Update dependencies (and address vulnerabilities in them) #361

Open
DragonDev1906 opened this issue Jun 20, 2024 · 0 comments
Currently mbedtls has a bunch of outdated dependencies, some of which contain vulnerabilities:

cargo outdated|grep -v Removed

mbedtls
================
Name                          Project                        Compat  Latest   Kind         Platform
----                          -------                        ------  ------   ----         --------
bit-vec                       0.5.1                          ---     0.6.3    Normal       ---
bitflags                      1.3.2                          ---     2.5.0    Normal       ---
hex                           0.3.2                          ---     0.4.3    Development  ---
hyper                         0.10.16                        ---     1.3.1    Development  ---
num-bigint                    0.2.6                          ---     0.4.5    Normal       ---
rand                          0.4.6                          ---     0.8.5    Development  ---
rand_core                     0.3.1                          ---     0.6.4    Normal       cfg(target_env = "sgx")
serde_cbor                    0.6.1                          ---     0.11.2   Development  ---
yasna                         0.2.2                          ---     0.5.2    Normal       ---

mbedtls-platform-support
================
Name  Project  Compat  Latest  Kind    Platform
----  -------  ------  ------  ----    --------
spin  0.5.2    ---     0.9.8   Normal  ---

mbedtls-sys-auto
================
Name                Project  Compat  Latest   Kind    Platform
----                -------  ------  ------   ----    --------
bindgen             0.65.1   ---     0.69.4   Build   ---
bitflags            1.3.2    ---     2.5.0    Normal  ---
syn                 1.0.109  ---     2.0.66   Build   ---

cargo audit

Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
└── mbedtls 0.12.3

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     serde_cbor
Version:   0.6.1
Title:     Flaw in CBOR deserializer allows stack overflow
Date:      2019-10-03
ID:        RUSTSEC-2019-0025
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0025
Severity:  7.5 (high)
Solution:  Upgrade to >=0.10.2
Dependency tree:
serde_cbor 0.6.1
└── mbedtls 0.12.3

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── hyper 0.10.16
    └── mbedtls 0.12.3

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
Title:     safemem is unmaintained
Date:      2023-02-14
ID:        RUSTSEC-2023-0081
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
└── base64 0.9.3
    └── hyper 0.10.16
        └── mbedtls 0.12.3

Crate:     serde_cbor
Version:   0.6.1
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    └── mbedtls 0.12.3

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 4 vulnerabilities found!
warning: 5 allowed warnings found