Update rust function dependencies #1111
/unassign I don't have the creds to see the security advisories. Feel free to reassign if you want to grant me that access.

@jcrossley3 @lance I am marking this as a first good issue. Any objections?

It's a good first issue if you know Rust 😉 - sure, that seems fine.

/assign

/unassign

/assign @vyasgun
Dependabot has identified a few issues with the current Rust dependencies. These should be updated.
regex
Advisory https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
Upgrade regex to version 1.5.5 or later. For example:
tokio
Affected versions: < 1.8.4
Patched version: 1.8.4
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
actix-http
Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.
Popular front-end proxies and load balancers already mitigate HRS attacks, so it is recommended that they are also kept up to date; check your specific setup. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.
Upgrade actix-http to version 2.2.1 or later. For example:
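The affected ranges above are easy to misapply by hand (tokio has two of them), so here is an added check, not code from this issue or the project, that reads a Cargo.lock and reports any regex, tokio or actix-http entry still inside the ranges stated in this issue. The lock file contents are constructed for the example.

```python
# Added example (not from the issue or the project): scan Cargo.lock for the
# three advisories above, using the affected ranges exactly as the issue states.
# Assumes Cargo.lock's [[package]] table layout and plain x.y.z versions.
import re

def parse_version(s):
    # "1.13.0" -> (1, 13, 0); tuple comparison is enough for these ranges
    return tuple(int(p) for p in s.split(".")[:3])

def parse_cargo_lock(text):
    """Collect every version of each [[package]] entry (a crate may appear twice)."""
    found = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            found.setdefault(name.group(1), []).append(parse_version(ver.group(1)))
    return found

AFFECTED = {
    "regex": lambda v: v < (1, 5, 5),                                 # < 1.5.5
    "tokio": lambda v: v < (1, 8, 4) or (1, 9, 0) <= v < (1, 13, 1),  # < 1.8.4, 1.9.x..1.13.x before 1.13.1
    "actix-http": lambda v: v < (2, 2, 1),                            # < 2.2.1
}

def vulnerable_packages(lock_text):
    """Return sorted (crate, version) pairs that fall inside an affected range."""
    hits = []
    for name, versions in parse_cargo_lock(lock_text).items():
        for v in versions:
            if name in AFFECTED and AFFECTED[name](v):
                hits.append((name, ".".join(map(str, v))))
    return sorted(hits)

# Constructed sample lock (not the project's): tokio appears twice, which Cargo
# allows when two dependents require incompatible ranges, so both must be checked.
SAMPLE_LOCK = """\
[[package]]
name = "actix-http"
version = "2.2.0"
[[package]]
name = "regex"
version = "1.5.5"
[[package]]
name = "tokio"
version = "1.12.0"
[[package]]
name = "tokio"
version = "1.8.4"
"""
```

Running `vulnerable_packages(SAMPLE_LOCK)` on the sample flags actix-http 2.2.0 and tokio 1.12.0 while accepting regex 1.5.5 and tokio 1.8.4, which sit exactly on the patched boundaries.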