CVE-2023-5363 in Version 0.9.x of openssl-sys

[guenhter]

Hi,

it seems like that version 0.9.x of openssl-sys (I can tell that all versions of 0.9.x up to the latest 0.9.104 is in the list, but you need to register to see this information) if affected by the vulnerability classified as high https://ossindex.sonatype.org/vulnerability/CVE-2023-5363?component-type=cargo&component-name=openssl-sys

I don't know if this is something which can be fixed in 0.9, but it seems no version of 0.10 if affected.

Are there any plans to upgrade openssl to from openssl-sys:0.9.x to openssl-sys:0.10.x?

[alex]

This is a vulnerability in OpenSSL itself, not this crate. I don't know what's wrong with Sonatype's metadata.

…

On Fri, Oct 25, 2024 at 2:44 AM Günther Grill ***@***.***> wrote: Hi, it seems like that version 0.9.x of openssl-sys (I can tell that all versions of 0.9.x up to the latest 0.9.104 is in the list, but you need to register to see this information) if affected by the vulnerability classified as high https://ossindex.sonatype.org/vulnerability/CVE-2023-5363?component-type=cargo&component-name=openssl-sys I don't know if this is something which can be fixed in 0.9, but it seems no version of 0.10 if affected. Are there any plans to upgrade openssl to from openssl-sys:0.9.x to openssl-sys:0.10.x? — Reply to this email directly, view it on GitHub <#2323>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBFZQBMW7XFTIVS6JILZ5HSELAVCNFSM6AAAAABQSS2A3WVHI2DSMVQWIX3LMV43ASLTON2WKOZSGYYTGMRTGQ3DINA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.