Conversation

@elizabethengelman
Collaborator

What

  • Update openssl to 0.10.72 per cargo deny advisories suggestion
  • Update tokio to 1.42.1 per cargo deny advisories suggestion

Why

  • openssl upgrade to fix this error:
error[vulnerability]: Use-After-Free in `Md::fetch` and `Cipher::fetch`
    ┌─ /Users/ebethme/Desktop/projects/stellar/stellar-cli/Cargo.lock:281:1
    │
281 │ openssl 0.10.70 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2025-0022
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0022
    = When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.

      In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`'s behavior).

      The maintainers thank [quitbug](https://github.com/quitbug/) for reporting this vulnerability to us.
    = Announcement: https://github.com/sfackler/rust-openssl/pull/2390
    = Solution: Upgrade to >=0.10.72 (try `cargo update -p openssl`)
  • tokio upgrade to fix this error:
    ┌─ /Users/ebethme/Desktop/projects/stellar/stellar-cli/Cargo.lock:470:1
    │
470 │ tokio 1.39.2 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------ unsound advisory detected
    │
    = ID: RUSTSEC-2025-0023
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0023
    = The broadcast channel internally calls `clone` on the stored value when
      receiving it, and only requires `T:Send`. This means that using the broadcast
      channel with values that are `Send` but not `Sync` can trigger unsoundness if
      the `clone` implementation makes use of the value being `!Sync`.

Known limitations

N/A
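As an added example, not code from this PR or the stellar-cli project: a small Rust program that performs by hand the check cargo deny ran here. It parses a constructed Cargo.lock fragment and flags the openssl and tokio entries that sit below the versions this PR bumps to (0.10.72 and 1.42.1, taken from the PR text; the two advisory IDs are the ones quoted above). The `[[package]]` parsing, the `Version` type and the sample lockfile are assumptions of the example, not anything from the project.

```rust
// Added example (not from stellar-cli or this PR): a minimal Cargo.lock scanner
// that flags any locked crate version below the version the PR upgrades to.
// cargo-deny does this properly against the full RustSec database; this only
// shows the mechanics. Assumes the standard `[[package]]` layout of Cargo.lock.
use std::fmt;

/// Plain semver core (major.minor.patch); the derived Ord compares field by field.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "1.2.3". A "-pre" or "+build" suffix is dropped, which is a
    /// simplification: real semver orders pre-releases before the release.
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c: char| c == '-' || c == '+').next()?;
        let mut parts = core.split('.').map(|p| p.parse::<u64>());
        let major = parts.next()?.ok()?;
        let minor = parts.next()?.ok()?;
        let patch = parts.next()?.ok()?;
        if parts.next().is_some() {
            return None; // more than three components is not a core version
        }
        Some(Version { major, minor, patch })
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.patch)
    }
}

/// One advisory as this PR applies it: the crate and the version it bumps to.
pub struct Advisory {
    pub id: &'static str,
    pub krate: &'static str,
    pub fixed_in: &'static str,
}

/// Thresholds taken from the PR description (assumed table, not the RustSec
/// database, which lists patched ranges for RUSTSEC-2025-0023 in more detail).
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2025-0022", krate: "openssl", fixed_in: "0.10.72" },
    Advisory { id: "RUSTSEC-2025-0023", krate: "tokio", fixed_in: "1.42.1" },
];

/// Constructed sample lockfile, not the stellar-cli Cargo.lock.
pub const SAMPLE_LOCK: &str = r#"
# This file is a constructed sample.
[[package]]
name = "bitflags"
version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.70"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bitflags",
]

[[package]]
name = "tokio"
version = "1.39.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Returns the value of a `key = "value"` line, or None if the line is not that key.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim_start();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Emits the (name, version) pair collected so far; entries whose version
/// failed to parse are dropped rather than guessed.
fn flush(name: &mut Option<String>, version: &mut Option<Version>, out: &mut Vec<(String, Version)>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
}

/// Collects every `[[package]]` entry; a crate pinned at several versions appears once per version.
pub fn parse_lockfile(text: &str) -> Vec<(String, Version)> {
    let mut packages = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    for line in text.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut packages);
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v.to_string());
        } else if let Some(v) = quoted_value(line, "version") {
            version = Version::parse(v);
        }
    }
    flush(&mut name, &mut version, &mut packages);
    packages
}

pub struct Finding {
    pub id: String,
    pub krate: String,
    pub found: Version,
    pub fixed_in: Version,
}

/// Every locked version of an advised crate that is older than the fixed version.
pub fn check(packages: &[(String, Version)]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for adv in ADVISORIES {
        let fixed = Version::parse(adv.fixed_in).expect("advisory table holds valid versions");
        for (name, ver) in packages {
            if name == adv.krate && *ver < fixed {
                findings.push(Finding {
                    id: adv.id.to_string(),
                    krate: name.clone(),
                    found: ver.clone(),
                    fixed_in: fixed.clone(),
                });
            }
        }
    }
    findings
}

fn main() {
    let findings = check(&parse_lockfile(SAMPLE_LOCK));
    for f in &findings {
        println!("{}: {} {} is below fixed version {}", f.id, f.krate, f.found, f.fixed_in);
    }
    if findings.is_empty() {
        println!("no advisories matched");
    }
}
```

The real check remains `cargo deny check advisories`, which consults the RustSec database instead of a hand-written table; the point of the example is to show what the lockfile comparison behind those diagnostics amounts to, and why the check has to look at every locked version of a crate rather than only the first one it finds.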

@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Apr 9, 2025
@ifropc ifropc merged commit 4a1393e into main Apr 9, 2025
33 checks passed
@ifropc ifropc deleted the fix/cargo-deny-advisories branch April 9, 2025 19:44
@github-project-automation github-project-automation bot moved this from Backlog (Not Ready) to Done in DevX Apr 9, 2025