Multiple dependencies with known security vulnerabilities
Running cargo audit on the repository reports 4 known vulnerabilities in the dependency tree:
```
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No safe upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── https 1.12.2

Crate: hyper
Version: 0.10.16
Title: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── rfsapi 0.1.0
│   └── https 1.12.2
├── iron 0.6.1
│   └── https 1.12.2
└── hyper-native-tls 0.3.0
    ├── iron 0.6.1
    └── https 1.12.2

Crate: hyper
Version: 0.10.16
Title: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
├── rfsapi 0.1.0
│   └── https 1.12.2
├── hyper 0.10.16
│   ├── rfsapi 0.1.0
│   ├── iron 0.6.1
│   │   └── https 1.12.2
│   └── hyper-native-tls 0.3.0
│       ├── iron 0.6.1
│       └── https 1.12.2
└── https 1.12.2

error: 4 vulnerabilities found!
```
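Added example, not from the issue or the https project: a Python triage pass over the text report format quoted above, collapsing the entries that cargo audit repeats once per dependency path and separating advisories that offer an upgrade from those marked "No safe upgrade is available!" and from unmaintained/unsound warnings. The field regex and the sample report are constructed for this example.

```python
import re
# Constructed sample in the record format cargo audit prints (not a real run of the project).
SAMPLE_REPORT = """\
Crate: brotli-sys
Version: 0.3.2
ID: RUSTSEC-2021-0131
Solution: No safe upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
Crate: hyper
Version: 0.10.16
ID: RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Crate: hyper
Version: 0.10.16
ID: RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
ID: RUSTSEC-2021-0139
"""
FIELD = re.compile(r"^(Crate|Version|Title|ID|Severity|Solution|Warning):\s*(.*)$")

def parse_report(text):
    """One dict per 'Crate:' record; Date/URL and dependency-tree lines are skipped."""
    records = []
    for m in filter(None, map(FIELD.match, map(str.strip, text.splitlines()))):
        if m.group(1) == "Crate":
            records.append({})
        if records:
            records[-1][m.group(1)] = m.group(2).strip()
    return records

def triage(text):
    """Deduplicate (crate, version, advisory) and bucket: no safe upgrade, upgradable, warning."""
    unique = {}
    for r in parse_report(text):  # the same advisory is printed once per dependency path
        unique.setdefault((r["Crate"], r.get("Version"), r.get("ID")), r)
    buckets = {"unfixable": [], "upgrade": [], "warning": []}
    for r in unique.values():
        if "Warning" in r:  # unmaintained/unsound entries are warnings, not vulnerabilities
            kind = "warning"
        elif r.get("Solution", "").startswith("Upgrade to"):
            kind = "upgrade"
        else:  # "No safe upgrade is available!" (or no Solution line at all)
            kind = "unfixable"
        buckets[kind].append(r["ID"])
    return buckets
```

Feeding the real report into `triage` gives a CI gate the list of advisories that only a dependency rewrite can clear, separately from the ones a version bump resolves.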
Hm. The hyper and iron bits are unfixable, I think, without re-writing this in its entirety (iron is dead (the last commit is me updating to hyper-native-tls 0.3), hyper is infinitely different). Pushed the blake thing though, despite it not being triggerable here (we don't encode files bigger than 100MB).
brotli2 replaced with brotli in v1.12.3.
0f7301e99a1520693924b8c0bc02e918d9cace31:
```
warning: `D:\Users\nabijaczleweli\.cargo\config` is deprecated in favor of `config.toml`
note: if you need to support cargo 1.38 or earlier, you can symlink `config` to `config.toml`
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 627 security advisories (from D:\Users\nabijaczleweli\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (152 crate dependencies)
Crate: hyper
Version: 0.10.16
Title: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity: 5.3 (medium)
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
|-- rfsapi 0.2.0
\-- https 1.13.2

Crate: hyper
Version: 0.10.16
Title: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity: 9.1 (critical)
Solution: Upgrade to >=0.14.10

Crate: hyper
Version: 0.10.16
Title: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity: 5.3 (medium)
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
|-- iron 0.6.1
|   \-- https 1.13.2
|-- hyper-native-tls 0.3.0
\-- iron 0.6.1
\-- https 1.13.2

Crate: hyper
Version: 0.10.16
Title: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity: 9.1 (critical)
Solution: Upgrade to >=0.14.10

Crate: time
Version: 0.1.45
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity: 6.2 (medium)
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
|-- rfsapi 0.2.0
|   \-- https 1.13.2
|-- hyper 0.10.16
|   \-- rfsapi 0.2.0
|-- https 1.13.2

Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
|-- clap 2.34.0
\-- https 1.13.2

Crate: safemem
Version: 0.3.3
Warning: unmaintained
Title: safemem is unmaintained
Date: 2023-02-14
ID: RUSTSEC-2023-0081
URL: https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
|-- base64 0.9.3
\-- hyper 0.10.16
\-- rfsapi 0.2.0
\-- https 1.13.2

Crate: traitobject
Version: 0.1.0
Warning: unmaintained
Title: traitobject is Unmaintained
Date: 2021-10-04
ID: RUSTSEC-2021-0144
URL: https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
|-- hyper 0.10.16
\-- rfsapi 0.2.0
\-- https 1.13.2

Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
|-- clap 2.34.0
\-- https 1.13.2

Crate: hyper
Version: 0.10.16
Warning: unsound
Title: Parser creates invalid uninitialized value
Date: 2022-05-10
ID: RUSTSEC-2022-0022
URL: https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate: hyper
Version: 0.10.16
Warning: unsound
Title: Parser creates invalid uninitialized value
Date: 2022-05-10
ID: RUSTSEC-2022-0022
URL: https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate: traitobject
Version: 0.1.0
Warning: unsound
Title: traitobject assumes the layout of fat pointers
Date: 2020-06-01
ID: RUSTSEC-2020-0027
URL: https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity: 9.8 (critical)

error: 5 vulnerabilities found!
warning: 7 allowed warnings found
```
💀
All fixed by in v2.0.0.