Bug 1895915 - Audit cargo audit output
Status: NEW (open), opened 5 months ago, updated 5 months ago
Product/Component: Firefox Build System :: General (defect, P3)
Tracking: not tracked
Reporter: tjr; Assignee: unassigned
Keywords: sec-audit
Running ./mach cargo audit on a recentish checkout gives the following output:
0:02.73 Crate: chrono
0:02.73 Version: 0.4.19
0:02.73 Title: Potential segfault in `localtime_r` invocations
0:02.73 Date: 2020-11-10
0:02.73 ID: RUSTSEC-2020-0159
0:02.73 URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
0:02.73 Solution: Upgrade to >=0.4.20
0:02.73 Dependency tree:
0:02.73 chrono 0.4.19
0:02.73 ├── suggest 0.1.0
0:02.73 │ └── gkrust-shared 0.1.0
0:02.73 │ ├── gkrust-gtest 0.1.0
0:02.73 │ └── gkrust 0.1.0
0:02.73 ├── mozilla-central-workspace-hack 0.1.0
0:02.73 │ ├── process_reader 0.1.0
0:02.73 │ │ ├── mozwer_s 0.1.0
0:02.73 │ │ └── mozannotation_server 0.1.0
0:02.73 │ │ └── gkrust-shared 0.1.0
0:02.73 │ ├── osclientcerts-static 0.1.4
0:02.73 │ ├── nmhproxy 0.1.0
0:02.73 │ ├── mozwer_s 0.1.0
0:02.73 │ ├── jsrust 0.1.0
0:02.73 │ ├── ipcclientcerts-static 0.1.0
0:02.73 │ ├── http3server 0.1.1
0:02.73 │ ├── gkrust-gtest 0.1.0
0:02.73 │ ├── gkrust 0.1.0
0:02.73 │ ├── geckodriver 0.34.0
0:02.73 │ ├── crashreporter 1.0.0
0:02.73 │ └── builtins-static 0.1.0
0:02.73 ├── glean-core 60.0.0
0:02.73 │ └── glean 60.0.0
0:02.73 │ ├── wr_glyph_rasterizer 0.1.0
0:02.73 │ │ └── webrender 0.62.0
0:02.73 │ │ └── webrender_bindings 0.1.0
0:02.73 │ │ └── gkrust-shared 0.1.0
0:02.73 │ ├── webrender 0.62.0
0:02.73 │ ├── fog_control 0.1.0
0:02.73 │ │ └── gkrust-shared 0.1.0
0:02.73 │ └── firefox-on-glean 0.1.0
0:02.73 │ ├── wr_glyph_rasterizer 0.1.0
0:02.73 │ ├── webrender 0.62.0
0:02.73 │ ├── jog 0.1.0
0:02.73 │ │ ├── gkrust-shared 0.1.0
0:02.73 │ │ └── fog-gtest 0.1.0
0:02.73 │ │ └── gkrust-gtest 0.1.0
0:02.73 │ ├── fog_control 0.1.0
0:02.73 │ ├── fog-gtest 0.1.0
0:02.73 │ └── data_storage 0.0.1
0:02.73 │ └── gkrust-shared 0.1.0
0:02.73 ├── geckodriver 0.34.0
0:02.73 └── firefox-on-glean 0.1.0
0:02.73
0:02.73 Crate: h2
0:02.73 Version: 0.3.22
0:02.73 Title: Degradation of service in h2 servers with CONTINUATION Flood
0:02.73 Date: 2024-04-03
0:02.73 ID: RUSTSEC-2024-0332
0:02.73 URL: https://rustsec.org/advisories/RUSTSEC-2024-0332
0:02.73 Solution: Upgrade to ^0.3.26 OR >=0.4.4
0:02.73 Dependency tree:
0:02.73 h2 0.3.22
0:02.73 └── hyper 0.14.24
0:02.73 ├── warp 0.3.6
0:02.73 │ ├── webdriver 0.50.0
0:02.73 │ │ └── geckodriver 0.34.0
0:02.73 │ └── crashreporter 1.0.0
0:02.73 ├── mozilla-central-workspace-hack 0.1.0
0:02.73 │ ├── process_reader 0.1.0
0:02.73 │ │ ├── mozwer_s 0.1.0
0:02.73 │ │ └── mozannotation_server 0.1.0
0:02.73 │ │ └── gkrust-shared 0.1.0
0:02.73 │ │ ├── gkrust-gtest 0.1.0
0:02.73 │ │ └── gkrust 0.1.0
0:02.73 │ ├── osclientcerts-static 0.1.4
0:02.73 │ ├── nmhproxy 0.1.0
0:02.73 │ ├── mozwer_s 0.1.0
0:02.73 │ ├── jsrust 0.1.0
0:02.73 │ ├── ipcclientcerts-static 0.1.0
0:02.73 │ ├── http3server 0.1.1
0:02.73 │ ├── gkrust-gtest 0.1.0
0:02.73 │ ├── gkrust 0.1.0
0:02.73 │ ├── geckodriver 0.34.0
0:02.73 │ ├── crashreporter 1.0.0
0:02.73 │ └── builtins-static 0.1.0
0:02.73 ├── http3server 0.1.1
0:02.73 └── geckodriver 0.34.0
0:02.73
0:02.73 Crate: h2
0:02.73 Version: 0.3.22
0:02.73 Title: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
0:02.73 Date: 2024-01-17
0:02.73 ID: RUSTSEC-2024-0003
0:02.73 URL: https://rustsec.org/advisories/RUSTSEC-2024-0003
0:02.73 Solution: Upgrade to ^0.3.24 OR >=0.4.2
0:02.73
0:02.73 Crate: owning_ref
0:02.73 Version: 0.4.1
0:02.73 Title: Multiple soundness issues in `owning_ref`
0:02.73 Date: 2022-01-26
0:02.73 ID: RUSTSEC-2022-0040
0:02.73 URL: https://rustsec.org/advisories/RUSTSEC-2022-0040
0:02.73 Solution: No fixed upgrade is available!
