Bug 864070 - dev-util/sccache: 'cargo audit' reports one or more bundled CRATES as vulnerable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2022-08-06 15:33 UTC by Agostino Sarubbo
Modified: 2023-06-27 07:54 UTC
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:33:47 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (382 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     crossbeam-deque
Version:   0.7.3
Title:     Data race in crossbeam-deque
Date:      2021-07-30
ID:        RUSTSEC-2021-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:  Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.7.3

Crate:     hyper
Version:   0.12.35
Title:     Multiple Transfer-Encoding headers misinterprets request payload
Date:      2021-02-05
ID:        RUSTSEC-2021-0020
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0020
Solution:  Upgrade to >=0.14.3 OR ^0.13.10 OR ^0.12.36
Dependency tree:
hyper 0.12.35

Crate:     hyper
Version:   0.12.35
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.12.35
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution:  Upgrade to >=0.14.10

Crate:     nix
Version:   0.19.1
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.19.1

Crate:     regex
Version:   1.4.2
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.4.2

Crate:     smallvec
Version:   0.6.13
Title:     Buffer overflow in SmallVec::insert_many
Date:      2021-01-08
ID:        RUSTSEC-2021-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution:  Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Dependency tree:
smallvec 0.6.13

Crate:     tar
Version:   0.4.30
Title:     Links in archive can create arbitrary directories
Date:      2021-07-19
ID:        RUSTSEC-2021-0080
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0080
Solution:  Upgrade to >=0.4.36
Dependency tree:
tar 0.4.30

Crate:     thread_local
Version:   1.1.0
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.0

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     tiny_http
Version:   0.6.2
Title:     HTTP Request smuggling through malformed Transfer Encoding headers
Date:      2020-06-16
ID:        RUSTSEC-2020-0031
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0031
Solution:  Upgrade to >=0.8.0 OR ^0.6.3
Dependency tree:
tiny_http 0.6.2

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22

Crate:     tokio
Version:   0.2.24
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.2.24

Crate:     cpuid-bool
Version:   0.1.2
Warning:   unmaintained
Title:     `cpuid-bool` has been renamed to `cpufeatures`
Date:      2021-05-06
ID:        RUSTSEC-2021-0064
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.1.2

Crate:     difference
Version:   2.0.0
Warning:   unmaintained
Title:     difference is unmaintained
Date:      2020-12-20
ID:        RUSTSEC-2020-0095
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree:
failure 0.1.8

Crate:     net2
Version:   0.2.37
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
Date:      2018-02-13
ID:        RUSTSEC-2018-0017
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0017
Dependency tree:
tempdir 0.3.7

Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2

error: 14 vulnerabilities found!
warning: 6 allowed warnings found
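A checker for the kind of finding reported above, as an added example (not Gentoo's, sccache's or cargo-audit's own code): it parses a constructed Cargo.lock fragment, implements the >=, < and Cargo caret (^) semantics used in the advisories' "Solution" ranges, and reports which pinned crates are still inside an affected range. The advisory IDs and ranges are copied from the report; the lockfile fragment and its pins are constructed.

```python
import re

# Constructed Cargo.lock fragment (not sccache's real lockfile); pins taken from the report.
CARGO_LOCK = """
[[package]]
name = "chrono"
version = "0.4.19"
[[package]]
name = "crossbeam-deque"
version = "0.7.3"
[[package]]
name = "hyper"
version = "0.12.36"
"""

# Advisory IDs and "Solution" ranges copied from the cargo-audit output above.
ADVISORIES = {
    "chrono": ("RUSTSEC-2020-0159", ">=0.4.20"),
    "crossbeam-deque": ("RUSTSEC-2021-0093", ">=0.7.4, <0.8.0 OR >=0.8.1"),
    "hyper": ("RUSTSEC-2021-0020", ">=0.14.3 OR ^0.13.10 OR ^0.12.36"),
}

def parse_version(s):
    """'0.4.19' -> (0, 4, 19); missing components count as 0."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, comparator):
    """Check one comparator: '>=0.7.4', '<0.8.0' or a Cargo caret like '^0.12.36'."""
    op, bound = re.fullmatch(r"(>=|<|\^)\s*([\d.]+)", comparator.strip()).groups()
    bound = parse_version(bound)
    if op == ">=":
        return version >= bound
    if op == "<":
        return version < bound
    # Caret: compatible until the leftmost non-zero component changes.
    major, minor, patch = bound
    upper = (major + 1, 0, 0) if major else (0, minor + 1, 0) if minor else (0, 0, patch + 1)
    return bound <= version < upper

def is_patched(version, solution):
    """True if version falls inside any OR-alternative (comma = AND) of the range."""
    v = parse_version(version)
    return any(all(satisfies(v, c) for c in alt.split(","))
               for alt in solution.split(" OR "))

def audit_lockfile(lock_text, advisories):
    """Return [(crate, version, advisory id)] for pinned crates still affected."""
    pkgs = re.findall(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"', lock_text)
    return [(name, ver, advisories[name][0]) for name, ver in pkgs
            if name in advisories and not is_patched(ver, advisories[name][1])]
```

Running `audit_lockfile(CARGO_LOCK, ADVISORIES)` flags chrono and crossbeam-deque; hyper 0.12.36 is accepted by the `^0.12.36` alternative, which is why a version bump on the 0.12 line was enough for that advisory.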
Comment 1 Larry the Git Cow gentoo-dev 2023-06-27 07:54:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a31bb49790d79f5bc61a6d34ac23bacb9e5c0681

commit a31bb49790d79f5bc61a6d34ac23bacb9e5c0681
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-27 07:40:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-27 07:54:26 +0000

    dev-util/sccache: add 0.5.3
    
    Closes: https://bugs.gentoo.org/864070
    Closes: https://bugs.gentoo.org/907396
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/sccache/Manifest             | 293 ++++++++++++++++++++
 dev-util/sccache/sccache-0.5.3.ebuild | 487 ++++++++++++++++++++++++++++++++++
 dev-util/sccache/sccache-9999.ebuild  |  57 ++--
 3 files changed, 816 insertions(+), 21 deletions(-)