Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 864031

Summary: app-shells/nushell: 'cargo audit' reports one or more bundled CRATES as vulnerable
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:29:43 UTC 
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (575 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     openssl-src
Version:   111.20.0
Title:     AES OCB fails to encrypt some bytes
Date:      2022-07-05
ID:        RUSTSEC-2022-0032
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0032
Solution:  Upgrade to >=111.22, <300.0 OR >=300.0.9
Dependency tree:
openssl-src 111.20.0

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree:
failure 0.1.8

Crate:     net2
Version:   0.2.37
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
Date:      2018-02-13
ID:        RUSTSEC-2018-0017
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0017
Dependency tree:
tempdir 0.3.7

error: 3 vulnerabilities found!
warning: 3 allowed warnings found