casbin-rs / diesel-adapter

Diesel adapter for Casbin-RS (Rust)

Home Page:https://github.com/casbin/casbin-rs

diesel-adapter is dependent on an old version of diesel, which depends on vulnerable versions of libsqlite3-sys

rockstar opened this issue · comments

cargo deny now flags diesel-adapter as contributing a vulnerable libsqlite3-sys.

    = ID: RUSTSEC-2022-0090
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0090
    = It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's `printf` function.
      
      As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite [here](https://github.com/rusqlite/rusqlite/releases/tag/sys0.25.1).
    = Announcement: https://nvd.nist.gov/vuln/detail/CVE-2022-35737
    = Solution: Upgrade to >=0.25.1
    = libsqlite3-sys v0.22.2
      ├── diesel v1.4.8
      │   └── diesel-adapter v0.9.0
      │       └── watchful-hub v3.0.0

Is diesel-adapter maintained? The latest version of diesel-adapter is dependent on a release of diesel that was released a while ago.
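Added example, not code from diesel-adapter or casbin-rs: a small standard-library Rust program that parses the inverse dependency tree `cargo deny` printed above, reports the chain of crates that pulls in the flagged libsqlite3-sys, and compares its version against the advisory's fix line (">=0.25.1"). The tree text is copied from this issue as constructed sample input; it also handles trees with more than one branch.

```rust
// Added example, not code from diesel-adapter or casbin-rs: parse the inverse
// dependency tree `cargo deny` printed above, list the chain that pulls in the
// flagged libsqlite3-sys, and compare its version with the advisory's fix
// line ("Upgrade to >=0.25.1"). Standard library only.
/// Inverse dependency tree copied from the issue (constructed sample input).
pub const TREE: &str = "libsqlite3-sys v0.22.2
├── diesel v1.4.8
│   └── diesel-adapter v0.9.0
│       └── watchful-hub v3.0.0";

/// "v1.2.3" or "1.2.3" -> (major, minor, patch); None if malformed.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.trim_start_matches('v').split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// True when `found` is older than `fixed`; an unparseable version counts as
/// vulnerable so a bad string cannot make the check pass silently.
pub fn is_vulnerable(found: &str, fixed: &str) -> bool {
    match (parse_version(found), parse_version(fixed)) {
        (Some(f), Some(x)) => f < x,
        _ => true,
    }
}

/// One tree line -> (depth, crate, version). Every level is four columns wide
/// ("├── ", "│   ", "└── " or "    "), so depth = prefix width / 4.
fn parse_line(line: &str) -> Option<(usize, &str, &str)> {
    let start = line.find(|c: char| c.is_ascii_alphanumeric())?;
    let mut parts = line[start..].split_whitespace();
    Some((line[..start].chars().count() / 4, parts.next()?, parts.next()?))
}

/// Every root-to-leaf chain as (crate, version) pairs, flagged crate first.
pub fn dependency_paths(tree: &str) -> Vec<Vec<(String, String)>> {
    let entries: Vec<_> = tree.lines().filter_map(parse_line).collect();
    let (mut paths, mut stack) = (Vec::new(), Vec::new());
    for (i, &(depth, name, ver)) in entries.iter().enumerate() {
        stack.truncate(depth);
        stack.push((name.to_string(), ver.to_string()));
        // No deeper line follows: this entry is a leaf, so record the chain.
        if entries.get(i + 1).map_or(true, |&(d, _, _)| d <= depth) { paths.push(stack.clone()); }
    }
    paths
}

/// One finding per chain whose root is still below the fixed version.
pub fn findings(tree: &str, fixed: &str) -> Vec<String> {
    dependency_paths(tree).into_iter().filter(|p| is_vulnerable(&p[0].1, fixed)).map(|p| {
        let via: Vec<String> = p[1..].iter().map(|(n, v)| format!("{n} {v}")).collect();
        format!("{} {} < {fixed} via {}", p[0].0, p[0].1, via.join(" <- "))
    }).collect()
}

fn main() { findings(TREE, "0.25.1").iter().for_each(|f| println!("{f}")); }
```

Running it on the tree above prints one line naming watchful-hub's path to libsqlite3-sys v0.22.2; the same parser accepts the output of `cargo tree -i <crate>` for other crates.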

@rockstar hi, can you make a PR to fix this issue?