Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps(client): update eventsource-client to fix CVE(s) #1954

Merged
merged 3 commits into from
Jun 11, 2024

Conversation

Br1ght0ne
Copy link
Contributor

@Br1ght0ne Br1ght0ne commented Jun 11, 2024

This PR updates eventsource-client dependency of fuel-core-client from 0.10.2 to 0.12.2.
Rationale: there are multiple security advisories for hyper-rustls/rustls indirect dependencies (RUSTSEC-2024-0336, RUSTSEC-2023-0052, CVE-2022-31394).
Found out about these by running https://github.com/EmbarkStudios/cargo-deny on fuels-rs.
No breaking changes.

References:

Output of `cargo-deny`
error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /Users/brightone/dev/github.com/FuelLabs/fuels-rs/Cargo.lock:298:1
    │
298 │ rustls 0.19.1 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0336
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    = If a `close_notify` alert is received during a handshake, `complete_io`
      does not terminate.

      Callers which do not call `complete_io` are not affected.

      `rustls-tokio` and `rustls-ffi` do not call `complete_io`
      and are not affected.

      `rustls::Stream` and `rustls::StreamOwned` types use
      `complete_io` and are affected.
    = Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    = Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    = rustls v0.19.1
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.10.2
      │       └── fuel-core-client v0.28.0
      │           ├── fuels v0.63.1
      │           │   ├── (dev) e2e v0.63.1
      │           │   ├── (dev) fuels-example-codec v0.63.1
      │           │   ├── (dev) fuels-example-contracts v0.63.1
      │           │   ├── (dev) fuels-example-cookbook v0.63.1
      │           │   ├── (dev) fuels-example-debugging v0.63.1
      │           │   ├── (dev) fuels-example-macros v0.63.1
      │           │   ├── (dev) fuels-example-predicates v0.63.1
      │           │   ├── (dev) fuels-example-providers v0.63.1
      │           │   ├── (dev) fuels-example-rust-bindings v0.63.1
      │           │   ├── (dev) fuels-example-types v0.63.1
      │           │   ├── (dev) fuels-example-wallets v0.63.1
      │           │   └── (dev) wasm-tests v0.63.1
      │           ├── fuels-accounts v0.63.1
      │           │   ├── (build) e2e v0.63.1 (*)
      │           │   ├── fuel-core-version v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1
      │           │   │   └── fuels v0.63.1 (*)
      │           │   └── fuels-test-helpers v0.63.1
      │           │       └── fuels v0.63.1 (*)
      │           ├── fuels-core v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-accounts v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1 (*)
      │           │   ├── fuels-test-helpers v0.63.1 (*)
      │           │   └── (dev) wasm-tests v0.63.1 (*)
      │           └── fuels-test-helpers v0.63.1 (*)
      ├── rustls-native-certs v0.5.0
      │   └── hyper-rustls v0.22.1 (*)
      └── tokio-rustls v0.22.0
          └── hyper-rustls v0.22.1 (*)

error[vulnerability]: webpki: CPU denial of service in certificate path building
    ┌─ /Users/brightone/dev/github.com/FuelLabs/fuels-rs/Cargo.lock:426:1
    │
426 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = When this crate is given a pathological certificate chain to validate, it will
      spend CPU time exponential with the number of candidate certificates at each
      step of path building.

      Both TLS clients and TLS servers that accept client certificate are affected.

      This was previously reported in
      <https://github.com/briansmith/webpki/issues/69> and re-reported recently
      by Luke Malinowski.

      webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.
    = Solution: Upgrade to >=0.22.2 (try `cargo update -p webpki`)
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.10.2
      │       └── fuel-core-client v0.28.0
      │           ├── fuels v0.63.1
      │           │   ├── (dev) e2e v0.63.1
      │           │   ├── (dev) fuels-example-codec v0.63.1
      │           │   ├── (dev) fuels-example-contracts v0.63.1
      │           │   ├── (dev) fuels-example-cookbook v0.63.1
      │           │   ├── (dev) fuels-example-debugging v0.63.1
      │           │   ├── (dev) fuels-example-macros v0.63.1
      │           │   ├── (dev) fuels-example-predicates v0.63.1
      │           │   ├── (dev) fuels-example-providers v0.63.1
      │           │   ├── (dev) fuels-example-rust-bindings v0.63.1
      │           │   ├── (dev) fuels-example-types v0.63.1
      │           │   ├── (dev) fuels-example-wallets v0.63.1
      │           │   └── (dev) wasm-tests v0.63.1
      │           ├── fuels-accounts v0.63.1
      │           │   ├── (build) e2e v0.63.1 (*)
      │           │   ├── fuel-core-version v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1
      │           │   │   └── fuels v0.63.1 (*)
      │           │   └── fuels-test-helpers v0.63.1
      │           │       └── fuels v0.63.1 (*)
      │           ├── fuels-core v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-accounts v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1 (*)
      │           │   ├── fuels-test-helpers v0.63.1 (*)
      │           │   └── (dev) wasm-tests v0.63.1 (*)
      │           └── fuels-test-helpers v0.63.1 (*)
      ├── rustls v0.19.1
      │   ├── hyper-rustls v0.22.1 (*)
      │   ├── rustls-native-certs v0.5.0
      │   │   └── hyper-rustls v0.22.1 (*)
      │   └── tokio-rustls v0.22.0
      │       └── hyper-rustls v0.22.1 (*)
      └── tokio-rustls v0.22.0 (*)

 advisories FAILED: 2 errors, 0 warnings, 0 notes

Checklist

  • Breaking changes are clearly marked as such in the PR description and changelog
  • New behavior is reflected in tests
  • The specification matches the implemented behavior (link update PR if changes are needed)

Before requesting review

  • I have reviewed the code myself
  • I have created follow-up issues caused by this PR and linked them here

@Br1ght0ne Br1ght0ne requested a review from xgreenx June 11, 2024 16:32
@Br1ght0ne Br1ght0ne added the no changelog Skip the CI check of the changelog modification label Jun 11, 2024
@xgreenx xgreenx enabled auto-merge (squash) June 11, 2024 22:01
@xgreenx xgreenx merged commit 38d532f into master Jun 11, 2024
27 checks passed
@xgreenx xgreenx deleted the client-eventsource-cve branch June 11, 2024 22:17
@xgreenx xgreenx mentioned this pull request Jun 14, 2024
xgreenx added a commit that referenced this pull request Jun 14, 2024
## Version v0.29.0

### Added
- [#1889](#1889): Add new
`FuelGasPriceProvider` that receives the gas price algorithm from a
`GasPriceService`

### Changed
- [#1942](#1942): Sequential
relayer's commits.
- [#1952](#1952): Change tip
sorting to ratio between tip and max gas sorting in txpool
- [#1960](#1960): Update
fuel-vm to v0.53.0.

### Fixed
- [#1950](#1950): Fix cursor
`BlockHeight` encoding in `SortedTXCursor`

## What's Changed
* Fix code coverage compilation and tests by @Dentosal in
#1943
* Weekly `cargo update` by @github-actions in
#1949
* Fix cursor block height decoding in SortedTXCursor by @AurelienFT in
#1950
* Sequential relayer's commits by @xgreenx in
#1942
* Add Gas Price Updater Service by @MitchTurner in
#1938
* Change tip sorting to ratio between tip and max gas sorting in txpool
by @AurelienFT in #1952
* deps(client): update eventsource-client to fix CVE(s) by @Br1ght0ne in
#1954
* Update fuel-vm to v0.53.0 by @Dentosal in
#1960

## New Contributors
* @AurelienFT made their first contribution in
#1950

**Full Changelog**:
v0.28.0...v0.29.0
AurelienFT added a commit that referenced this pull request Oct 23, 2024
## Linked Issues/PRs
Resolves #1843

## Description
This has been fixed in #1954.
Verified it by running cargo audit on my own did had this warning.

Co-authored-by: Green Baneling <XgreenX9999@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
no changelog Skip the CI check of the changelog modification
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants