Address RUSTSEC-2020-0071 and RUSTSEC-2020-0159
PiotrSikora opened this issue · comments
From #136 (review) (for tracking purposes, in case it won't be fixed by that PR):
IMHO, this change is wrong. The 2 CVEs affecting
chrono
are:
- RUSTSEC-2020-0071 - which can be easily fixed by removing
oldtime
feature fromchrono
dependency.- RUSTSEC-2020-0159 - which doesn't have a clear fix, but it also doesn't affect this project. The CVE is about the unsafe use of
localtime_r
syscall, which isn't exposed inwasm32-*
targets, nor used withDateTime<Utc>
. Futhermore, thetime
crate didn't solve the underlying issue, but they've hidden calls tolocaltime_r
behind a feature flag, so I don't think it's much better, security-wise. Lastly, I believe thatchrono
is (or was?) more popular in the Rust ecosystem, so I'd prefer to leave it as a more representative example. I agree that we should fix thecargo-audit
warning, but that's going to be cleaned up with #140... in the meantime, we can excludeRUSTSEC-2020-0159
using--ignore
flag.
cc @Swaagie
Thanks for digging into this as well. I'll spend some time on this later today and otherwise tomorrow. I'll do some work to find a solid approach using the chrono
crate.
@Swaagie thanks! FWIW, if you want to follow above recomendations (I'm not saying that you have to), then:
RUSTSEC-2020-0071 can be fixed by making this change in Cargo.toml
(and regenerating cargo raze
artifacts):
-chrono = "0.4"
+chrono = { version = "0.4", default-features = false, features = ["clock", "std"] }
RUSTSEC-2020-0159 can be cleaned up in this repo by adding --ignore RUSTSEC-2020-0159
to the cargo audit
invocation, but that probably won't silence the warning in the dependent crates. For that we might need #140 (or at least move freestanding .rs
files to subdirectories and turn them into proper crates; we can add Envoy in subsequent PRs).