
Update dependencies to fix vulnerabilities

Open Nariod opened this issue 3 years ago • 0 comments

Hello,

Running cargo audit against the project raises 3 vulnerabilities from dependencies:

┌──(kali㉿kali)-[~/link]
└─$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 461 security advisories (from /home/kali/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (245 crate dependencies)
Crate:     nix
Version:   0.19.1
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.19.1
└── rustyline 7.1.0
    └── link 0.1.0

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── link 0.1.0

Crate:     tokio
Version:   0.2.25
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.2.25
├── trust-dns-resolver 0.19.7
│   └── actix-connect 2.0.0
│       └── actix-http 2.2.2
│           ├── awc 2.0.3
│           │   └── actix-web 3.3.3
│           │       └── link 0.1.0
│           └── actix-web 3.3.3
├── trust-dns-proto 0.19.7
│   ├── trust-dns-resolver 0.19.7
│   └── actix-connect 2.0.0
├── tokio-util 0.3.1
│   ├── h2 0.2.7
│   │   └── actix-http 2.2.2
│   └── actix-codec 0.3.0
│       ├── awc 2.0.3
│       ├── actix-web 3.3.3
│       ├── actix-utils 2.0.0
│       │   ├── actix-web 3.3.3
│       │   ├── actix-tls 2.0.0
│       │   │   ├── actix-web 3.3.3
│       │   │   └── actix-http 2.2.2
│       │   ├── actix-server 1.0.4
│       │   │   ├── actix-web 3.3.3
│       │   │   └── actix-testing 1.0.1
│       │   │       └── actix-web 3.3.3
│       │   ├── actix-http 2.2.2
│       │   └── actix-connect 2.0.0
│       ├── actix-tls 2.0.0
│       ├── actix-server 1.0.4
│       ├── actix-http 2.2.2
│       └── actix-connect 2.0.0
├── tokio-openssl 0.4.0
│   ├── actix-tls 2.0.0
│   └── actix-connect 2.0.0
├── h2 0.2.7
├── actix-rt 1.1.1
│   ├── awc 2.0.3
│   ├── actix-web 3.3.3
│   ├── actix-utils 2.0.0
│   ├── actix-testing 1.0.1
│   ├── actix-server 1.0.4
│   ├── actix-http 2.2.2
│   └── actix-connect 2.0.0
└── actix-codec 0.3.0

Crate:     net2
Version:   0.2.37
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio 0.2.25
│       │   ├── trust-dns-resolver 0.19.7
│       │   │   └── actix-connect 2.0.0
│       │   │       └── actix-http 2.2.2
│       │   │           ├── awc 2.0.3
│       │   │           │   └── actix-web 3.3.3
│       │   │           │       └── link 0.1.0
│       │   │           └── actix-web 3.3.3
│       │   ├── trust-dns-proto 0.19.7
│       │   │   ├── trust-dns-resolver 0.19.7
│       │   │   └── actix-connect 2.0.0
│       │   ├── tokio-util 0.3.1
│       │   │   ├── h2 0.2.7
│       │   │   │   └── actix-http 2.2.2
│       │   │   └── actix-codec 0.3.0
│       │   │       ├── awc 2.0.3
│       │   │       ├── actix-web 3.3.3
│       │   │       ├── actix-utils 2.0.0
│       │   │       │   ├── actix-web 3.3.3
│       │   │       │   ├── actix-tls 2.0.0
│       │   │       │   │   ├── actix-web 3.3.3
│       │   │       │   │   └── actix-http 2.2.2
│       │   │       │   ├── actix-server 1.0.4
│       │   │       │   │   ├── actix-web 3.3.3
│       │   │       │   │   └── actix-testing 1.0.1
│       │   │       │   │       └── actix-web 3.3.3
│       │   │       │   ├── actix-http 2.2.2
│       │   │       │   └── actix-connect 2.0.0
│       │   │       ├── actix-tls 2.0.0
│       │   │       ├── actix-server 1.0.4
│       │   │       ├── actix-http 2.2.2
│       │   │       └── actix-connect 2.0.0
│       │   ├── tokio-openssl 0.4.0
│       │   │   ├── actix-tls 2.0.0
│       │   │   └── actix-connect 2.0.0
│       │   ├── h2 0.2.7
│       │   ├── actix-rt 1.1.1
│       │   │   ├── awc 2.0.3
│       │   │   ├── actix-web 3.3.3
│       │   │   ├── actix-utils 2.0.0
│       │   │   ├── actix-testing 1.0.1
│       │   │   ├── actix-server 1.0.4
│       │   │   ├── actix-http 2.2.2
│       │   │   └── actix-connect 2.0.0
│       │   └── actix-codec 0.3.0
│       ├── mio-uds 0.6.8
│       │   ├── tokio 0.2.25
│       │   └── actix-server 1.0.4
│       └── actix-server 1.0.4
└── mio 0.6.23

Crate:     stdweb
Version:   0.4.20
Warning:   unmaintained
Title:     stdweb is unmaintained
Date:      2020-05-04
ID:        RUSTSEC-2020-0056
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie 0.14.4
    │   └── actix-http 2.2.2
    │       ├── awc 2.0.3
    │       │   └── actix-web 3.3.3
    │       │       └── link 0.1.0
    │       └── actix-web 3.3.3
    ├── actix-web 3.3.3
    └── actix-http 2.2.2

Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── prettytable-rs 0.8.0
    └── link 0.1.0

Crate:     link
Version:   0.1.0
Warning:   yanked
Dependency tree:
link 0.1.0

error: 3 vulnerabilities found!
warning: 4 allowed warnings found

BR, Nariod

Nariod, Oct 16 '22 19:10
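The report quoted in the issue is the plain-text format cargo audit prints. As an added example that is not part of the issue, of the `link` project or of cargo-audit itself, the Python script below parses that format and reduces each finding to the direct dependency of `link` that has to be bumped to clear it, keeping unmaintained/yanked warnings separate from the blocking vulnerabilities and cross-checking the count against the `error: N vulnerabilities found!` summary line. The embedded sample report is a constructed, trimmed copy of the output above; the field names, the four-column tree indentation and the summary-line wording are assumptions taken from that output, and `Finding`, `parse_report`, `upgrade_plan` and the `root_crate` parameter are this example's own names.

```python
"""Parse the human-readable `cargo audit` report format quoted in the issue and
work out which direct dependencies of the audited crate must be bumped to clear
each vulnerability. Added example; not code from `link` or cargo-audit."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the report in the issue. Assumed format:
# "Key:   value" fields, then a tree indented four columns per level.
SAMPLE_REPORT = """\
Crate:     nix
Version:   0.19.1
ID:        RUSTSEC-2021-0119
Dependency tree:
nix 0.19.1
└── rustyline 7.1.0
    └── link 0.1.0

Crate:     tokio
Version:   0.2.25
ID:        RUSTSEC-2021-0124
Dependency tree:
tokio 0.2.25
├── trust-dns-resolver 0.19.7
│   └── actix-connect 2.0.0
│       └── actix-http 2.2.2
│           ├── awc 2.0.3
│           │   └── actix-web 3.3.3
│           │       └── link 0.1.0
│           └── actix-web 3.3.3
└── actix-codec 0.3.0

Crate:     term
Version:   0.5.2
Warning:   unmaintained
ID:        RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── prettytable-rs 0.8.0
    └── link 0.1.0

error: 2 vulnerabilities found!
warning: 1 allowed warnings found
"""


@dataclass
class Finding:
    crate: str
    version: str = ""
    kind: str = "vulnerability"  # or the Warning: value, e.g. "unmaintained", "yanked"
    advisory_id: Optional[str] = None
    edges: list = field(default_factory=list)  # (node, parent-or-None) pairs of the tree


FIELD_RE = re.compile(r"^([A-Za-z]+):\s+(.*)$")
TREE_RE = re.compile(r"^((?:[│ ] {3})*)([├└]── )?(\S+) (\S+)$")
COUNT_RE = re.compile(r"^error: (\d+) vulnerabilit(?:y|ies) found!$", re.M)
FIELDS = {"Version": "version", "Warning": "kind", "ID": "advisory_id"}


def parse_report(text: str) -> list:
    findings, cur, in_tree, stack = [], None, False, []  # stack: (depth, node)
    for line in text.splitlines():
        if line.startswith("Crate:"):
            cur = Finding(crate=line.split(":", 1)[1].strip())
            findings.append(cur)
            in_tree = False
        elif cur is None or not line.strip():
            in_tree = False  # prompt/banner lines before the first Crate:, or a block end
        elif line == "Dependency tree:":
            in_tree, stack = True, []
        elif in_tree:
            m = TREE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised tree line: {line!r}")
            prefix, connector, name, version = m.groups()
            depth = len(prefix) // 4 + (1 if connector else 0)  # one level per 4 columns
            while stack and stack[-1][0] >= depth:  # climb back up to this node's parent
                stack.pop()
            node = f"{name} {version}"
            cur.edges.append((node, stack[-1][1] if stack else None))
            stack.append((depth, node))
        elif (m := FIELD_RE.match(line)) and m.group(1) in FIELDS:
            setattr(cur, FIELDS[m.group(1)], m.group(2))
    return findings


def direct_dependencies(f: Finding, root_crate: str) -> list:
    # Parents of every `root_crate` leaf: the crates declared in its own Cargo.toml.
    return sorted({p for n, p in f.edges if n.split(" ")[0] == root_crate and p})


def upgrade_plan(text: str, root_crate: str) -> dict:
    # direct dependency to bump -> advisory IDs it clears; warnings are tracked, not blocking
    plan = {}
    for f in parse_report(text):
        if f.kind == "vulnerability":
            for dep in direct_dependencies(f, root_crate):
                plan.setdefault(dep, []).append(f.advisory_id or "?")
    return plan


def declared_vulnerability_count(text: str) -> int:
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else 0


if __name__ == "__main__":
    print(upgrade_plan(SAMPLE_REPORT, "link"))
```

Fed the full report from the issue (the prompt and "Fetching"/"Scanning" lines are skipped because they precede the first `Crate:` block), the plan resolves the three vulnerabilities to rustyline, chrono and actix-web, which is the set of `Cargo.toml` entries a maintainer has to bump; comparing the number of vulnerability findings with `declared_vulnerability_count` flags a truncated or mis-parsed report before it is used to gate a build.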