nix-community / nix-index

Quickly locate nix packages with specific files [maintainers=@bennofs @figsoda @raitobezarius]


Latest release contains crates with 12 security vulnerabilities

Mic92 opened this issue · comments

cargo audit for v0.1.2

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (141 crate dependencies)

Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
└── nix-index 0.1.2

Crate: crossbeam-deque
Version: 0.6.1
Title: Data race in crossbeam-deque
Date: 2021-07-30
ID: RUSTSEC-2021-0093
URL: https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.6.1
└── tokio-threadpool 0.1.6
├── tokio-fs 0.1.3
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
└── tokio 0.1.8

Crate: hyper
Version: 0.11.27
Title: Lenient hyper header parsing of Content-Length could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.11.27
└── nix-index 0.1.2

Crate: hyper
Version: 0.11.27
Title: Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution: Upgrade to >=0.14.10

Crate: hyper
Version: 0.11.27
Title: Flaw in hyper allows request smuggling by sending a body in GET requests
Date: 2020-03-19
ID: RUSTSEC-2020-0008
URL: https://rustsec.org/advisories/RUSTSEC-2020-0008
Solution: Upgrade to >=0.12.34

Crate: owning_ref
Version: 0.3.3
Title: Multiple soundness issues in owning_ref
Date: 2022-01-26
ID: RUSTSEC-2022-0040
URL: https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution: No fixed upgrade is available!
Dependency tree:
owning_ref 0.3.3
└── lock_api 0.1.3
└── parking_lot 0.6.4
└── tokio-reactor 0.1.5
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-core 0.1.17
└── tokio 0.1.8

Crate: regex
Version: 1.0.5
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
└── nix-index 0.1.2

Crate: smallvec
Version: 0.6.5
Title: Double-free and use-after-free in SmallVec::grow()
Date: 2019-06-06
ID: RUSTSEC-2019-0009
URL: https://rustsec.org/advisories/RUSTSEC-2019-0009
Solution: Upgrade to >=0.6.10
Dependency tree:
smallvec 0.6.5
└── parking_lot_core 0.3.1
└── parking_lot 0.6.4
└── tokio-reactor 0.1.5
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-core 0.1.17
└── tokio 0.1.8

Crate: smallvec
Version: 0.6.5
Title: Buffer overflow in SmallVec::insert_many
Date: 2021-01-08
ID: RUSTSEC-2021-0003
URL: https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1

Crate: smallvec
Version: 0.6.5
Title: Memory corruption in SmallVec::grow()
Date: 2019-07-19
ID: RUSTSEC-2019-0012
URL: https://rustsec.org/advisories/RUSTSEC-2019-0012
Solution: Upgrade to >=0.6.10

Crate: thread_local
Version: 0.3.6
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 0.3.6
└── regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
└── nix-index 0.1.2

Crate: time
Version: 0.1.40
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.40
├── stderr 0.8.0
│ └── nix-index 0.1.2
└── hyper 0.11.27
└── nix-index 0.1.2

Crate: ansi_term
Version: 0.10.2
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.10.2
└── nix-index 0.1.2

Crate: ansi_term
Version: 0.11.0
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.11.0
└── clap 2.32.0
└── nix-index 0.1.2

Crate: net2
Version: 0.2.33
Warning: unmaintained
Title: net2 crate has been deprecated; use socket2 instead
Date: 2020-05-01
ID: RUSTSEC-2020-0016
URL: https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.33
├── tokio-proto 0.1.1
│ └── hyper 0.11.27
│ └── nix-index 0.1.2
├── miow 0.2.1
│ └── mio 0.6.16
│ ├── tokio-uds 0.2.1
│ │ └── tokio 0.1.8
│ │ └── tokio-core 0.1.17
│ │ ├── tokio-retry 0.1.1
│ │ │ └── nix-index 0.1.2
│ │ ├── tokio-proto 0.1.1
│ │ ├── nix-index 0.1.2
│ │ └── hyper 0.11.27
│ ├── tokio-udp 0.1.2
│ │ └── tokio 0.1.8
│ ├── tokio-tcp 0.1.1
│ │ └── tokio 0.1.8
│ ├── tokio-reactor 0.1.5
│ │ ├── tokio-uds 0.2.1
│ │ ├── tokio-udp 0.1.2
│ │ ├── tokio-tcp 0.1.1
│ │ ├── tokio-core 0.1.17
│ │ └── tokio 0.1.8
│ ├── tokio-core 0.1.17
│ ├── tokio 0.1.8
│ └── mio-uds 0.6.7
│ └── tokio-uds 0.2.1
├── mio 0.6.16
└── hyper 0.11.27

Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.2

Crate: tokio-proto
Version: 0.1.1
Warning: unmaintained
Title: tokio-proto is deprecated/unmaintained
Date: 2020-02-06
ID: RUSTSEC-2020-0162
URL: https://rustsec.org/advisories/RUSTSEC-2020-0162
Dependency tree:
tokio-proto 0.1.1
└── hyper 0.11.27
└── nix-index 0.1.2

Crate: xml-rs
Version: 0.8.0
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.0
└── nix-index 0.1.2

Crate: miow
Version: 0.2.1
Warning: yanked
Dependency tree:
miow 0.2.1
└── mio 0.6.16
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-reactor 0.1.5
│ ├── tokio-uds 0.2.1
│ ├── tokio-udp 0.1.2
│ ├── tokio-tcp 0.1.1
│ ├── tokio-core 0.1.17
│ └── tokio 0.1.8
├── tokio-core 0.1.17
├── tokio 0.1.8
└── mio-uds 0.6.7
└── tokio-uds 0.2.1

Crate: net2
Version: 0.2.33
Warning: yanked

Crate: smallvec
Version: 0.6.5
Warning: yanked

error: 12 vulnerabilities found!
warning: 9 allowed warnings found

The current master would bring this down to 4 security vulnerabilities

cargo audit for master

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (178 crate dependencies)

Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
└── nix-index 0.1.3

Crate: regex
Version: 1.5.4
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4
├── nix-index 0.1.3
├── grep-regex 0.1.9
│ └── grep 0.2.8
│ └── nix-index 0.1.3
├── grep-cli 0.1.6
│ └── grep 0.2.8
└── globset 0.4.8
└── grep-cli 0.1.6

Crate: thread_local
Version: 1.1.3
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3
└── grep-regex 0.1.9
└── grep 0.2.8
└── nix-index 0.1.3

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── stderr 0.8.0
└── nix-index 0.1.3

Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── nix-index 0.1.3

Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.3

Crate: xml-rs
Version: 0.8.4
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── nix-index 0.1.3

Crate: cpufeatures
Version: 0.2.1
Warning: yanked
Dependency tree:
cpufeatures 0.2.1
└── sha-1 0.9.8
└── headers 0.3.5
├── nix-index 0.1.3
└── hyper-proxy 0.9.1
└── nix-index 0.1.3

error: 4 vulnerabilities found!
warning: 4 allowed warnings found
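As an added example (not part of this issue or of the nix-index project): a small Python triage script over `cargo audit --json` output that reproduces the split the runs above make between hard failures (vulnerabilities) and allowed warnings (unmaintained, yanked), groups the advisories per vulnerable crate version, and separates crates an upgrade can fix from ones like brotli-sys where the advisory offers no patched release. The JSON field names used here (`vulnerabilities.list`, `versions.patched`, `warnings.unmaintained`, `warnings.yanked`) are my assumption about cargo-audit's report shape, and the embedded report is constructed from a few of the advisories quoted above rather than captured from the tool.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed `cargo audit --json` shape, trimmed to a
# handful of the advisories quoted in the issue (not real tool output).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 4,
        "list": [
            {"advisory": {"id": "RUSTSEC-2021-0131", "package": "brotli-sys",
                          "title": "Integer overflow in the bundled Brotli C library"},
             "versions": {"patched": [], "unaffected": []},
             "package": {"name": "brotli-sys", "version": "0.3.2"}},
            {"advisory": {"id": "RUSTSEC-2021-0078", "package": "hyper",
                          "title": "Lenient hyper header parsing of Content-Length could allow request smuggling"},
             "versions": {"patched": [">=0.14.10"], "unaffected": []},
             "package": {"name": "hyper", "version": "0.11.27"}},
            {"advisory": {"id": "RUSTSEC-2020-0008", "package": "hyper",
                          "title": "Flaw in hyper allows request smuggling by sending a body in GET requests"},
             "versions": {"patched": [">=0.12.34"], "unaffected": []},
             "package": {"name": "hyper", "version": "0.11.27"}},
            {"advisory": {"id": "RUSTSEC-2022-0013", "package": "regex",
                          "title": "Regexes with large repetitions on empty sub-expressions take a very long time to parse"},
             "versions": {"patched": [">=1.5.5"], "unaffected": []},
             "package": {"name": "regex", "version": "1.0.5"}},
        ],
    },
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "package": {"name": "ansi_term", "version": "0.11.0"},
             "advisory": {"id": "RUSTSEC-2021-0139", "package": "ansi_term",
                          "title": "ansi_term is Unmaintained"}},
        ],
        "yanked": [
            {"kind": "yanked",
             "package": {"name": "smallvec", "version": "0.6.5"},
             "advisory": None},
        ],
    },
})


def triage(report_json):
    """Group advisories per vulnerable crate version; split fixable from unfixable."""
    report = json.loads(report_json)
    per_crate = defaultdict(list)
    for vuln in report["vulnerabilities"]["list"]:
        pkg = vuln["package"]
        per_crate[(pkg["name"], pkg["version"])].append(vuln)

    fixable, unfixable = {}, {}
    for crate, vulns in per_crate.items():
        ids = sorted(v["advisory"]["id"] for v in vulns)
        # A crate counts as fixable only if every advisory against it names a
        # patched range; the upgrade then has to satisfy all of those ranges.
        patched = [r for v in vulns for r in v["versions"]["patched"]]
        if all(v["versions"]["patched"] for v in vulns):
            fixable[crate] = {"advisories": ids, "patched": patched}
        else:
            unfixable[crate] = {"advisories": ids}

    warnings = {kind: len(items) for kind, items in report["warnings"].items()}
    return {
        "advisories": len(report["vulnerabilities"]["list"]),
        "crates": len(per_crate),
        "fixable": fixable,
        "unfixable": unfixable,
        "warnings": warnings,
    }


def gate(summary, fail_on_warnings=False):
    """CI decision: any vulnerability fails; warnings fail only when opted in."""
    if summary["advisories"] > 0:
        return False
    if fail_on_warnings and sum(summary["warnings"].values()) > 0:
        return False
    return True


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    print(f"{s['advisories']} advisories across {s['crates']} crate versions")
    for crate, info in s["unfixable"].items():
        print(f"  NO FIX  {crate[0]} {crate[1]}: {', '.join(info['advisories'])}")
    for crate, info in s["fixable"].items():
        print(f"  UPGRADE {crate[0]} {crate[1]} -> {' AND '.join(info['patched'])}: "
              f"{', '.join(info['advisories'])}")
    print("warnings:", s["warnings"])
    raise SystemExit(0 if gate(s) else 1)
```

Keying on crate version rather than advisory ID is what turns "12 vulnerabilities" into the shorter worklist a maintainer actually acts on (three hyper advisories are one hyper upgrade), and keeping warnings out of the failure path by default matches cargo-audit's own "allowed warnings" behaviour while still letting a stricter pipeline opt in.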

Fixed everything except unmaintained xml-rs and ansi_term. ansi_term is a really small library, so moving away from it has low priority. xml-rs is a bit bigger, but it's also a bit more work to migrate to something else. Perhaps we should find a better way to get the package attributes instead, since using nix-env is not optimal anyway (no support for flakes).