Fixed everything except unmaintained xml-rs and ansi_term. ansi_term is a really small library, so moving away from it has low priority. xml-rs is a bit bigger, but it's also a bit more work to migrate to something else. Perhaps we should find a better way to get the package attributes instead, since using nix-env is not optimal anyway (no support for flakes).
cargo audit for v0.1.2
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (141 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
└── nix-index 0.1.2
Crate: crossbeam-deque
Version: 0.6.1
Title: Data race in crossbeam-deque
Date: 2021-07-30
ID: RUSTSEC-2021-0093
URL: https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.6.1
└── tokio-threadpool 0.1.6
├── tokio-fs 0.1.3
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
└── tokio 0.1.8
Crate: hyper
Version: 0.11.27
Title: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.11.27
└── nix-index 0.1.2
Crate: hyper
Version: 0.11.27
Title: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution: Upgrade to >=0.14.10
Crate: hyper
Version: 0.11.27
Title: Flaw in hyper allows request smuggling by sending a body in GET requests
Date: 2020-03-19
ID: RUSTSEC-2020-0008
URL: https://rustsec.org/advisories/RUSTSEC-2020-0008
Solution: Upgrade to >=0.12.34
Crate: owning_ref
Version: 0.3.3
Title: Multiple soundness issues in `owning_ref`
Date: 2022-01-26
ID: RUSTSEC-2022-0040
URL: https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution: No fixed upgrade is available!
Dependency tree:
owning_ref 0.3.3
└── lock_api 0.1.3
└── parking_lot 0.6.4
└── tokio-reactor 0.1.5
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-core 0.1.17
└── tokio 0.1.8
Crate: regex
Version: 1.0.5
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
└── nix-index 0.1.2
Crate: smallvec
Version: 0.6.5
Title: Double-free and use-after-free in SmallVec::grow()
Date: 2019-06-06
ID: RUSTSEC-2019-0009
URL: https://rustsec.org/advisories/RUSTSEC-2019-0009
Solution: Upgrade to >=0.6.10
Dependency tree:
smallvec 0.6.5
└── parking_lot_core 0.3.1
└── parking_lot 0.6.4
└── tokio-reactor 0.1.5
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-core 0.1.17
└── tokio 0.1.8
Crate: smallvec
Version: 0.6.5
Title: Buffer overflow in SmallVec::insert_many
Date: 2021-01-08
ID: RUSTSEC-2021-0003
URL: https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Crate: smallvec
Version: 0.6.5
Title: Memory corruption in SmallVec::grow()
Date: 2019-07-19
ID: RUSTSEC-2019-0012
URL: https://rustsec.org/advisories/RUSTSEC-2019-0012
Solution: Upgrade to >=0.6.10
Crate: thread_local
Version: 0.3.6
Title: Data race in `Iter` and `IterMut`
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 0.3.6
└── regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
└── nix-index 0.1.2
Crate: time
Version: 0.1.40
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.40
├── stderr 0.8.0
│ └── nix-index 0.1.2
└── hyper 0.11.27
└── nix-index 0.1.2
Crate: ansi_term
Version: 0.10.2
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.10.2
└── nix-index 0.1.2
Crate: ansi_term
Version: 0.11.0
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.11.0
└── clap 2.32.0
└── nix-index 0.1.2
Crate: net2
Version: 0.2.33
Warning: unmaintained
Title: `net2` crate has been deprecated; use `socket2` instead
Date: 2020-05-01
ID: RUSTSEC-2020-0016
URL: https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.33
├── tokio-proto 0.1.1
│ └── hyper 0.11.27
│ └── nix-index 0.1.2
├── miow 0.2.1
│ └── mio 0.6.16
│ ├── tokio-uds 0.2.1
│ │ └── tokio 0.1.8
│ │ └── tokio-core 0.1.17
│ │ ├── tokio-retry 0.1.1
│ │ │ └── nix-index 0.1.2
│ │ ├── tokio-proto 0.1.1
│ │ ├── nix-index 0.1.2
│ │ └── hyper 0.11.27
│ ├── tokio-udp 0.1.2
│ │ └── tokio 0.1.8
│ ├── tokio-tcp 0.1.1
│ │ └── tokio 0.1.8
│ ├── tokio-reactor 0.1.5
│ │ ├── tokio-uds 0.2.1
│ │ ├── tokio-udp 0.1.2
│ │ ├── tokio-tcp 0.1.1
│ │ ├── tokio-core 0.1.17
│ │ └── tokio 0.1.8
│ ├── tokio-core 0.1.17
│ ├── tokio 0.1.8
│ └── mio-uds 0.6.7
│ └── tokio-uds 0.2.1
├── mio 0.6.16
└── hyper 0.11.27
Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.2
Crate: tokio-proto
Version: 0.1.1
Warning: unmaintained
Title: `tokio-proto` is deprecated/unmaintained
Date: 2020-02-06
ID: RUSTSEC-2020-0162
URL: https://rustsec.org/advisories/RUSTSEC-2020-0162
Dependency tree:
tokio-proto 0.1.1
└── hyper 0.11.27
└── nix-index 0.1.2
Crate: xml-rs
Version: 0.8.0
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.0
└── nix-index 0.1.2
Crate: miow
Version: 0.2.1
Warning: yanked
Dependency tree:
miow 0.2.1
└── mio 0.6.16
├── tokio-uds 0.2.1
│ └── tokio 0.1.8
│ └── tokio-core 0.1.17
│ ├── tokio-retry 0.1.1
│ │ └── nix-index 0.1.2
│ ├── tokio-proto 0.1.1
│ │ └── hyper 0.11.27
│ │ └── nix-index 0.1.2
│ ├── nix-index 0.1.2
│ └── hyper 0.11.27
├── tokio-udp 0.1.2
│ └── tokio 0.1.8
├── tokio-tcp 0.1.1
│ └── tokio 0.1.8
├── tokio-reactor 0.1.5
│ ├── tokio-uds 0.2.1
│ ├── tokio-udp 0.1.2
│ ├── tokio-tcp 0.1.1
│ ├── tokio-core 0.1.17
│ └── tokio 0.1.8
├── tokio-core 0.1.17
├── tokio 0.1.8
└── mio-uds 0.6.7
└── tokio-uds 0.2.1
Crate: net2
Version: 0.2.33
Warning: yanked
Crate: smallvec
Version: 0.6.5
Warning: yanked
error: 12 vulnerabilities found!
warning: 9 allowed warnings found
The current master would bring this down to 4 security vulnerabilities.
cargo audit for master
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (178 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
└── nix-index 0.1.3
Crate: regex
Version: 1.5.4
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4
├── nix-index 0.1.3
├── grep-regex 0.1.9
│ └── grep 0.2.8
│ └── nix-index 0.1.3
├── grep-cli 0.1.6
│ └── grep 0.2.8
└── globset 0.4.8
└── grep-cli 0.1.6
Crate: thread_local
Version: 1.1.3
Title: Data race in `Iter` and `IterMut`
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3
└── grep-regex 0.1.9
└── grep 0.2.8
└── nix-index 0.1.3
Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── stderr 0.8.0
└── nix-index 0.1.3
Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── nix-index 0.1.3
Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.3
Crate: xml-rs
Version: 0.8.4
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── nix-index 0.1.3
Crate: cpufeatures
Version: 0.2.1
Warning: yanked
Dependency tree:
cpufeatures 0.2.1
└── sha-1 0.9.8
└── headers 0.3.5
├── nix-index 0.1.3
└── hyper-proxy 0.9.1
└── nix-index 0.1.3
error: 4 vulnerabilities found!
warning: 4 allowed warnings found