0.8.1 specifies deps with known vulnerabilities
0.8.1 is used by the Suricata 5.0.x stable branch. It was reported to us that there are CVEs assigned to rand_core versions used by this version of tls-parser.
Advisory: https://github.com/rust-random/rand/security/advisories/GHSA-mmc9-pwm7-qj5w
More details: https://redmine.openinfosecfoundation.org/issues/4716
tls-parser 0.9.4 is used by Suricata 6. It uses rand_core 0.5.1. I don't know if this is also vulnerable.
@jasonish thinks the used versions may in fact be fine, see the suricata ticket for more details. Would love to hear if you agree.
Hi @victorjulien,
I believe the impact is limited: rand and rand_core are not really used by tls-parser, they are only used to generate a static hashmap of known ciphers during build (and are not used at runtime).
Nevertheless, I will look into an update.
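The triage question in this thread is "which resolved version of rand_core does the lockfile actually pull in, and through which chain?". The following is an added example (not code from this thread or from tls-parser) that answers both from a Cargo.lock without needing cargo installed. The lockfile embedded below is constructed for illustration; the package names, versions and the dependency chain in it are not taken from the real tls-parser lockfile.

```python
import re
from typing import Dict, List, Tuple

Pkg = Tuple[str, str]  # (name, version)

# Constructed sample Cargo.lock (illustrative only, not the real tls-parser lockfile).
SAMPLE_LOCK = """\
[[package]]
name = "nom"
version = "5.1.2"

[[package]]
name = "phf_codegen"
version = "0.8.0"
dependencies = [
 "rand",
]

[[package]]
name = "rand"
version = "0.7.3"
dependencies = [
 "rand_core",
]

[[package]]
name = "rand_core"
version = "0.5.1"

[[package]]
name = "tls-parser"
version = "0.9.4"
dependencies = [
 "nom",
 "phf_codegen",
]
"""


def parse_lock(text: str) -> Dict[Pkg, List[str]]:
    """Return {(name, version): [dependency specs]} for every [[package]] entry.

    A dependency spec is either "name" or "name version" (Cargo writes the
    version only when several versions of that crate are in the lockfile).
    """
    packages: Dict[Pkg, List[str]] = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps: List[str] = []
        m = re.search(r'^dependencies = \[(.*?)^\]', block, re.M | re.S)
        if m:
            deps = [d.strip().strip('",') for d in m.group(1).splitlines() if d.strip()]
        packages[(name, version)] = deps
    return packages


def resolve(packages: Dict[Pkg, List[str]], spec: str) -> Pkg:
    """Map a dependency spec to the unique (name, version) it refers to."""
    parts = spec.split()
    if len(parts) > 1:
        return (parts[0], parts[1])
    matches = [k for k in packages if k[0] == parts[0]]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or missing package for spec {spec!r}: {matches}")
    return matches[0]


def resolved_versions(packages: Dict[Pkg, List[str]], crate: str) -> List[str]:
    """Every version of `crate` present in the lockfile (the versions an advisory must be checked against)."""
    return sorted(v for (n, v) in packages if n == crate)


def paths_to(packages: Dict[Pkg, List[str]], root: str, target: str) -> List[List[str]]:
    """All dependency chains from `root` to any version of `target`, as 'name version' steps."""
    found: List[List[str]] = []

    def walk(node: Pkg, chain: List[str]) -> None:
        chain = chain + [f"{node[0]} {node[1]}"]
        if node[0] == target:
            found.append(chain)
            return
        for spec in packages[node]:
            child = resolve(packages, spec)
            if f"{child[0]} {child[1]}" not in chain:  # guard against cycles
                walk(child, chain)

    walk(resolve(packages, root), [])
    return found


if __name__ == "__main__":
    lock = parse_lock(SAMPLE_LOCK)
    print("rand_core versions:", resolved_versions(lock, "rand_core"))
    for chain in paths_to(lock, "tls-parser", "rand_core"):
        print(" -> ".join(chain))
```

Two caveats a reviewer would add: Cargo.lock does not record whether an edge is a normal, build or dev dependency, so the "only used at build time" claim above has to be confirmed from Cargo.toml or with `cargo tree --edges normal` (which omits build dependencies); and the script only reports resolved versions, so whether a version falls inside the advisory's affected range is read off the advisory (or checked with `cargo audit`), not computed here.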
@chifflier I think this issue could be closed.
Indeed, this issue could have been closed for some time now.