
Merge pull request #53 from dsietz/development #12

GitHub Actions / Security audit failed Sep 17, 2023 in 1s

Security advisories found

2 advisory(ies), 3 unmaintained, 2 other

Details

Vulnerabilities

RUSTSEC-2023-0034

Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)

Details
Package h2
Version 0.2.7
URL hyperium/hyper#2877
Date 2023-04-14
Patched versions >=0.3.17

If an attacker is able to flood the network with pairs of HEADERS/RST_STREAM frames, such that the h2 application is not able to accept them faster than the bytes are received, the pending accept queue can grow in memory usage. Being able to do this consistently can result in excessive memory use, and eventually trigger Out Of Memory.

This flaw is corrected in hyperium/h2#668, which restricts remote reset stream count by default.
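To make the mitigation concrete, here is an added example (not code from h2 or hyper) that models the advisory's worst case: a peer streams HEADERS/RST_STREAM pairs while the application never accepts, and a connection-level guard bounds how many peer-reset streams may sit in the pending-accept queue before the connection is cut off. The frame layout follows RFC 9113 section 4.1; the guard, the `replay` helper, the cap of 10 and the flood bytes are all constructed for this illustration and are not h2's API.

```rust
use std::collections::VecDeque;

// Added example, not h2's own implementation. Frame header layout is from
// RFC 9113 section 4.1; the guard logic and the cap of 10 are assumptions.
const FRAME_HEADER_LEN: usize = 9;
const TYPE_HEADERS: u8 = 0x1;
const TYPE_RST_STREAM: u8 = 0x3;
const ERR_CANCEL: u32 = 0x8;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct FrameHeader {
    pub length: usize,
    pub frame_type: u8,
    pub flags: u8,
    pub stream_id: u32,
}

/// Parse one 9-octet frame header: 24-bit length, type, flags, R bit + 31-bit stream id.
pub fn parse_frame_header(buf: &[u8]) -> Option<FrameHeader> {
    if buf.len() < FRAME_HEADER_LEN {
        return None;
    }
    let length = ((buf[0] as usize) << 16) | ((buf[1] as usize) << 8) | (buf[2] as usize);
    let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7FFF_FFFF;
    Some(FrameHeader { length, frame_type: buf[3], flags: buf[4], stream_id })
}

/// Serialize header + payload so the demo can build a constructed flood.
pub fn encode_frame(frame_type: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let len = payload.len();
    let mut out = Vec::with_capacity(FRAME_HEADER_LEN + len);
    out.extend_from_slice(&[(len >> 16) as u8, (len >> 8) as u8, len as u8, frame_type, flags]);
    out.extend_from_slice(&(stream_id & 0x7FFF_FFFF).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    /// Too many reset streams are waiting to be accepted: send GOAWAY and drop
    /// the connection instead of buffering more of them.
    GoAway { pending_resets: usize },
}

/// Streams the application has not yet accepted, and how many of those the
/// peer has already reset (the memory the advisory says grows without bound).
pub struct PendingAcceptGuard {
    max_pending_resets: usize,
    queue: VecDeque<(u32, bool)>, // (stream id, reset by peer?)
    pending_resets: usize,
}

impl PendingAcceptGuard {
    pub fn new(max_pending_resets: usize) -> Self {
        Self { max_pending_resets, queue: VecDeque::new(), pending_resets: 0 }
    }

    pub fn queue_len(&self) -> usize {
        self.queue.len()
    }

    /// Feed one frame header; the payload is irrelevant to the decision.
    pub fn on_frame(&mut self, h: &FrameHeader) -> Verdict {
        match h.frame_type {
            TYPE_HEADERS if h.stream_id != 0 => {
                self.queue.push_back((h.stream_id, false));
                Verdict::Accept
            }
            TYPE_RST_STREAM => {
                if let Some(entry) = self.queue.iter_mut().find(|e| e.0 == h.stream_id && !e.1) {
                    entry.1 = true;
                    self.pending_resets += 1;
                }
                if self.pending_resets > self.max_pending_resets {
                    Verdict::GoAway { pending_resets: self.pending_resets }
                } else {
                    Verdict::Accept
                }
            }
            _ => Verdict::Accept,
        }
    }

    /// The application accepts the oldest stream; a reset one is discarded,
    /// which returns its slot to the reset budget.
    pub fn accept(&mut self) -> Option<u32> {
        let (id, reset) = self.queue.pop_front()?;
        if reset {
            self.pending_resets -= 1;
        }
        Some(id)
    }
}

/// Constructed flood: `pairs` HEADERS/RST_STREAM(CANCEL) pairs on odd client stream ids.
pub fn build_flood(pairs: u32) -> Vec<u8> {
    let mut bytes = Vec::new();
    for i in 0..pairs {
        let sid = 2 * i + 1;
        bytes.extend(encode_frame(TYPE_HEADERS, 0x4 | 0x1, sid, &[]));
        bytes.extend(encode_frame(TYPE_RST_STREAM, 0, sid, &ERR_CANCEL.to_be_bytes()));
    }
    bytes
}

/// Walk the byte stream frame by frame (skipping payloads by length) while the
/// application never calls accept, i.e. the advisory's worst case.
pub fn replay(bytes: &[u8], max_pending_resets: usize) -> (Verdict, usize) {
    let mut guard = PendingAcceptGuard::new(max_pending_resets);
    let mut pos = 0;
    while let Some(h) = bytes.get(pos..).and_then(|b| parse_frame_header(b)) {
        if pos + FRAME_HEADER_LEN + h.length > bytes.len() {
            break; // truncated frame; stop rather than over-read
        }
        let verdict = guard.on_frame(&h);
        if let Verdict::GoAway { .. } = verdict {
            return (verdict, guard.queue_len());
        }
        pos += FRAME_HEADER_LEN + h.length;
    }
    (Verdict::Accept, guard.queue_len())
}

fn main() {
    let (v, queued) = replay(&build_flood(1000), 10);
    println!("verdict after flood: {:?}, streams still queued: {}", v, queued);
}
```

Without the cap, the 1000-pair flood leaves 1000 entries queued (and an unbounded flood grows the queue forever); with the cap, the connection is cut after the 11th reset while only 11 entries are buffered. Note that resetting a stream without a cap does not free anything, because the entry stays in the queue until the application accepts it.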

RUSTSEC-2021-0124

Data race when sending and receiving after closing a oneshot channel

Details
Package tokio
Version 0.2.25
URL tokio-rs/tokio#4225
Date 2021-11-16
Patched versions >=1.8.4, <1.9.0 and >=1.13.1
Unaffected versions <0.1.14

If a tokio::sync::oneshot channel is closed (via the
oneshot::Receiver::close method), a data race may occur if the
oneshot::Sender::send method is called while the corresponding
oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves
of the channel can concurrently access a shared memory location, resulting in a
data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used
after the Receiver half has called close. Code where close is not used, or where the
Receiver is not awaited and try_recv is not called after calling close,
is not affected.

See tokio#4225 for more details.

Warnings

RUSTSEC-2022-0081

json is unmaintained

Details
Status unmaintained
Package json
Version 0.12.4
URL maciejhirsz/json-rust#205
Date 2022-02-01

Last release was almost 3 years ago.

The maintainer is unresponsive with outstanding issues.

One of the outstanding issues includes a possible soundness issue.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

RUSTSEC-2020-0016

net2 crate has been deprecated; use socket2 instead

Details
Status unmaintained
Package net2
Version 0.2.39
URL deprecrated/net2-rs@3350e38
Date 2020-05-01

The net2 crate has been deprecated
and users are encouraged to consider socket2 instead.

RUSTSEC-2020-0056

stdweb is unmaintained

Details
Status unmaintained
Package stdweb
Version 0.4.20
URL koute/stdweb#403
Date 2020-05-04

The author of the stdweb crate is unresponsive.

Maintained alternatives: