Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

  cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

    Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (448 crate dependencies)

Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     hyper
Version:   0.13.10
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.13.10

Crate:     hyper
Version:   0.13.10
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution:  Upgrade to >=0.14.10

Crate:     openssl-src
Version:   111.15.0
Title:     SM2 Decryption Buffer Overflow
Date:      2021-08-24
ID:        RUSTSEC-2021-0097
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0097
Solution:  Upgrade to >=111.16
Dependency tree:
openssl-src 111.15.0

Crate:     openssl-src
Version:   111.15.0
Title:     Read buffer overruns processing ASN.1 strings
Date:      2021-08-24
ID:        RUSTSEC-2021-0098
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0098
Solution:  Upgrade to >=111.16

Crate:     openssl-src
Version:   111.15.0
Title:     Infinite loop in `BN_mod_sqrt()` reachable when parsing certificates
Date:      2022-03-15
ID:        RUSTSEC-2022-0014
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0014
Solution:  Upgrade to >=111.18, <300.0 OR >=300.0.5

Crate:     openssl-src
Version:   111.15.0
Title:     AES OCB fails to encrypt some bytes
Date:      2022-07-05
ID:        RUSTSEC-2022-0032
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0032
Solution:  Upgrade to >=111.22, <300.0 OR >=300.0.9

Crate:     openssl-src
Version:   111.18.0
Title:     AES OCB fails to encrypt some bytes
Date:      2022-07-05
ID:        RUSTSEC-2022-0032
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0032
Solution:  Upgrade to >=111.22, <300.0 OR >=300.0.9
Dependency tree:
openssl-src 111.18.0

Crate:     owning_ref
Version:   0.4.1
Title:     Multiple soundness issues in `owning_ref`
Date:      2022-01-26
ID:        RUSTSEC-2022-0040
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution:  No fixed upgrade is available!
Dependency tree:
owning_ref 0.4.1

Crate:     regex
Version:   1.5.4
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4

Crate:     rust-embed
Version:   5.9.0
Title:     RustEmbed generated `get` method allows for directory traversal when reading files from disk
Date:      2021-11-29
ID:        RUSTSEC-2021-0126
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0126
Solution:  Upgrade to >=6.3.0
Dependency tree:
rust-embed 5.9.0

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     tokio
Version:   0.2.25
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.2.25

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree:
failure 0.1.8

Crate:     net2
Version:   0.2.37
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37

error: 13 vulnerabilities found!
warning: 2 allowed warnings found
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdb8e33cafaa250f179b6f86a42d53dfa090a78e

commit fdb8e33cafaa250f179b6f86a42d53dfa090a78e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-27 06:39:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-27 06:42:12 +0000

    dev-util/cargo-audit: add 0.17.6

    Closes: https://bugs.gentoo.org/864055
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/cargo-audit/Manifest                  | 196 +++++++++++++++
 dev-util/cargo-audit/cargo-audit-0.17.6.ebuild | 328 +++++++++++++++++++++++++
 2 files changed, 524 insertions(+)