Address RUSTSEC-2020-0071 and RUSTSEC-2020-0159
PiotrSikora opened this issue · comments
From #136 (review) (for tracking purposes, in case it won't be fixed by that PR):
IMHO, this change is wrong. The 2 CVEs affecting
chronoare:
- RUSTSEC-2020-0071 - which can be easily fixed by removing
oldtimefeature fromchronodependency.- RUSTSEC-2020-0159 - which doesn't have a clear fix, but it also doesn't affect this project. The CVE is about the unsafe use of
localtime_rsyscall, which isn't exposed inwasm32-*targets, nor used withDateTime<Utc>. Futhermore, thetimecrate didn't solve the underlying issue, but they've hidden calls tolocaltime_rbehind a feature flag, so I don't think it's much better, security-wise. Lastly, I believe thatchronois (or was?) more popular in the Rust ecosystem, so I'd prefer to leave it as a more representative example. I agree that we should fix thecargo-auditwarning, but that's going to be cleaned up with #140... in the meantime, we can excludeRUSTSEC-2020-0159using--ignoreflag.
cc @Swaagie
Thanks for digging into this as well. I'll spend some time on this later today and otherwise tomorrow. I'll do some work to find a solid approach using the chrono crate.
@Swaagie thanks! FWIW, if you want to follow above recomendations (I'm not saying that you have to), then:
RUSTSEC-2020-0071 can be fixed by making this change in Cargo.toml (and regenerating cargo raze artifacts):
-chrono = "0.4"
+chrono = { version = "0.4", default-features = false, features = ["clock", "std"] } RUSTSEC-2020-0159 can be cleaned up in this repo by adding --ignore RUSTSEC-2020-0159 to the cargo audit invocation, but that probably won't silence the warning in the dependent crates. For that we might need #140 (or at least move freestanding .rs files to subdirectories and turn them into proper crates; we can add Envoy in subsequent PRs).