Migrate `webpki` dependency to `rustls-webpki` to mitigate RUSTSEC-2023-0052

Question

Migrate `webpki` dependency to `rustls-webpki` to mitigate RUSTSEC-2023-0052

fuchsnj opened this issue a year ago · comments

There is a security advisory for a CPU denial of service in the webpki crate, which is a dependency of bollard.
The webpki crate appears to be unmaintained. The latest version of rustls-webpki contains a fix for this.

Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052.html

Niel Drummond · Answer 1 · Tue Aug 29 2023 02:48:53 GMT+0800 (China Standard Time)

Thanks for the PR #328 let's close this

Dustin Martin · Answer 2 · Tue Aug 29 2023 23:57:18 GMT+0800 (China Standard Time)

Would it be possible to do a patch release that includes this fix?
We can use a git commit in Cargo.toml for now to avoid the security advisory warning, but that feels a little clunky.

Niel Drummond · Answer 3 · Wed Aug 30 2023 03:43:29 GMT+0800 (China Standard Time)

Yes, I can try to schedule a patch release in a couple of weeks when I'm back and have some time.

Dustin Martin · Answer 4 · Wed Aug 30 2023 03:59:25 GMT+0800 (China Standard Time)

Much appreciated, and thank you for all of your hard work on this library!