You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The version of exonum that is contained on crates.io contains multiple severe vulnerabilities. It looks like these vulnerabilities are fixed on github, but no release has been pushed to crates.io for a year. Could you please make a 1.0.1 or 1.1.0 release?
Specifically:
RUSTSEC-2018-0007 (Stack overflow when parsing malicious DNS packet).
RUSTSEC-2020-0049 (Use-after-free in Framed).
RUSTSEC-2020-0048 (Use-after-free in BodyStream)
The text was updated successfully, but these errors were encountered:
Hello. Yes, I know about these vulnerabilities. I'm waiting for actix-web 4.0.0 and actix-web-actors 4.0.0 releases. After that I plan to create a new release of the exonum.
I appreciate you putting in the effort to maintain this project. I recently adopted exonum as the backend for my CryptoBallot project (https://github.com/cryptoballot/cryptoballot), and it fit my needs nearly perfectly.
actix-web 4 has been released for over a year now. We're considering breaking the actix-http 1.x range of dependencies in order to fix a vulnerability report in chrono: chronotope/chrono#1095. Consider yourself warned that we may break actix-http 1.x going forward.
Hi there,
The version of exonum that is contained on crates.io contains multiple severe vulnerabilities. It looks like these vulnerabilities are fixed on github, but no release has been pushed to crates.io for a year. Could you please make a 1.0.1 or 1.1.0 release?
Specifically:
RUSTSEC-2018-0007
(Stack overflow when parsing malicious DNS packet).RUSTSEC-2020-0049
(Use-after-free in Framed).RUSTSEC-2020-0048
(Use-after-free in BodyStream)The text was updated successfully, but these errors were encountered: