
Fix potentially vulnerable dependencies #60

Open

JulianDroste opened this issue Apr 15, 2023 · 2 comments

Comments

@JulianDroste
Collaborator

I just ran cargo audit on the Cargo.toml with the following output:

Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── hyper-native-tls 0.3.0
│   └── discord 0.9.0
└── discord 0.9.0

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.12.36
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.12.36
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper-tls 0.3.2
    └── reqwest 0.9.24

Crate:     hyper
Version:   0.12.36
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     rustc-serialize
Version:   0.3.24
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.24
└── websocket 0.18.0
    └── discord 0.9.0
        └── discord_movie_night 0.1.0

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
├── hyper 0.12.36
│   ├── reqwest 0.9.24
│   └── hyper-tls 0.3.2
│       └── reqwest 0.9.24
├── hyper 0.10.16
│   ├── websocket 0.18.0
│   │   └── discord 0.9.0
│   │       └── discord_movie_night 0.1.0
│   ├── hyper-native-tls 0.3.0
│   │   └── discord 0.9.0
│   └── discord 0.9.0
├── cookie_store 0.7.0
│   └── reqwest 0.9.24
├── cookie 0.12.0
│   ├── reqwest 0.9.24
│   └── cookie_store 0.7.0
└── chrono 0.4.24
    ├── discord_movie_night 0.1.0
    └── discord 0.9.0

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper 0.12.36
    ├── reqwest 0.9.24
    └── hyper-tls 0.3.2
        └── reqwest 0.9.24

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Severity:  9.8 (critical)
Dependency tree:
failure 0.1.8
└── cookie_store 0.7.0
    └── reqwest 0.9.24
        └── tmdb 3.0.0
            └── discord_movie_night 0.1.0

Crate:     net2
Version:   0.2.38
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.38
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   │   ├── reqwest 0.9.24
│       │   │   │   └── tmdb 3.0.0
│       │   │   │       └── discord_movie_night 0.1.0
│       │   │   └── hyper 0.12.36
│       │   │       ├── reqwest 0.9.24
│       │   │       └── hyper-tls 0.3.2
│       │   │           └── reqwest 0.9.24
│       │   └── hyper 0.12.36
│       ├── tokio-reactor 0.1.12
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   └── hyper 0.12.36
│       └── tokio 0.1.22
├── mio 0.6.23
└── hyper 0.12.36

Crate:     sodiumoxide
Version:   0.2.7
Warning:   unmaintained
Title:     sodiumoxide is deprecated
Date:      2021-10-22
ID:        RUSTSEC-2021-0137
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0137
Dependency tree:
sodiumoxide 0.2.7
└── discord 0.9.0
    └── discord_movie_night 0.1.0

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    ├── websocket 0.18.0
    │   └── discord 0.9.0
    │       └── discord_movie_night 0.1.0
    ├── hyper-native-tls 0.3.0
    │   └── discord 0.9.0
    └── discord 0.9.0

Crate:     crossbeam-utils
Version:   0.7.2
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.7.2
├── tokio-timer 0.2.13
│   ├── tokio 0.1.22
│   │   ├── reqwest 0.9.24
│   │   │   └── tmdb 3.0.0
│   │   │       └── discord_movie_night 0.1.0
│   │   └── hyper 0.12.36
│   │       ├── reqwest 0.9.24
│   │       └── hyper-tls 0.3.2
│   │           └── reqwest 0.9.24
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-threadpool 0.1.18
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-reactor 0.1.12
│   ├── tokio-tcp 0.1.4
│   │   ├── tokio 0.1.22
│   │   └── hyper 0.12.36
│   ├── tokio 0.1.22
│   └── hyper 0.12.36
├── tokio-executor 0.1.10
│   ├── tokio-timer 0.2.13
│   ├── tokio-threadpool 0.1.18
│   ├── tokio-reactor 0.1.12
│   ├── tokio-current-thread 0.1.7
│   │   └── tokio 0.1.22
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── crossbeam-queue 0.2.3
│   └── tokio-threadpool 0.1.18
├── crossbeam-epoch 0.8.2
│   └── crossbeam-deque 0.7.4
│       └── tokio-threadpool 0.1.18
└── crossbeam-deque 0.7.4

Crate:     failure
Version:   0.1.8
Warning:   unsound
Title:     Type confusion if __private_get_type_id__ is overridden
Date:      2019-11-13
ID:        RUSTSEC-2019-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0036
Severity:  9.8 (critical)

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     hyper
Version:   0.12.36
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     lock_api
Version:   0.3.4
Warning:   unsound
Title:     Some lock_api lock guard objects can cause data races
Date:      2020-11-08
ID:        RUSTSEC-2020-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0070
Dependency tree:
lock_api 0.3.4
└── parking_lot 0.9.0
    └── tokio-reactor 0.1.12
        ├── tokio-tcp 0.1.4
        │   ├── tokio 0.1.22
        │   │   ├── reqwest 0.9.24
        │   │   │   └── tmdb 3.0.0
        │   │   │       └── discord_movie_night 0.1.0
        │   │   └── hyper 0.12.36
        │   │       ├── reqwest 0.9.24
        │   │       └── hyper-tls 0.3.2
        │   │           └── reqwest 0.9.24
        │   └── hyper 0.12.36
        ├── tokio 0.1.22
        └── hyper 0.12.36

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 7 vulnerabilities found!
warning: 10 allowed warnings found

This mainly affects the crates tmdb and discord.
I'll raise issues with those teams as well, but I just wanted to let you know.
I can only recommend regularly checking your dependencies via e.g. GH Actions.
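To see which of the project's direct dependencies each advisory enters through (the analysis behind "this mainly affects tmdb and discord"), here is an added Python example, not code from the issue or the project, that parses a `cargo audit` text report in the format shown above. The embedded report is a constructed excerpt of that output, and the root crate name `discord_movie_night` is taken from the trees above.

```python
# Constructed excerpt of a `cargo audit` text report (two advisories from above, not the full output).
SAMPLE_REPORT = """\
Crate:     rustc-serialize
ID:        RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.24
└── websocket 0.18.0
    └── discord 0.9.0
        └── discord_movie_night 0.1.0

Crate:     time
ID:        RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
├── hyper 0.10.16
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
└── chrono 0.4.24
    ├── discord_movie_night 0.1.0
    └── discord 0.9.0
"""

TREE_CHARS = "│├└─ "  # box-drawing prefix; each tree level is exactly 4 characters wide


def triage(report, root="discord_movie_night"):
    """Map each advisory to its fix status and to the root's direct dependencies pulling in the affected crate."""
    result = {}
    advisory, in_tree, stack = None, False, []
    for line in report.splitlines():
        if line.startswith("Crate:"):
            in_tree = False  # a new advisory block starts; any previous tree is over
        elif line.startswith("ID:"):
            advisory = line.split(":", 1)[1].strip()
            result[advisory] = {"solution": None, "via": set()}
        elif line.startswith("Solution:") and advisory:
            result[advisory]["solution"] = line.split(":", 1)[1].strip()
        elif line.startswith("Dependency tree:"):
            in_tree, stack = True, []
        elif in_tree and line.strip():
            node = line.lstrip(TREE_CHARS)
            depth = (len(line) - len(node)) // 4
            stack[depth:] = [node.split()[0]]  # this node replaces whatever sat at this depth
            if depth > 0 and stack[depth] == root:
                result[advisory]["via"].add(stack[depth - 1])  # parent of the root is a direct dependency
    return {k: {"solution": v["solution"], "via": sorted(v["via"])} for k, v in result.items()}
```

Note that `cargo audit` prints a crate's dependency tree only for its first advisory (the second hyper entries above have none), so those later advisories come out with an empty `via` list.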

@JulianDroste
Collaborator Author

Additionally, consider running cargo clippy to further improve the code.
