Skip to content

Update dependencies to get rid of RUSTSEC-2023-0052#8

Open
mksh wants to merge 1 commit intomechiru:masterfrom
ChorusOne:fix-RUSTSEC-2023-0052
Open

Update dependencies to get rid of RUSTSEC-2023-0052#8
mksh wants to merge 1 commit intomechiru:masterfrom
ChorusOne:fix-RUSTSEC-2023-0052

Conversation

@mksh
Copy link

@mksh mksh commented Aug 22, 2023
edited
Loading

webpki package was revealed to contain CPU denial-of-service vulnerability via https://rustsec.org/advisories/RUSTSEC-2023-0052.html

google-authz contains webpki as transitive dependency, cargo audit output:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 561 security advisories (from /home/mksh/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (176 crate dependencies)
Crate:     webpki
Version:   0.22.0
Title:     webpki: CPU denial of service in certificate path building
Date:      2023-08-22
ID:        RUSTSEC-2023-0052
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0052
Severity:  7.5 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
webpki 0.22.0
├── webpki-roots 0.22.6
│   ├── tonic 0.7.2
│   │   └── examples 0.1.0
│   └── hyper-rustls 0.23.2
│       └── google-authz 1.0.0-alpha.5
│           └── examples 0.1.0
├── tokio-rustls 0.23.4
│   ├── tonic 0.7.2
│   └── hyper-rustls 0.23.2
└── rustls 0.20.8
    ├── tokio-rustls 0.23.4
    └── hyper-rustls 0.23.2

This updates hyper-rustls dependency of library, and tonic dependency of examples to contain not vulnerable versions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mksh