diesel-adapter is dependent on an old version of diesel, which depends on vulnerable versions of libsqlite3-sys
rockstar opened this issue
Paul Hummer commented
`cargo deny` now flags `diesel-adapter` as contributing a vulnerable `libsqlite3-sys`.
```
= ID: RUSTSEC-2022-0090
= Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0090
= It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's `printf` function.
As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite [here](https://github.com/rusqlite/rusqlite/releases/tag/sys0.25.1).
= Announcement: https://nvd.nist.gov/vuln/detail/CVE-2022-35737
= Solution: Upgrade to >=0.25.1
= libsqlite3-sys v0.22.2
  ├── diesel v1.4.8
  │   └── diesel-adapter v0.9.0
  │       └── watchful-hub v3.0.0
```
Is `diesel-adapter` maintained? The latest version of `diesel-adapter` is dependent on a release of `diesel` that was released a while ago.
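The report above is the kind of finding `cargo deny check advisories` (or `cargo audit`) produces by walking `Cargo.lock` upward from the vulnerable crate to the crate that pulled it in. The script below is an added example for this thread, not code from casbin-rs, diesel-adapter or cargo-deny: it reads a constructed `Cargo.lock` excerpt that mirrors the printed tree (watchful-hub -> diesel-adapter -> diesel -> libsqlite3-sys), compares the locked `libsqlite3-sys` version against the advisory's patched bound (`>= 0.25.1`, from RUSTSEC-2022-0090), and prints every dependency chain that leads to an affected copy. Function and variable names are the example's own.

```python
"""Find dependency chains in a Cargo.lock that lead to a crate older than a
RustSEC advisory's patched version (added example; not from the project)."""
from typing import Dict, List, Tuple

# Constructed Cargo.lock excerpt mirroring the tree cargo deny printed above.
SAMPLE_LOCK = """\
[[package]]
name = "watchful-hub"
version = "3.0.0"
dependencies = [
 "diesel-adapter",
]

[[package]]
name = "diesel-adapter"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "diesel",
]

[[package]]
name = "diesel"
version = "1.4.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libsqlite3-sys",
]

[[package]]
name = "libsqlite3-sys"
version = "0.22.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text: str) -> List[Dict]:
    """Minimal parser for [[package]] tables: name, version and the multi-line
    dependencies array as Cargo writes it. A dependency entry written as
    "name version" (several versions locked) keeps only the name."""
    packages: List[Dict] = []
    current: Dict = {}
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current:
                packages.append(current)
            current = {"name": "", "version": "", "dependencies": []}
            in_deps = False
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line:
                current["dependencies"].append(line.strip('",').split()[0])
        elif line.startswith("name = "):
            current["name"] = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = "):
            current["version"] = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")
    if current:
        packages.append(current)
    return packages


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric core of a semver string: "0.25.1" -> (0, 25, 1); pre-release
    and build metadata are dropped, which is enough for a patched-version bound."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version: str, patched: str) -> bool:
    """True when `version` is older than the first patched release."""
    return parse_version(version) < parse_version(patched)


def dependency_chains(packages: List[Dict], target: str) -> List[List[str]]:
    """Every path root -> ... -> target, found by walking the reverse
    dependency map upward; visited-path check guards against cycles."""
    dependents: Dict[str, List[str]] = {}
    for pkg in packages:
        for dep in pkg["dependencies"]:
            dependents.setdefault(dep, []).append(pkg["name"])
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        parents = dependents.get(node, [])
        if not parents:
            chains.append(list(reversed(path)))
            return
        for parent in parents:
            if parent not in path:
                walk(parent, path + [parent])

    walk(target, [target])
    return chains


def audit(lock_text: str, crate: str, patched: str) -> List[Tuple[str, List[str]]]:
    """(locked version, chain) for each copy of `crate` older than `patched`."""
    packages = parse_cargo_lock(lock_text)
    findings = []
    for pkg in packages:
        if pkg["name"] == crate and is_affected(pkg["version"], patched):
            for chain in dependency_chains(packages, crate):
                findings.append((pkg["version"], chain))
    return findings


if __name__ == "__main__":
    # Bound taken from RUSTSEC-2022-0090: libsqlite3-sys patched in >= 0.25.1.
    for version, chain in audit(SAMPLE_LOCK, "libsqlite3-sys", "0.25.1"):
        print(f"libsqlite3-sys v{version} is affected, pulled in via: " + " -> ".join(chain))
```

Run against a real lockfile by reading it into `audit` instead of `SAMPLE_LOCK`; the chain output tells you which direct dependency (here `diesel-adapter`) has to move to a `diesel` release that pins `libsqlite3-sys >= 0.25.1` before the advisory clears.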
casbin-bot commented