Update ring version due to vulnerability problem
rodoufu opened this issue
The actual version of the project is pointing to ring = "0.14.0", which has a dependency on spin = "0.5.0", and this version has a vulnerability problem.
https://github.com/jjyr/hdwallet/blob/master/Cargo.toml#L20
It's possible to update ring to ring = "0.16.9", which is using spin = "0.5.2".
https://github.com/briansmith/ring/blob/master/Cargo.toml#L307
error: Vulnerable crates found!
ID: RUSTSEC-2019-0013
Crate: spin
Version: 0.5.0
Date: 2019-08-27
URL: https://github.com/mvdnes/spin-rs/issues/65
Title: Wrong memory orderings in RwLock potentially violates mutual exclusion
Solution: upgrade to: >= 0.5.2
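
Added example, not part of the original issue or of the hdwallet or ring code: a std-only Rust check that scans Cargo.lock text for spin versions below the 0.5.2 fix named in the advisory output above and reports which packages pull spin in. The function names and the sample lockfile are constructed for illustration.

```rust
// Fixed version taken from the advisory output above ("upgrade to: >= 0.5.2").
const FIXED: (u64, u64, u64) = (0, 5, 2);
// Constructed sample lockfile entries (not the project's real Cargo.lock).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "ring"
version = "0.14.0"
dependencies = [
 "spin 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "spin"
version = "0.5.0"
"#;

/// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Extract the quoted value from a `key = "value"` line, if the line has that key.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Returns (affected spin versions, packages that list spin as a dependency).
fn audit_spin(lock: &str) -> (Vec<String>, Vec<String>) {
    let (mut affected, mut dependents) = (Vec::new(), Vec::new());
    let mut name = String::new(); // name of the [[package]] entry being read
    for line in lock.lines() {
        if let Some(n) = quoted(line, "name") {
            name = n.to_string();
        } else if let Some(v) = quoted(line, "version") {
            if name == "spin" && parse_version(v).map_or(false, |p| p < FIXED) {
                affected.push(v.to_string());
            }
        } else if line.trim().starts_with("\"spin ") || line.trim() == "\"spin\"," {
            dependents.push(name.clone()); // dependency entry inside `name`'s list
        }
    }
    (affected, dependents)
}

fn main() {
    println!("{:?}", audit_spin(SAMPLE_LOCK));
}
```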