Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (513 crate dependencies)

Crate: chrono
Version: 0.4.19
Title: Potential segfault in `localtime_r` invocations
Date: 2020-11-10
ID: RUSTSEC-2020-0159
URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate: slice-deque
Version: 0.3.0
Title: SliceDeque::drain_filter can double drop an element if the predicate panics
Date: 2021-02-19
ID: RUSTSEC-2021-0047
URL: https://rustsec.org/advisories/RUSTSEC-2021-0047
Solution: No fixed upgrade is available!
Dependency tree:
slice-deque 0.3.0

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate: xcb
Version: 0.8.2
Title: Multiple soundness issues
Date: 2021-02-04
ID: RUSTSEC-2021-0019
URL: https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution: Upgrade to >=1.0
Dependency tree:
xcb 0.8.2

Crate: slice-deque
Version: 0.3.0
Warning: unmaintained
Title: slice-deque is unmaintained
Date: 2020-02-10
ID: RUSTSEC-2020-0158
URL: https://rustsec.org/advisories/RUSTSEC-2020-0158

Crate: stdweb
Version: 0.1.3
Warning: unmaintained
Title: stdweb is unmaintained
Date: 2020-05-04
ID: RUSTSEC-2020-0056
URL: https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.1.3

error: 5 vulnerabilities found!
warning: 2 allowed warnings found

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fed53f82a47f6c82d30a0c42575b840034516a04

commit fed53f82a47f6c82d30a0c42575b840034516a04
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-12 05:47:32 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-12 07:12:31 +0000

    app-emulation/ruffle: add 0_p20221212

    To update wrt bug #86401, only slice-deque-0.3.0 issue remains
    which is waiting for minimp3's upstream (there is a migration
    PR but progress been kind of stalled).

    This replaces x11-clipboard by arboard and thus removes the
    need for old xcb crate and python-any-r1.

    Adjust X deps to be match what winit crate uses more closely.
    Arboard and winit have some degree of wayland support but this
    didn't work so well with ruffle yet from a quick try.

    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  71 +++
 app-emulation/ruffle/ruffle-0_p20221212.ebuild | 583 +++++++++++++++++++++++++
 2 files changed, 654 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=947742fff69af49cd9a5bd4b5f22313cd53acfc0

commit 947742fff69af49cd9a5bd4b5f22313cd53acfc0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-29 17:22:51 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-29 20:28:56 +0000

    app-emulation/ruffle: drop vulnerable 0_p20221212

    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  49 ---
 app-emulation/ruffle/ruffle-0_p20221212.ebuild | 583 -------------------------
 2 files changed, 632 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a596739245e52bcd5e5c162b5543f35748ca6da

commit 7a596739245e52bcd5e5c162b5543f35748ca6da
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-29 17:16:30 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-29 20:28:56 +0000

    app-emulation/ruffle: add 0_p20221229

    all done wrt bug #864010, minimp3 is no longer used and so
    neither is slice-deque (and no new vulns from cargo audit).

    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  46 ++
 app-emulation/ruffle/ruffle-0_p20221229.ebuild | 580 +++++++++++++++++++++++++
 2 files changed, 626 insertions(+)

Thanks! All done then.