
Update rust function dependencies #1111

Closed
lance opened this issue Jul 13, 2022 · 6 comments · Fixed by #1201
Comments

@lance
Member

lance commented Jul 13, 2022

Dependabot has identified a few issues with the current rust dependencies. These should be updated.

regex

Advisory https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw

Upgrade regex to version 1.5.5 or later. For example:

[dependencies]
regex = "1.5.5"
[dev-dependencies]
regex = "1.5.5"

tokio

Affected versions: < 1.8.4
Patched version: 1.8.4

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.

Upgrade tokio to version 1.8.4 or later. For example:

[dependencies]
tokio = "1.8.4"
[dev-dependencies]
tokio = "1.8.4"

actix-http

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

Upgrade actix-http to version 2.2.1 or later. For example:

[dependencies]
actix-http = "2.2.1"
[dev-dependencies]
actix-http = "2.2.1"

/assign @vyasgun
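As an added example (not code from the issue or from the project), the check a practitioner would run before and after the upgrade: a small std-only Rust program that reads a Cargo.lock and reports packages inside the ranges quoted above. Cargo.lock is the relevant file because a caret requirement such as `regex = "1.5.5"` in Cargo.toml only sets a floor; the resolved version is pinned in the lock file, and `cargo update -p <crate>` is what moves it. The ranges are taken from the issue text only. Note the tokio case: "1.8.4 or later" is not sufficient on its own, since the same advisory text lists 1.9.x through 1.13.x before 1.13.1 as affected, so those are reported as needing 1.13.1. The sample lock file, the helper names and the fix hints are constructed for this example; for a real project the standard tool for this job is `cargo audit`, which checks Cargo.lock against the RustSec database.

```rust
// Added example: triage a Cargo.lock against the three advisory ranges
// quoted in the issue. Only the standard library is used.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version { major: u64, minor: u64, patch: u64 }

impl Version {
    /// Parse "1.5.5". A pre-release or build suffix ("3.0.0-beta.9") is cut
    /// off, so a pre-release compares as its base version; adequate for a
    /// lock-file triage of the ranges below.
    fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c| c == '-' || c == '+').next()?;
        let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version { major: it.next()??, minor: it.next()??, patch: it.next()?? };
        if it.next().is_some() { return None; }
        Some(v)
    }
}

fn v(major: u64, minor: u64, patch: u64) -> Version { Version { major, minor, patch } }

/// Affected ranges exactly as stated in the issue; returns a fix hint if hit.
fn affected(name: &str, ver: Version) -> Option<&'static str> {
    match name {
        // regex: "Upgrade regex to version 1.5.5 or later"
        "regex" if ver < v(1, 5, 5) => Some("upgrade to >= 1.5.5"),
        // tokio: "before 1.8.4" ...
        "tokio" if ver < v(1, 8, 4) => Some("upgrade to >= 1.8.4"),
        // ... "and 1.9.x through 1.13.x before 1.13.1"
        "tokio" if ver >= v(1, 9, 0) && ver < v(1, 13, 1) => Some("upgrade to >= 1.13.1"),
        // actix-http: "Upgrade actix-http to version 2.2.1 or later"
        "actix-http" if ver < v(2, 2, 1) => Some("upgrade to >= 2.2.1"),
        _ => None,
    }
}

/// Minimal Cargo.lock reader: collects (name, version) for every [[package]].
/// A lock file can hold several versions of one crate (e.g. a transitive
/// dependency pinning an old tokio), so every entry is returned.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, ver: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), ver.take()) { out.push((n, v)); }
    }
    let mut out = Vec::new();
    let (mut name, mut ver): (Option<String>, Option<String>) = (None, None);
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" { flush(&mut name, &mut ver, &mut out); continue; }
        if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut ver, &mut out);
    out
}

/// One line per affected package, in lock-file order.
fn findings(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    for (name, ver_str) in lock_packages(lock) {
        let ver = match Version::parse(&ver_str) { Some(x) => x, None => continue };
        if let Some(hint) = affected(&name, ver) {
            out.push(format!("{} {}: {}", name, ver_str, hint));
        }
    }
    out
}

/// Constructed sample lock file (not the project's): one hit per advisory,
/// one safe crate, and two resolved tokio versions of which only one is affected.
const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "actix-http"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.5.4"
dependencies = [
 "aho-corasick",
]

[[package]]
name = "serde"
version = "1.0.137"

[[package]]
name = "tokio"
version = "1.12.0"

[[package]]
name = "tokio"
version = "1.19.2"
"#;

fn main() {
    // Usage: pass a path to a Cargo.lock; without one the built-in sample is used.
    let lock = std::env::args().nth(1)
        .and_then(|p| std::fs::read_to_string(p).ok())
        .unwrap_or_else(|| SAMPLE_LOCK.to_string());
    let found = findings(&lock);
    for f in &found { println!("{}", f); }
    if found.is_empty() { println!("no affected versions found"); } else { std::process::exit(1); }
}
```

Run against the sample it reports actix-http 2.2.0, regex 1.5.4 and tokio 1.12.0, and exits non-zero so it can gate CI; tokio 1.19.2 in the same lock is correctly left alone.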

@jcrossley3
Contributor

/unassign

I don't have the creds to see the security advisories. Feel free to reassign if you want to grant me that access.

@salaboy
Member

salaboy commented Jul 21, 2022

@jcrossley3 @lance I am marking this as a first good issue.. any objections?

@lance
Member Author

lance commented Jul 21, 2022

> @jcrossley3 @lance I am marking this as a first good issue.. any objections?

It's a good first issue if you know Rust 😉 - sure that seems fine.

lance added this to the Release.NEXT milestone Jul 28, 2022
@lance
Member Author

lance commented Jul 28, 2022

/assign

@lance
Member Author

lance commented Jul 30, 2022

/unassign

@lance
Member Author

lance commented Aug 24, 2022

/assign @vyasgun