0:02.73 Dependency tree:
0:02.73 owning_ref 0.4.1
0:02.73 └── style 0.0.1
0:02.73 ├── stylo_tests 0.0.1
0:02.73 │ └── gkrust 0.1.0
0:02.73 └── geckoservo 0.0.1
0:02.74 └── gkrust-shared 0.1.0
0:02.74 ├── gkrust-gtest 0.1.0
0:02.74 └── gkrust 0.1.0
0:02.74
0:02.74 Crate: remove_dir_all
0:02.74 Version: 0.5.3
0:02.74 Title: Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
0:02.74 Date: 2023-02-24
0:02.74 ID: RUSTSEC-2023-0018
0:02.74 URL: https://rustsec.org/advisories/RUSTSEC-2023-0018
0:02.74 Solution: Upgrade to >=0.8.0
0:02.74 Dependency tree:
0:02.74 remove_dir_all 0.5.3
0:02.74 └── webrender_bindings 0.1.0
0:02.74 └── gkrust-shared 0.1.0
0:02.74 ├── gkrust-gtest 0.1.0
0:02.74 └── gkrust 0.1.0
0:02.74
0:02.74 Crate: self_cell
0:02.74 Version: 0.10.2
0:02.74 Title: Insufficient covariance check makes self_cell unsound
0:02.74 Date: 2023-11-10
0:02.74 ID: RUSTSEC-2023-0070
0:02.74 URL: https://rustsec.org/advisories/RUSTSEC-2023-0070
0:02.74 Solution: Upgrade to >=0.10.3, <1.0.0 OR >=1.0.2
0:02.74 Dependency tree:
0:02.74 self_cell 0.10.2
0:02.74 └── fluent-bundle 0.15.2
0:02.74 ├── l10nregistry 0.3.0
0:02.74 │ ├── localization-ffi 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ │ ├── gkrust-gtest 0.1.0
0:02.74 │ │ └── gkrust 0.1.0
0:02.74 │ ├── l10nregistry-ffi 0.1.0
0:02.74 │ │ ├── localization-ffi 0.1.0
0:02.74 │ │ ├── l10nregistry-ffi-gtest 0.1.0
0:02.74 │ │ │ └── gkrust-gtest 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 ├── fluent-fallback 0.7.0
0:02.74 │ ├── localization-ffi 0.1.0
0:02.74 │ ├── l10nregistry-ffi 0.1.0
0:02.74 │ ├── l10nregistry 0.3.0
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 └── fluent 0.16.0
0:02.74 ├── localization-ffi 0.1.0
0:02.74 ├── l10nregistry-ffi 0.1.0
0:02.74 ├── gkrust-shared 0.1.0
0:02.74 ├── fluent-ffi 0.1.0
0:02.74 │ ├── localization-ffi 0.1.0
0:02.74 │ ├── l10nregistry-ffi 0.1.0
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 └── crashreporter 1.0.0
0:02.74
0:02.74 Crate: shlex
0:02.74 Version: 1.1.0
0:02.74 Title: Multiple issues involving quote API
0:02.74 Date: 2024-01-21
0:02.74 ID: RUSTSEC-2024-0006
0:02.74 URL: https://rustsec.org/advisories/RUSTSEC-2024-0006
0:02.74 Solution: Upgrade to >=1.3.0
0:02.74 Dependency tree:
0:02.74 shlex 1.1.0
0:02.74 └── bindgen 0.69.4
0:02.74 ├── style 0.0.1
0:02.74 │ ├── stylo_tests 0.0.1
0:02.74 │ │ └── gkrust 0.1.0
0:02.74 │ └── geckoservo 0.0.1
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 │ ├── gkrust-gtest 0.1.0
0:02.74 │ └── gkrust 0.1.0
0:02.74 ├── pkcs11-bindings 0.1.5
0:02.74 │ ├── rsclientcerts 0.1.0
0:02.74 │ │ ├── osclientcerts-static 0.1.4
0:02.74 │ │ └── ipcclientcerts-static 0.1.0
0:02.74 │ ├── osclientcerts-static 0.1.4
0:02.74 │ ├── nss-gk-api 0.3.0
0:02.74 │ │ └── authenticator 0.4.0-alpha.24
