| Summary: | <dev-python/cryptography-41.0.1: 'cargo audit' reports one or more bundled CRATES as vulnerable | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | ajak, python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | C4 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
The vulnerabilities seems to have been fixed now:
sol /var/tmp/portage/dev-python/cryptography-41.0.7/work/cryptography-41.0.7 # cargo audit --file ./src/rust/Cargo.lock
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 585 security advisories (from /root/.cargo/advisory-db)
Updating crates.io index
Scanning ./src/rust/Cargo.lock for vulnerabilities (58 crate dependencies)
Crate: ouroboros
Version: 0.15.6
Warning: unsound
Title: Ouroboros is Unsound
Date: 2023-06-11
ID: RUSTSEC-2023-0042
URL: https://rustsec.org/advisories/RUSTSEC-2023-0042
Dependency tree:
ouroboros 0.15.6
└── cryptography-rust 0.1.0
warning: 1 allowed warning found
Seems like it was fixed in this commit, which is in 41.0.0:
commit eeca346f23d2595864ec3cff86d562974cff480a
Author: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue Apr 4 20:04:55 2023 +0900
upgrade rust-asn1, which removes chrono dep (#8664)
* use new rust-asn1 non-chrono path
* bump asn1
* oh yeah, remove that
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c64e048a91b0aa0d481f453db2b0de77a5123fc4 commit c64e048a91b0aa0d481f453db2b0de77a5123fc4 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-07-01 05:59:02 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-07-01 06:09:25 +0000 [ GLSA 202407-06 ] cryptography: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/769419 Bug: https://bugs.gentoo.org/864049 Bug: https://bugs.gentoo.org/893576 Bug: https://bugs.gentoo.org/918685 Bug: https://bugs.gentoo.org/925120 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202407-06.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) |
Dear maintainer(s), 'cargo audit' reports one or more bundled CRATES as vulnerable. To reproduce please install dev-util/cargo-audit and run: cargo audit --file Cargo.lock where Cargo.lock is generated during the build of this package. For simplicity, I'm attaching here the content of 'cargo audit' here: Loaded 433 security advisories (from /tmp/advisory-db) Scanning Cargo.lock for vulnerabilities (45 crate dependencies) Crate: chrono Version: 0.4.19 Title: Potential segfault in `localtime_r` invocations Date: 2020-11-10 ID: RUSTSEC-2020-0159 URL: https://rustsec.org/advisories/RUSTSEC-2020-0159 Solution: Upgrade to >=0.4.20 Dependency tree: chrono 0.4.19 error: 1 vulnerability found!