Open
Description
Currently mbedtls has a bunch of outdated dependencies, some of which contain vulnerabilities:
`cargo outdated|grep -v Removed`:

```
mbedtls
================
Name        Project  Compat  Latest  Kind         Platform
----        -------  ------  ------  ----         --------
bit-vec     0.5.1    ---     0.6.3   Normal       ---
bitflags    1.3.2    ---     2.5.0   Normal       ---
hex         0.3.2    ---     0.4.3   Development  ---
hyper       0.10.16  ---     1.3.1   Development  ---
num-bigint  0.2.6    ---     0.4.5   Normal       ---
rand        0.4.6    ---     0.8.5   Development  ---
rand_core   0.3.1    ---     0.6.4   Normal       cfg(target_env = "sgx")
serde_cbor  0.6.1    ---     0.11.2  Development  ---
yasna       0.2.2    ---     0.5.2   Normal       ---

mbedtls-platform-support
================
Name        Project  Compat  Latest  Kind         Platform
----        -------  ------  ------  ----         --------
spin        0.5.2    ---     0.9.8   Normal       ---

mbedtls-sys-auto
================
Name        Project  Compat  Latest  Kind         Platform
----        -------  ------  ------  ----         --------
bindgen     0.65.1   ---     0.69.4  Build        ---
bitflags    1.3.2    ---     2.5.0   Normal       ---
syn         1.0.109  ---     2.0.66  Build        ---
```

`cargo audit`:

```
Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
└── mbedtls 0.12.3

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     serde_cbor
Version:   0.6.1
Title:     Flaw in CBOR deserializer allows stack overflow
Date:      2019-10-03
ID:        RUSTSEC-2019-0025
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0025
Severity:  7.5 (high)
Solution:  Upgrade to >=0.10.2
Dependency tree:
serde_cbor 0.6.1
└── mbedtls 0.12.3

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── hyper 0.10.16
    └── mbedtls 0.12.3

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
Title:     safemem is unmaintained
Date:      2023-02-14
ID:        RUSTSEC-2023-0081
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
└── base64 0.9.3
    └── hyper 0.10.16
        └── mbedtls 0.12.3

Crate:     serde_cbor
Version:   0.6.1
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    └── mbedtls 0.12.3

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 4 vulnerabilities found!
warning: 5 allowed warnings found
```