and have absence of AES-NI result in an illegal instruction crash instead), continue to pass the same RUSTFLAGS which were previously required for the aesni crate to compile:
RUSTFLAGS=-Ctarget-feature=+aes,+ssse3
RUSTSEC-2021-0064
cpuid-bool has been renamed to cpufeatures
Details | |
---|---|
Status | unmaintained |
Package | cpuid-bool |
Version | 0.2.0 |
URL | RustCrypto/utils#381 |
Date | 2021-05-06 |
Please use the cpufeatures crate going forward:
<https://github.com/RustCrypto/utils/tree/master/cpufeatures>
There will be no further releases of cpuid-bool.
RUSTSEC-2020-0056
stdweb is unmaintained
Details | |
---|---|
Status | unmaintained |
Package | stdweb |
Version | 0.4.20 |
URL | koute/stdweb#403 |
Date | 2020-05-04 |
The author of the stdweb crate is unresponsive.
Maintained alternatives: