fix: updated vulnerable libs #2388

Merged

merged 1 commit into from
Apr 30, 2024

Conversation

Dmitry-Borodin (Contributor) commented Apr 29, 2024

Those were vulnerable due to cargo-deny check: rustls and h2

Note: those added and removed are transitive dependencies.

Errors fixed:

error[vulnerability]: Degradation of service in h2 servers with CONTINUATION Flood
    ┌─ /github/workspace/rust/Cargo.lock:148:1
    │
148 │ h2 0.3.24 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0332
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0332
    = An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely.
      This results in an increase in CPU usage.
      
      Tokio task budget helps prevent this from a complete denial-of-service, as the server can still
      respond to legitimate requests, albeit with increased latency.
      
      More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/".
      
      Patches available for 0.4.x and 0.3.x versions.
    = Solution: Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)
    = h2 v0.3.24
      └── hyper v0.14.20
          ├── hyper-rustls v0.24.1
          │   └── jsonrpsee-http-client v0.16.3
          │       └── jsonrpsee v0.16.3
          │           └── subxt-codegen v0.27.1
          │               └── subxt-macro v0.27.1
          │                   └── subxt v0.27.1
          │                       └── (dev) parser v0.1.0
          │                           ├── (dev) navigator v0.1.0
          │                           │   └── signer v0.1.0
          │                           ├── signer v0.1.0 (*)
          │                           └── transaction_parsing v0.1.0
          │                               ├── navigator v0.1.0 (*)
          │                               ├── qr_reader_phone v0.1.0
          │                               │   ├── qr_reader_pc v0.2.0
          │                               │   └── signer v0.1.0 (*)
          │                               ├── signer v0.1.0 (*)
          │                               └── (dev) transaction_signing v0.1.0
          │                                   ├── navigator v0.1.0 (*)
          │                                   └── signer v0.1.0 (*)
          ├── jsonrpsee-core v0.16.3
          │   ├── jsonrpsee v0.16.3 (*)
          │   ├── jsonrpsee-client-transport v0.16.3
          │   │   └── jsonrpsee v0.16.3 (*)
          │   └── jsonrpsee-http-client v0.16.3 (*)
          └── jsonrpsee-http-client v0.16.3 (*)
 error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /github/workspace/rust/Cargo.lock:322:1
    │
322 │ rustls 0.21.6 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0336
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    = If a `close_notify` alert is received during a handshake, `complete_io`
      does not terminate.
      
      Callers which do not call `complete_io` are not affected.
      
      `rustls-tokio` and `rustls-ffi` do not call `complete_io`
      and are not affected.
      
      `rustls::Stream` and `rustls::StreamOwned` types use
      `complete_io` and are affected.
    = Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    = Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    = rustls v0.21.6
      ├── hyper-rustls v0.24.1
      │   └── jsonrpsee-http-client v0.16.3
      │       └── jsonrpsee v0.16.3
      │           └── subxt-codegen v0.27.1
      │               └── subxt-macro v0.27.1
      │                   └── subxt v0.27.1
      │                       └── (dev) parser v0.1.0
      │                           ├── (dev) navigator v0.1.0
      │                           │   └── signer v0.1.0
      │                           ├── signer v0.1.0 (*)
      │                           └── transaction_parsing v0.1.0
      │                               ├── navigator v0.1.0 (*)
      │                               ├── qr_reader_phone v0.1.0
      │                               │   ├── qr_reader_pc v0.2.0
      │                               │   └── signer v0.1.0 (*)
      │                               ├── signer v0.1.0 (*)
      │                               └── (dev) transaction_signing v0.1.0
      │                                   ├── navigator v0.1.0 (*)
      │                                   └── signer v0.1.0 (*)
      └── tokio-rustls v0.24.1
          ├── hyper-rustls v0.24.1 (*)
          ├── jsonrpsee-client-transport v0.16.3
          │   └── jsonrpsee v0.16.3 (*)
          └── jsonrpsee-client-transport v0.20.3
              └── jsonrpsee-ws-client v0.20.3
                  └── jsonrpsee v0.20.3
                      └── generate_message v0.1.0
                          └── (build) signer v0.1.0 (*)
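A stand-alone check for the two advisories in the output above, added here as an example (not code from this PR or the repository): it reads the `[[package]]` entries of a Cargo.lock and tests every `h2` and `rustls` version against the patched ranges quoted in the `Solution` lines, so a CI step can confirm the lockfile is clean offline. The Cargo.lock excerpt is constructed to mirror the versions in the diagnostic.

```python
import re

# Patched ranges copied from the "Solution" lines above, as
# (lower bound inclusive, upper bound exclusive or None):
#   h2:     ^0.3.26 OR >=0.4.4   (^0.3.26 means >=0.3.26, <0.4.0)
#   rustls: >=0.23.5 OR >=0.22.4,<0.23.0 OR >=0.21.11,<0.22.0
PATCHED = {
    "h2": [((0, 3, 26), (0, 4, 0)), ((0, 4, 4), None)],
    "rustls": [((0, 21, 11), (0, 22, 0)), ((0, 22, 4), (0, 23, 0)), ((0, 23, 5), None)],
}

def parse_version(text):
    """Return (major, minor, patch); any pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(crate, version):
    """True if this crate version lies inside one of the patched ranges."""
    v = parse_version(version)
    return any(v >= lo and (hi is None or v < hi) for lo, hi in PATCHED[crate])

def parse_cargo_lock(text):
    """Yield (name, version) for every [[package]] entry. The same crate may
    appear more than once (the tree above has jsonrpsee 0.16.3 and 0.20.3)."""
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            yield name.group(1), version.group(1)

def vulnerable_packages(lock_text):
    """List the (name, version) entries cargo-deny would still flag."""
    return [(n, v) for n, v in parse_cargo_lock(lock_text)
            if n in PATCHED and not is_patched(n, v)]

# Constructed Cargo.lock excerpt mirroring the versions in the diagnostic above.
SAMPLE_LOCK = """\
[[package]]
name = "h2"
version = "0.3.24"

[[package]]
name = "rustls"
version = "0.21.6"
"""

if __name__ == "__main__":
    for name, version in vulnerable_packages(SAMPLE_LOCK):
        print(f"{name} {version}: still vulnerable, try `cargo update -p {name}`")
```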

@krodak krodak merged commit e5664eb into master Apr 30, 2024
13 checks passed
@krodak krodak deleted the dm-rust-libs-upd2 branch April 30, 2024 08:25