
Update hyper in rocket_http v0.4.10 because of vulnerabilities #1815

Closed

Labels: triage (A bug report being investigated)

Comments

ralpha commented Aug 9, 2021

Description

Because of 2 vulnerabilities in hyper, reported as RUSTSEC-2021-0078 and RUSTSEC-2021-0079, an update of the dependency hyper is required from version 0.10.x to 0.14.10.
This is not a patch version anymore (from 0.10 -> 0.14) and thus might have other effects.

References:

This only affects v0.4.x of Rocket, not v0.5.x.
Although there the minimum version might as well be updated from 0.14.9 to 0.14.10, so as not to include this vulnerability. But `cargo update` will update this automatically.

Additional Context

This will be found by cargo audit since 2021/08/08:

Crate:         hyper
Version:       0.10.16
Title:         Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:          2021-07-07
ID:            RUSTSEC-2021-0078
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution:      Upgrade to >=0.14.10
Dependency tree: 
hyper 0.10.16

Crate:         hyper
Version:       0.10.16
Title:         Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:          2021-07-07
ID:            RUSTSEC-2021-0079
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution:      Upgrade to >=0.14.10

Dependency tree:

└── rocket v0.4.10
    └── rocket_codegen v0.4.10 (proc-macro)
        └── rocket_http v0.4.10
            └── hyper v0.10.16
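As an added illustration of the two advisories quoted above (this is not hyper's or Rocket's own code): a strict decoder for Content-Length and chunk-size values beside the lenient behaviour each advisory describes, namely a leading `+` sign accepted by `str::parse::<u64>()` for Content-Length, and a chunk size that wraps modulo 2^64 instead of being rejected. The `FramingError` type, the function names and the sample header values are assumptions made for this example.

```rust
// Added example, not hyper's or Rocket's code: strict decoding of the two
// HTTP/1 framing values named in RUSTSEC-2021-0078/0079 (Content-Length and
// chunk-size lines), next to the lenient behaviour each advisory describes.
// All request values below are constructed for illustration.

#[derive(Debug, PartialEq)]
pub enum FramingError {
    /// Sign, whitespace, non-digit, empty value, or value that overflows u64.
    InvalidContentLength,
    /// Repeated Content-Length headers that disagree (a classic smuggling vector).
    ConflictingContentLength,
    /// Non-hex character, empty size, or hex value that overflows u64.
    InvalidChunkSize,
}

/// Lenient decode: what `str::parse::<u64>()` accepts out of the box.
/// Rust's integer `FromStr` allows a leading '+', so "+5" is Ok(5); a
/// front proxy that rejects or mis-frames "+5" then disagrees with us.
pub fn lenient_content_length(value: &str) -> Option<u64> {
    value.parse::<u64>().ok()
}

/// Strict decode per RFC 7230 section 3.3.2 (Content-Length = 1*DIGIT):
/// ASCII digits only, no sign, no surrounding whitespace, checked arithmetic.
pub fn strict_content_length(value: &str) -> Result<u64, FramingError> {
    if value.is_empty() || !value.bytes().all(|b| b.is_ascii_digit()) {
        return Err(FramingError::InvalidContentLength);
    }
    value.bytes().try_fold(0u64, |acc, b| {
        acc.checked_mul(10)
            .and_then(|n| n.checked_add(u64::from(b - b'0')))
            .ok_or(FramingError::InvalidContentLength)
    })
}

/// Resolve the body length from every Content-Length occurrence in a
/// request. Duplicates are tolerated only when they all decode to the same
/// value; otherwise reject instead of silently picking first or last.
pub fn resolve_content_length(values: &[&str]) -> Result<Option<u64>, FramingError> {
    let mut agreed: Option<u64> = None;
    for v in values {
        let n = strict_content_length(v)?;
        match agreed {
            None => agreed = Some(n),
            Some(prev) if prev == n => {}
            Some(_) => return Err(FramingError::ConflictingContentLength),
        }
    }
    Ok(agreed)
}

/// Lenient chunk-size decode with wrapping arithmetic: the shape of the
/// RUSTSEC-2021-0079 bug. An oversized hex size wraps modulo 2^64, so the
/// server frames a tiny chunk while an upstream proxy that accepts the big
/// size forwards far more bytes: data loss or desync.
/// `line` is a chunk-size line with its CRLF already removed (assumption).
pub fn lenient_chunk_size(line: &str) -> Option<u64> {
    let hex = line.split(';').next().unwrap_or("");
    let mut n: u64 = 0;
    for c in hex.chars() {
        n = n.wrapping_mul(16).wrapping_add(u64::from(c.to_digit(16)?));
    }
    Some(n)
}

/// Strict chunk-size decode (RFC 7230 section 4.1: chunk-size = 1*HEXDIG
/// before an optional ';' extension): hex digits only, non-empty, checked
/// arithmetic so anything beyond u64 is an error rather than a wrap.
pub fn strict_chunk_size(line: &str) -> Result<u64, FramingError> {
    let hex = line.split(';').next().unwrap_or("");
    if hex.is_empty() {
        return Err(FramingError::InvalidChunkSize);
    }
    hex.chars().try_fold(0u64, |acc, c| {
        let d = c.to_digit(16).ok_or(FramingError::InvalidChunkSize)?;
        acc.checked_mul(16)
            .and_then(|n| n.checked_add(u64::from(d)))
            .ok_or(FramingError::InvalidChunkSize)
    })
}

fn main() {
    // Constructed header values that a proxy and a backend may frame differently.
    for cl in ["5", "+5", " 5", "18446744073709551616"] {
        println!("Content-Length {:?}: lenient={:?} strict={:?}",
            cl, lenient_content_length(cl), strict_content_length(cl));
    }
    println!("repeated Content-Length [5, 6]: {:?}", resolve_content_length(&["5", "6"]));
    // 0x1_0000_0000_0000_0005 wraps to 5 in the lenient decoder.
    for line in ["5", "FF;ext=1", "10000000000000005", "+5"] {
        println!("chunk-size {:?}: lenient={:?} strict={:?}",
            line, lenient_chunk_size(line), strict_chunk_size(line));
    }
}
```

The point of the contrast is that the two decoders only need to disagree with whatever sits in front of the server for a request boundary to move; a parser that is strictly `1*DIGIT` / `1*HEXDIG` with checked arithmetic has no such ambiguity to exploit.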
@SergioBenitez
Member

This cannot happen in 0.4 and is already done in 0.5.


dfgweb commented Jan 20, 2023

Additionally, hyper v0.10.16 still uses traitobject v0.1, which has another CVE. See reem/rust-traitobject#7.

Since Rocket v0.5 is still not released, why not update the dependency to Hyper v0.14, which doesn't rely on traitobject nor have a CVE?

@shelvacu

As a workaround, put this in Cargo.toml:

[patch.crates-io]
traitobject = { git = "https://github.com/reem/rust-traitobject", rev = "b3471a15917b2caf5a8b27debb0b4b390fc6634f" }

to pull in the merged-but-never-released-on-cargo fix.

shelvacu added a commit to consortium-chat/plutocradroid that referenced this issue Jan 22, 2023
AAAAAAAAAAAAAAAAA

rust-lang/cargo#9227

AAAAAAAAAAAAAAAAAAAAAAAAAAAA

reem/rust-traitobject#7

AAAAAAAAAAAAAAAAAAAAA

rwf2/Rocket#1815

and updated libs and fixed deprecation warnings from chrono