This crate depends on chrono 0.4 which pulls in time 0.1 which is vulnerable to RUSTSEC-2020-0071 / CVE-2020-26235.
There seems to be no fix for chrono released yet, and the fix is not trivial.
Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── chrono 0.4.19
    ├── dtparse 1.2.0
    │   └── fclones 0.26.0
    └── chrono-tz 0.5.3
        └── dtparse 1.2.0
Because this crate's responsibility is mostly parsing, and I guess it doesn't use most of chrono's features, can you make it compatible with other time formats so chrono or time 0.1 are not needed? E.g. parsing a string into SystemTime or OffsetDateTime. That could be enabled by a feature flag + optional dependencies.
pkolaczk changed the title from "Upgrade time crate to 0.3" to "Upgrade time crate to 0.3 (CVE-2020-26235)" on Jul 24, 2022
SystemTime can only be created via SystemTime::now(), so it's not possible to parse strings into SystemTime.
The proper fix seems to be removing chrono entirely in favor of parsing in terms of PrimitiveDateTime/UtcOffset from the time crate, and releasing that as a major semver upgrade. Will take a look when I can, pull requests always appreciated.
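A Cargo.toml sketch of the layout both comments above point at (an optional `time` 0.3 back-end behind a feature flag, with chrono no longer mandatory). This is an added illustration, not the project's actual manifest; the crate name is taken from the dependency tree, while the version numbers, edition and feature names are assumptions.

```toml
# Assumed crate name (dtparse, from the audit output above); version is illustrative.
[package]
name = "dtparse"
version = "2.0.0"   # major bump: the public return types change
edition = "2021"

[dependencies]
# Before: `chrono = "0.4"` unconditionally. With chrono <= 0.4.19 that drags in
# time 0.1 and every consumer inherits RUSTSEC-2020-0071 / CVE-2020-26235.
# After: both back-ends are optional, so a consumer can pick one and drop the other.
chrono = { version = "0.4.20", optional = true }
time = { version = "0.3", optional = true }

[features]
# chrono stays the default so existing users keep building unchanged...
default = ["chrono"]
# ...and a consumer that wants no chrono/time 0.1 at all selects the other back-end:
#   dtparse = { version = "2", default-features = false, features = ["time"] }
chrono = ["dep:chrono"]
time = ["dep:time"]
```

After a consumer switches to `features = ["time"]`, `cargo audit` should no longer list RUSTSEC-2020-0071 (assuming nothing else in its tree still pulls in time 0.1).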
Seems like chrono is publishing an updated crate with fixes as part of 0.4.20. Given a dependency on chrono 0.4 as a minor release, the patch will get picked up.
I'm not opposed to pull requests that move to time directly, but I'm fine to simply pick up the upstream fixes.