Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

    cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (382 crate dependencies)

Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     crossbeam-deque
Version:   0.7.3
Title:     Data race in crossbeam-deque
Date:      2021-07-30
ID:        RUSTSEC-2021-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:  Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.7.3

Crate:     hyper
Version:   0.12.35
Title:     Multiple Transfer-Encoding headers misinterprets request payload
Date:      2021-02-05
ID:        RUSTSEC-2021-0020
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0020
Solution:  Upgrade to >=0.14.3 OR ^0.13.10 OR ^0.12.36
Dependency tree:
hyper 0.12.35

Crate:     hyper
Version:   0.12.35
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.12.35
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution:  Upgrade to >=0.14.10

Crate:     nix
Version:   0.19.1
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.19.1

Crate:     regex
Version:   1.4.2
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.4.2

Crate:     smallvec
Version:   0.6.13
Title:     Buffer overflow in SmallVec::insert_many
Date:      2021-01-08
ID:        RUSTSEC-2021-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution:  Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Dependency tree:
smallvec 0.6.13

Crate:     tar
Version:   0.4.30
Title:     Links in archive can create arbitrary directories
Date:      2021-07-19
ID:        RUSTSEC-2021-0080
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0080
Solution:  Upgrade to >=0.4.36
Dependency tree:
tar 0.4.30

Crate:     thread_local
Version:   1.1.0
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.0

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     tiny_http
Version:   0.6.2
Title:     HTTP Request smuggling through malformed Transfer Encoding headers
Date:      2020-06-16
ID:        RUSTSEC-2020-0031
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0031
Solution:  Upgrade to >=0.8.0 OR ^0.6.3
Dependency tree:
tiny_http 0.6.2

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22

Crate:     tokio
Version:   0.2.24
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.2.24

Crate:     cpuid-bool
Version:   0.1.2
Warning:   unmaintained
Title:     `cpuid-bool` has been renamed to `cpufeatures`
Date:      2021-05-06
ID:        RUSTSEC-2021-0064
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.1.2

Crate:     difference
Version:   2.0.0
Warning:   unmaintained
Title:     difference is unmaintained
Date:      2020-12-20
ID:        RUSTSEC-2020-0095
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree:
failure 0.1.8

Crate:     net2
Version:   0.2.37
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
Date:      2018-02-13
ID:        RUSTSEC-2018-0017
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0017
Dependency tree:
tempdir 0.3.7

Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2

error: 14 vulnerabilities found!
warning: 6 allowed warnings found

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a31bb49790d79f5bc61a6d34ac23bacb9e5c0681

commit a31bb49790d79f5bc61a6d34ac23bacb9e5c0681
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-27 07:40:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-27 07:54:26 +0000

    dev-util/sccache: add 0.5.3

    Closes: https://bugs.gentoo.org/864070
    Closes: https://bugs.gentoo.org/907396
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/sccache/Manifest             | 293 ++++++++++++++++++++
 dev-util/sccache/sccache-0.5.3.ebuild | 487 ++++++++++++++++++++++++++++++++++
 dev-util/sccache/sccache-9999.ebuild  |  57 ++--
 3 files changed, 816 insertions(+), 21 deletions(-)