Security vulnerability with `time: v0.1.43`
appetrosyan opened this issue
Aleksandr Petrosyan commented
Hi, we're using ursa in hyperledger iroha. When we ran `cargo audit`, we found:

```
Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
```

And `cargo tree` showed `time` as a direct dependency of `ursa`.
hartm commented
I think time is only used for performance benchmarking, so this shouldn't be a security vulnerability for Ursa. But it definitely should be updated, so thanks for pointing this out!