Merge pull request #1666 from KomodoPlatform/sec-advisory-fixes

[r2r] fix vulnerable dependencies

deny.toml

@@ -56,14 +56,8 @@ notice = "warn"
 ignore = [
     "RUSTSEC-2020-0071",
     "RUSTSEC-2022-0040",
-    "RUSTSEC-2022-0055",
-    "RUSTSEC-2023-0001",
-    "RUSTSEC-2022-0084",
-    "RUSTSEC-2023-0005",
+	"RUSTSEC-2022-0041",
     "RUSTSEC-2022-0070",
-    "RUSTSEC-2019-0036",
-    "RUSTSEC-2022-0041",
-    "RUSTSEC-2022-0078",
     "RUSTSEC-2021-0145",
     "RUSTSEC-2020-0056",
     "RUSTSEC-2022-0080",
@@ -72,7 +66,6 @@ ignore = [
     "RUSTSEC-2021-0059",
     "RUSTSEC-2021-0060",
     "RUSTSEC-2022-0090",
-    #"RUSTSEC-0000-0000",
 ]
 # Threshold for security vulnerabilities, any vulnerability with a CVSS score
 # lower than the range specified will be ignored. Note that ignored advisories

dev-logs/2023-feb/upgrades/axum_core_upgrade_to_0_2_9

@@ -0,0 +1,6 @@
+axum-core upgraded to 0.2.9 because current version(0.2.4) considered as vulnerable
+
+further informations https://rustsec.org/advisories/RUSTSEC-2022-0055.html
+
+
+author: @ozkanonur <work@onurozkan.dev>

dev-logs/2023-feb/upgrades/bumpalo_upgrade_to_3_12_0

@@ -0,0 +1,6 @@
+bumpalo upgraded to 3.12.0 because current version(3.4.0) considered as vulnerable
+
+further informations https://rustsec.org/advisories/RUSTSEC-2022-0078.html
+
+
+author: @ozkanonur <work@onurozkan.dev>

dev-logs/2023-feb/upgrades/libp2p_upgrade_to_0_45_1

@@ -0,0 +1,6 @@
+libp2p upgraded to 0.45.1 because current version(0.45.0) considered as vulnerable
+
+further informations https://rustsec.org/advisories/RUSTSEC-2022-0084.html
+
+
+author: @ozkanonur <work@onurozkan.dev>

dev-logs/2023-feb/upgrades/tokio_upgrade_to_1_25_0

@@ -0,0 +1,6 @@
+tokio upgraded to 1.25.0 because current version(1.18.2) considered as vulnerable
+
+further informations https://rustsec.org/advisories/RUSTSEC-2023-0001.html and https://rustsec.org/advisories/RUSTSEC-2023-0005.html
+
+
+author: @ozkanonur <work@onurozkan.dev>

mm2src/coins/Cargo.toml

@@ -126,7 +126,7 @@ rust-ini = { version = "0.13" }
 rustls = { version = "0.20", features = ["dangerous_configuration"] }
 secp256k1v22 = { version = "0.22", package = "secp256k1" }
 tendermint-config = { version = "0.23.7", default-features = false }
-tokio = { version = "1.7" }
+tokio = { version = "1.20" }
 tokio-rustls = { version = "0.23" }
 tonic = { version = "0.7", features = ["tls", "tls-webpki-roots", "compression"] }
 webpki-roots = { version = "0.22" }

mm2src/common/Cargo.toml

@@ -66,7 +66,7 @@ hyper-rustls = { version = "0.23", default-features = false, features = ["http1"
 libc = { version = "0.2" }
 lightning = "0.0.110"
 log4rs = { version = "1.0", default-features = false, features = ["console_appender", "pattern_encoder"] }
-tokio = { version = "1.7", features = ["io-util", "rt-multi-thread", "net"] }
+tokio = { version = "1.20", features = ["io-util", "rt-multi-thread", "net"] }
 
 [target.'cfg(windows)'.dependencies]
 winapi = "0.3"

mm2src/floodsub/Cargo.toml

@@ -15,8 +15,8 @@ doctest = false
 [dependencies]
 cuckoofilter = "0.3.2"
 futures = "0.3.1"
-libp2p-core = { git = "https://github.com/libp2p/rust-libp2p.git" }
-libp2p-swarm = { git = "https://github.com/libp2p/rust-libp2p.git" }
+libp2p-core = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
+libp2p-swarm = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
 prost = "0.10"
 rand = "0.7"
 smallvec = "1.0"

mm2src/gossipsub/Cargo.toml

@@ -20,8 +20,8 @@ common = { path = "../common" }
 fnv = "1.0.6"
 futures = "0.3.1"
 futures_codec = "0.4.0"
-libp2p-swarm = { git = "https://github.com/libp2p/rust-libp2p.git" }
-libp2p-core = { git = "https://github.com/libp2p/rust-libp2p.git" }
+libp2p-swarm = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
+libp2p-core = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
 log = "0.4.8"
 prost = "0.10"
 rand = "0.7"
@@ -33,8 +33,8 @@ wasm-timer = "0.2.4"
 [dev-dependencies]
 async-std = "1.6.2"
 env_logger = "0.7.1"
-libp2p-plaintext = { git = "https://github.com/libp2p/rust-libp2p.git" }
-libp2p-yamux = { git = "https://github.com/libp2p/rust-libp2p.git" }
+libp2p-plaintext = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
+libp2p-yamux = { git = "https://github.com/libp2p/rust-libp2p.git", tag ="v0.45.1" }
 quickcheck = "0.9.2"
 
 [build-dependencies]

mm2src/mm2_libp2p/Cargo.toml

@@ -29,12 +29,12 @@ void = "1.0"
 wasm-timer = "0.2.4"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
-tokio = { version = "1.7", features = ["rt-multi-thread", "macros"] }
-libp2p = { git = "https://github.com/libp2p/rust-libp2p.git", default-features = false, features = ["dns-tokio", "floodsub", "mplex", "noise", "ping", "request-response", "secp256k1", "tcp-tokio", "websocket"] }
+tokio = { version = "1.20", features = ["rt-multi-thread", "macros"] }
+libp2p = { git = "https://github.com/libp2p/rust-libp2p.git", tag = "v0.45.1", default-features = false, features = ["dns-tokio", "floodsub", "mplex", "noise", "ping", "request-response", "secp256k1", "tcp-tokio", "websocket"] }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 getrandom = { version = "0.2", features = ["js"] } # see https://docs.rs/getrandom/0.2.0/getrandom/#webassembly-support
-libp2p = { git = "https://github.com/libp2p/rust-libp2p.git", default-features = false, features = ["floodsub", "mplex", "noise", "ping", "request-response", "secp256k1", "wasm-ext", "wasm-ext-websocket"] }
+libp2p = { git = "https://github.com/libp2p/rust-libp2p.git", tag = "v0.45.1", default-features = false, features = ["floodsub", "mplex", "noise", "ping", "request-response", "secp256k1", "wasm-ext", "wasm-ext-websocket"] }
 wasm-bindgen-futures = "0.4.21"
 
 [dev-dependencies]

mm2src/mm2_libp2p/src/atomicdex_behaviour.rs

@@ -828,10 +828,13 @@ fn build_dns_ws_transport(
 ) -> BoxedTransport<(PeerId, libp2p::core::muxing::StreamMuxerBox)> {
     use libp2p::websocket::tls as libp2p_tls;
 
-    let tcp = libp2p::tcp::TokioTcpConfig::new().nodelay(true);
-    let dns_tcp =
-        libp2p::dns::TokioDnsConfig::custom(tcp, libp2p::dns::ResolverConfig::google(), Default::default()).unwrap();
-    let mut ws_dns_tcp = libp2p::websocket::WsConfig::new(dns_tcp.clone());
+    let ws_tcp = libp2p::dns::TokioDnsConfig::custom(
+        libp2p::tcp::TokioTcpConfig::new().nodelay(true),
+        libp2p::dns::ResolverConfig::google(),
+        Default::default(),
+    )
+    .unwrap();
+    let mut ws_dns_tcp = libp2p::websocket::WsConfig::new(ws_tcp);
 
     if let Some(certs) = wss_certs {
         let server_priv_key = libp2p_tls::PrivateKey::new(certs.server_priv_key.0.clone());
@@ -843,6 +846,15 @@ fn build_dns_ws_transport(
         ws_dns_tcp.set_tls_config(wss_config);
     }
 
+    // This is for preventing port reuse of dns/tcp instead of
+    // websocket ports.
+    let dns_tcp = libp2p::dns::TokioDnsConfig::custom(
+        libp2p::tcp::TokioTcpConfig::new().nodelay(true),
+        libp2p::dns::ResolverConfig::google(),
+        Default::default(),
+    )
+    .unwrap();
+
     let transport = dns_tcp.or_transport(ws_dns_tcp);
     upgrade_transport(transport, noise_keys)
 }

mm2src/mm2_main/Cargo.toml

@@ -106,7 +106,7 @@ web-sys = { version = "0.3.55", features = ["console"] }
 dirs = { version = "1" }
 futures-rustls = { version = "0.21.1" }
 hyper = { version = "0.14.11", features = ["client", "http2", "server", "tcp"] }
-tokio = { version = "1.7", features = ["io-util", "rt-multi-thread", "net"] }
+tokio = { version = "1.20", features = ["io-util", "rt-multi-thread", "net"] }
 
 [target.'cfg(windows)'.dependencies]
 winapi = "0.3"