Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

    cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

    Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (45 crate dependencies)
    Crate:         chrono
    Version:       0.4.19
    Title:         Potential segfault in `localtime_r` invocations
    Date:          2020-11-10
    ID:            RUSTSEC-2020-0159
    URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
    Solution:      Upgrade to >=0.4.20
    Dependency tree:
    chrono 0.4.19

    error: 1 vulnerability found!
The vulnerabilities seem to have been fixed now:

    sol /var/tmp/portage/dev-python/cryptography-41.0.7/work/cryptography-41.0.7 # cargo audit --file ./src/rust/Cargo.lock
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
          Loaded 585 security advisories (from /root/.cargo/advisory-db)
        Updating crates.io index
        Scanning ./src/rust/Cargo.lock for vulnerabilities (58 crate dependencies)
    Crate:     ouroboros
    Version:   0.15.6
    Warning:   unsound
    Title:     Ouroboros is Unsound
    Date:      2023-06-11
    ID:        RUSTSEC-2023-0042
    URL:       https://rustsec.org/advisories/RUSTSEC-2023-0042
    Dependency tree:
    ouroboros 0.15.6
    └── cryptography-rust 0.1.0

    warning: 1 allowed warning found

Seems like it was fixed in this commit, which is in 41.0.0:

    commit eeca346f23d2595864ec3cff86d562974cff480a
    Author: Paul Kehrer <paul.l.kehrer@gmail.com>
    Date:   Tue Apr 4 20:04:55 2023 +0900

        upgrade rust-asn1, which removes chrono dep (#8664)

        * use new rust-asn1 non-chrono path

        * bump asn1

        * oh yeah, remove that
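The two comments above show what `cargo audit` does with a lockfile: it reads every `[[package]]` entry in Cargo.lock, matches crate names against the RustSec advisory database, skips entries whose pinned version is at or above the advisory's patched version, and reports the rest as either a vulnerability (exit status 1, as in the first comment) or an "unsound" warning (allowed by default, as in the second). The script below is an added example that is not part of the bug report or of the cargo-audit project; it re-implements that check on a small advisory table constructed from the two RUSTSEC entries quoted on this page, and the two lockfiles it reads are constructed to mirror the before and after state described in the thread (the `libc` entry and its version are made up to exercise the no-match path). It only understands the ">=X.Y.Z" patched-range form seen here; the real tool uses full semver ranges and the full advisory-db.

```python
"""Minimal re-implementation of the check `cargo audit --file Cargo.lock` performs.

Added example, not code from the bug report or from cargo-audit itself. The
advisory table is constructed from the two RUSTSEC entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    id: str
    crate: str
    title: str
    kind: str               # "vulnerability" or "unsound"
    patched: Optional[str]  # minimum fixed version from "Solution: Upgrade to >=..."; None if no fix listed


# Constructed from the two cargo-audit findings shown in this bug.
ADVISORIES = [
    Advisory("RUSTSEC-2020-0159", "chrono",
             "Potential segfault in `localtime_r` invocations", "vulnerability", "0.4.20"),
    Advisory("RUSTSEC-2023-0042", "ouroboros",
             "Ouroboros is Unsound", "unsound", None),
]

_PACKAGE_HEADER = re.compile(r"^\[\[package\]\]\s*$", re.M)


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from the [[package]] tables of a Cargo.lock.

    Everything before the first [[package]] header (the generated-file comment and
    the lockfile format `version = N` line) is deliberately discarded.
    """
    packages = []
    for block in _PACKAGE_HEADER.split(text)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for 'X.Y.Z' comparison; pre-release and build suffixes are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def audit(packages, advisories=ADVISORIES):
    """Return (vulnerabilities, warnings); each entry is (advisory_id, crate, version)."""
    vulns, warns = [], []
    for name, version in packages:
        for adv in advisories:
            if adv.crate != name:
                continue
            # A patched advisory no longer applies once the lockfile pins >= the fixed version.
            if adv.patched is not None and version_key(version) >= version_key(adv.patched):
                continue
            entry = (adv.id, name, version)
            (vulns if adv.kind == "vulnerability" else warns).append(entry)
    return vulns, warns


# Constructed lockfile mirroring the vulnerable state from the first comment.
VULNERABLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "chrono"
version = "0.4.19"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.126"
"""

# Constructed lockfile mirroring the post-fix state from the second comment.
FIXED_LOCK = """\
version = 3

[[package]]
name = "ouroboros"
version = "0.15.6"

[[package]]
name = "cryptography-rust"
version = "0.1.0"
dependencies = [
 "ouroboros",
]
"""


def report(lock_text: str) -> int:
    """Print findings in cargo-audit's spirit and return its exit status (1 only for vulnerabilities)."""
    vulns, warns = audit(parse_cargo_lock(lock_text))
    for adv_id, crate, version in vulns:
        print(f"Crate: {crate} {version}  ID: {adv_id}")
    for adv_id, crate, version in warns:
        print(f"Crate: {crate} {version}  Warning: unsound  ID: {adv_id}")
    if vulns:
        print(f"error: {len(vulns)} vulnerability found!")
        return 1
    print(f"warning: {len(warns)} allowed warning found")
    return 0


if __name__ == "__main__":
    report(VULNERABLE_LOCK)
    report(FIXED_LOCK)
```

The split between `vulns` and `warns` is the detail worth noticing in the thread: the second run still lists a RUSTSEC entry, but because its kind is "unsound" and no patched version is known, `cargo audit` treats it as an allowed warning and exits 0, which is why the reporter considers the bug fixed.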
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c64e048a91b0aa0d481f453db2b0de77a5123fc4

    commit c64e048a91b0aa0d481f453db2b0de77a5123fc4
    Author:     GLSAMaker <glsamaker@gentoo.org>
    AuthorDate: 2024-07-01 05:59:02 +0000
    Commit:     John Helmert III <ajak@gentoo.org>
    CommitDate: 2024-07-01 06:09:25 +0000

        [ GLSA 202407-06 ] cryptography: Multiple Vulnerabilities

        Bug: https://bugs.gentoo.org/769419
        Bug: https://bugs.gentoo.org/864049
        Bug: https://bugs.gentoo.org/893576
        Bug: https://bugs.gentoo.org/918685
        Bug: https://bugs.gentoo.org/925120
        Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
        Signed-off-by: John Helmert III <ajak@gentoo.org>

     glsa-202407-06.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
     1 file changed, 49 insertions(+)