crates.io version of exonum contains multiple severe vulnerabilities #1992

Open
phayes opened this issue Jun 10, 2021 · 3 comments

Comments

phayes commented Jun 10, 2021

Hi there,

The version of exonum that is contained on crates.io contains multiple severe vulnerabilities. It looks like these vulnerabilities are fixed on github, but no release has been pushed to crates.io for a year. Could you please make a 1.0.1 or 1.1.0 release?

Specifically:

  1. RUSTSEC-2018-0007 (Stack overflow when parsing malicious DNS packet).
  2. RUSTSEC-2020-0049 (Use-after-free in Framed).
  3. RUSTSEC-2020-0048 (Use-after-free in BodyStream).
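
Added example, not code from the issue or from the exonum project: a small Python script that performs the check a practitioner would run on a project pinned to a crates.io release like this one. It scans a Cargo.lock for crate versions below a known-patched version and reports which package lists each vulnerable crate as a direct dependency, which is the evidence that the fix has to come from a new upstream release rather than from the downstream project's own manifest. The Cargo.lock excerpt is constructed, the crate names are my reading of the three advisory IDs named above, and the `patched` version tuples are placeholders rather than the ranges published in the RustSec advisory database (the source `cargo audit` consults); pre-release suffixes are simply dropped, which a production tool would not do.

```python
"""Match Cargo.lock entries against a small advisory table and show who pulls each one in."""
import re
from dataclasses import dataclass

# Constructed Cargo.lock excerpt. Package set and versions are placeholders chosen to
# exercise the matching; they are not taken from exonum's real lock file.
SAMPLE_LOCK = '''\
[[package]]
name = "actix-codec"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "actix-codec"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "actix-http"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "actix-codec 0.2.0",
]

[[package]]
name = "exonum"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "actix-http",
 "serde",
 "trust-dns-proto",
]

[[package]]
name = "serde"
version = "1.0.126"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "trust-dns-proto"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''


@dataclass(frozen=True)
class Advisory:
    rustsec_id: str
    crate: str
    patched: tuple  # first version no longer affected; PLACEHOLDER, not the published range
    title: str


# The IDs and titles are the ones named in the issue; the crate names are my reading of
# those advisories and the `patched` versions are illustrative placeholders.
ADVISORIES = [
    Advisory("RUSTSEC-2018-0007", "trust-dns-proto", (0, 6, 0),
             "Stack overflow when parsing malicious DNS packet"),
    Advisory("RUSTSEC-2020-0049", "actix-codec", (0, 3, 0), "Use-after-free in Framed"),
    Advisory("RUSTSEC-2020-0048", "actix-http", (2, 0, 0), "Use-after-free in BodyStream"),
]


def parse_version(text):
    """'1.0.1' -> (1, 0, 1); a pre-release suffix such as '-beta.1' is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def parse_lock(text):
    """Return (packages, graph): packages is a list of (name, version) in file order,
    graph maps a package name to the set of crate names it lists under `dependencies`."""
    packages, graph = [], {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        packages.append((name, version))
        deps = set()
        dep_list = re.search(r'^dependencies = \[(.*?)^\]', block, re.M | re.S)
        if dep_list:
            # entries look like "name" or "name 1.2.3 (source)"; keep only the name
            deps = {entry.split()[0] for entry in re.findall(r'"([^"]+)"', dep_list.group(1))}
        graph.setdefault(name, set()).update(deps)
    return packages, graph


def reverse_deps(graph, crate):
    """Names of packages that list `crate` directly as a dependency."""
    return sorted(name for name, deps in graph.items() if crate in deps)


def audit(lock_text, advisories=ADVISORIES):
    """One finding per (crate, version) pair in the lock file that is below `patched`."""
    packages, graph = parse_lock(lock_text)
    findings = []
    for name, version in packages:
        for adv in advisories:
            if adv.crate == name and parse_version(version) < adv.patched:
                findings.append({
                    "advisory": adv.rustsec_id,
                    "crate": name,
                    "version": version,
                    "title": adv.title,
                    "pulled_in_by": reverse_deps(graph, name),
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK):
        print(f"{f['advisory']}: {f['crate']} {f['version']} ({f['title']}) "
              f"pulled in by {', '.join(f['pulled_in_by']) or 'the root crate'}")
```

Running it on the constructed lock file flags actix-codec 0.2.0, actix-http 1.0.1 and trust-dns-proto 0.5.0, while actix-codec 0.3.0 and serde pass; the `pulled_in_by` field shows that actix-http and trust-dns-proto are listed by exonum, so a downstream user cannot bump them without an upstream release.
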
@aleksuss (Contributor) commented

Hello. Yes, I know about these vulnerabilities. I'm waiting for actix-web 4.0.0 and actix-web-actors 4.0.0 releases. After that I plan to create a new release of exonum.

phayes (Author) commented Jun 10, 2021

Thanks @aleksuss,

I appreciate you putting in the effort to maintain this project. I recently adopted exonum as the backend for my CryptoBallot project (https://github.com/cryptoballot/cryptoballot), and it fit my needs nearly perfectly.

djc commented Jun 19, 2023

actix-web 4 has been released for over a year now. We're considering breaking the actix-http 1.x range of dependencies in order to fix a vulnerability report in chrono: chronotope/chrono#1095. Consider yourself warned that we may break actix-http 1.x going forward.
