Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 864082 - dev-vcs/mercurial: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: dev-vcs/mercurial: 'cargo audit' reports one or more bundled CRATES as vulner...
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-06 15:34 UTC by Agostino Sarubbo
Modified: 2022-08-06 15:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:34:50 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (149 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     crossbeam-deque
Version:   0.8.0
Title:     Data race in crossbeam-deque
Date:      2021-07-30
ID:        RUSTSEC-2021-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:  Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.8.0

Crate:     regex
Version:   1.4.2
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.4.2

Crate:     rust-crypto
Version:   0.2.36
Title:     Miscomputation when performing AES encryption in rust-crypto
Date:      2022-02-28
ID:        RUSTSEC-2022-0011
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0011
Solution:  No fixed upgrade is available!
Dependency tree:
rust-crypto 0.2.36

Crate:     rustc-serialize
Version:   0.3.24
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.24

Crate:     sized-chunks
Version:   0.6.2
Title:     Multiple soundness issues in Chunk and InlineArray
Date:      2020-09-06
ID:        RUSTSEC-2020-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0041
Solution:  Upgrade to >=0.6.3
Dependency tree:
sized-chunks 0.6.2

Crate:     thread_local
Version:   1.0.1
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.0.1

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     difference
Version:   2.0.0
Warning:   unmaintained
Title:     difference is unmaintained
Date:      2020-12-20
ID:        RUSTSEC-2020-0095
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0

Crate:     memmap
Version:   0.7.0
Warning:   unmaintained
Title:     memmap is unmaintained
Date:      2020-12-02
ID:        RUSTSEC-2020-0077
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0

Crate:     rust-crypto
Version:   0.2.36
Warning:   unmaintained
Title:     rust-crypto is unmaintained; switch to a modern alternative
Date:      2016-09-06
ID:        RUSTSEC-2016-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2016-0005

error: 8 vulnerabilities found!
warning: 3 allowed warnings found