
RUSTSEC-2023-0052, RUSTSEC-2023-0053 #4375

Closed
jxs opened this issue Aug 22, 2023 · 7 comments · Fixed by #4483

Comments

@jxs
Member

jxs commented Aug 22, 2023

Description

See here, here. It affects us due to libp2p-websockets' dependency on futures-rustls; 0053 is easily fixed by cargo upgrading, but 0052 doesn't have a solution yet.

Current Implementation

Are you planning to do it yourself in a pull request?

Maybe.

@thomaseizinger
Contributor

Related: #4378.

@jxs
Member Author

jxs commented Aug 25, 2023

Addressed with #4387 (comment).

@jxs jxs closed this as completed Aug 25, 2023
@jxs jxs reopened this Sep 7, 2023
@jxs
Member Author

jxs commented Sep 7, 2023

Sorry, this is still failing because of webrtc-rs via webrtc-dtls; see webrtc-rs/webrtc#491.

@rainliu

rainliu commented Sep 10, 2023

@jxs, webrtc v0.9.0 fixed the WebPKI security issue.

@jxs
Member Author

jxs commented Sep 10, 2023

Thanks @rainliu! @thomaseizinger, do you want me to submit a PR with the update, or can we wait for dependabot?

@thomaseizinger
Contributor

> Thanks @rainliu! @thomaseizinger, do you want me to submit a PR with the update, or can we wait for dependabot?

It should come in very soon! They always come Sunday night :)

@thomaseizinger thomaseizinger linked a pull request Sep 11, 2023 that will close this issue
@thomaseizinger
Contributor

#4475 does not quite resolve this unfortunately. See:

    = webpki v0.22.0
      ├── rustls v0.20.8
      │   ├── hyper-rustls v0.23.2
      │   │   └── fantoccini v0.20.0-rc.4
      │   │       └── thirtyfour v0.32.0-rc.8
      │   │           └── interop-tests v0.1.0
      │   └── tokio-rustls v0.23.4
      │       └── hyper-rustls v0.23.2 (*)
      └── tokio-rustls v0.23.4 (*)
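A way to read an inverted tree like the one above, as an added example that is not part of this thread or of rust-libp2p: the function below takes `cargo tree -i <crate> -e normal` output on stdin and prints, for each chain, the crate at the end of it (the workspace member that ultimately pulls the audited crate in) followed by the path back to the root, so it is clear which direct dependency needs the bump. The sample tree is constructed here to mirror the shape quoted above; it is not real project output.

```shell
#!/bin/sh
# Constructed sample of `cargo tree -i webpki -e normal` output, shaped
# like the tree quoted in the issue (versions are illustrative only).
SAMPLE_TREE='webpki v0.22.0
├── rustls v0.20.8
│   ├── hyper-rustls v0.23.2
│   │   └── fantoccini v0.20.0-rc.4
│   │       └── thirtyfour v0.32.0-rc.8
│   │           └── interop-tests v0.1.0
│   └── tokio-rustls v0.23.4
│       └── hyper-rustls v0.23.2 (*)
└── tokio-rustls v0.23.4 (*)'

# Read an inverted cargo tree on stdin and print one line per leaf chain:
#   <leaf crate> <- <parent> <- ... <- <audited crate>
# Subtrees marked "(*)" are repeats of an already printed subtree, so
# they are skipped rather than reported as separate consumers.
tree_leaves() {
    # Replace the box-drawing prefix with ASCII so every nesting level
    # is exactly four bytes wide regardless of awk's locale handling.
    sed 's/├/|/g; s/└/|/g; s/│/|/g; s/─/-/g' \
    | awk '
        {
            # crate name is the first alphanumeric after the prefix
            match($0, /[A-Za-z0-9_]/)
            depth[NR] = int((RSTART - 1) / 4)
            line[NR]  = substr($0, RSTART)
        }
        END {
            for (i = 1; i <= NR; i++) {
                stack[depth[i]] = line[i]
                if (line[i] ~ /\(\*\)$/) continue   # repeated subtree
                # a node is a leaf when the next line is not deeper
                if (i == NR || depth[i + 1] <= depth[i]) {
                    path = stack[depth[i]]
                    for (d = depth[i] - 1; d >= 0; d--)
                        path = path " <- " stack[d]
                    print path
                }
            }
        }'
}

# Usage on a real workspace: cargo tree -i webpki -e normal | tree_leaves
printf '%s\n' "$SAMPLE_TREE" | tree_leaves
```

The one chain reported for the sample ends at interop-tests, which is the consumer that has to move off rustls 0.20 before the webpki 0.22 entry can leave the lockfile.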

@mergify mergify bot closed this as completed in #4483 Sep 11, 2023
mergify bot pushed a commit that referenced this issue Sep 11, 2023
A simple update to our lockfile to help fix #4375.

Pull-Request: #4483.