-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2020-8927 in brotli-sys
dependency
#2537
Labels
Comments
robjtede
added
A-http
project: actix-http
C-bug-upstream
Category: bug in a dependency (including actix-net)
labels
Dec 22, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Expected Behavior
Actix and its dependencies should have no known vulnerabilities unpatched
Current Behavior
Actix is affected by CVE-2020-8927, buffer overflow in the Brotli C library, through
brotli-sys
crate.Possible Solution
There is no updated release of
brotli-sys
that fixes the issue (it has been reported upstream). There are several abandoned PRs updating to newer Brotli, so it looks like a new release will not be cut anytime soon.The
brotli
crate provides a pure Rust implementation of Brotli compression and decompression. It is used in production by Dropbox and is not affected by the issue (and could not be affected because it's written in safe Rust). I suggest switching to thebrotli
crate as a mitigation.Steps to Reproduce (for bugs)
cargo install cargo-audit
cd actix-web
cargo audit
The dependency tree leading to the affected
brotli-sys
crate is:rustc -V
):The text was updated successfully, but these errors were encountered: