RUSTSEC-2020-0146: arr! macro erases lifetimes
github-actions opened this issue · comments
arr! macro erases lifetimes
| Details | |
|---|---|
| Package | generic-array |
| Version | 0.12.3 |
| URL | fizyk20/generic-array#98 |
| Date | 2020-04-09 |
| Patched versions | >=0.14.0 |
| Unaffected versions | <0.8.0 |
Affected versions of this crate allowed unsoundly extending
lifetimes using arr! macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.
See advisory page for additional details.
tera depends on pest_meta which depends on sha-1:0.8 which depends on block-buffer:0.7.3 and digest:0.8.1 which depends on the old version of generic-array.
pest team fixed it, but doesn't release yet:
pest-parser/pest@4fcdcfb