0:02.74 │ │ └── authrs_bridge 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ ├── ipcclientcerts-static 0.1.0
0:02.74 │ ├── builtins-static 0.1.0
0:02.74 │ └── authenticator 0.4.0-alpha.24
0:02.74 ├── nss-gk-api 0.3.0
0:02.74 ├── neqo-crypto 0.7.5
0:02.74 │ ├── neqo_glue 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ ├── neqo-transport 0.7.5
0:02.74 │ │ ├── neqo_glue 0.1.0
0:02.74 │ │ ├── neqo-qpack 0.7.5
0:02.74 │ │ │ ├── neqo_glue 0.1.0
0:02.74 │ │ │ ├── neqo-http3 0.7.5
0:02.74 │ │ │ │ ├── neqo_glue 0.1.0
0:02.74 │ │ │ │ └── http3server 0.1.1
0:02.74 │ │ │ └── http3server 0.1.1
0:02.74 │ │ ├── neqo-http3 0.7.5
0:02.74 │ │ └── http3server 0.1.1
0:02.74 │ ├── neqo-qpack 0.7.5
0:02.74 │ ├── neqo-http3 0.7.5
0:02.74 │ └── http3server 0.1.1
0:02.74 ├── mozilla-central-workspace-hack 0.1.0
0:02.74 │ ├── process_reader 0.1.0
0:02.74 │ │ ├── mozwer_s 0.1.0
0:02.74 │ │ └── mozannotation_server 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ ├── osclientcerts-static 0.1.4
0:02.74 │ ├── nmhproxy 0.1.0
0:02.74 │ ├── mozwer_s 0.1.0
0:02.74 │ ├── jsrust 0.1.0
0:02.74 │ ├── ipcclientcerts-static 0.1.0
0:02.74 │ ├── http3server 0.1.1
0:02.74 │ ├── gkrust-gtest 0.1.0
0:02.74 │ ├── gkrust 0.1.0
0:02.74 │ ├── geckodriver 0.34.0
0:02.74 │ ├── crashreporter 1.0.0
0:02.74 │ └── builtins-static 0.1.0
0:02.74 ├── http3server 0.1.1
0:02.74 ├── gtkbind 0.1.0
0:02.74 │ └── crashreporter 1.0.0
0:02.74 ├── gecko-profiler 0.1.0
0:02.74 │ ├── webrender_bindings 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ ├── style 0.0.1
0:02.74 │ ├── mdns_service 0.1.1
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ ├── gkrust-shared 0.1.0
0:02.74 │ └── geckoservo 0.0.1
0:02.74 ├── coreaudio-sys 0.2.14
0:02.74 │ └── coreaudio-sys-utils 0.1.0
0:02.74 │ └── cubeb-coreaudio 0.1.0
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 ├── cocoabind 0.1.0
0:02.74 │ └── crashreporter 1.0.0
0:02.74 ├── builtins-static 0.1.0
0:02.74 └── bindgen 0.63.999
0:02.74 └── ohttp 0.3.1
0:02.74 ├── oblivious_http 0.1.0
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 └── fog_control 0.1.0
0:02.74 └── gkrust-shared 0.1.0
0:02.74
0:02.74 Crate: time
0:02.74 Version: 0.1.45
0:02.74 Title: Potential segfault in the time crate
0:02.74 Date: 2020-11-18
0:02.74 ID: RUSTSEC-2020-0071
0:02.74 URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
0:02.74 Severity: 6.2 (medium)
0:02.74 Solution: Upgrade to >=0.2.23
0:02.74 Dependency tree:
0:02.74 time 0.1.45
0:02.74 ├── webrender_api 0.62.0
0:02.74 │ ├── wr_glyph_rasterizer 0.1.0
0:02.74 │ │ └── webrender 0.62.0
0:02.74 │ │ └── webrender_bindings 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ │ ├── gkrust-gtest 0.1.0
0:02.74 │ │ └── gkrust 0.1.0
0:02.74 │ └── webrender 0.62.0
0:02.74 ├── webrender 0.62.0
0:02.74 ├── style 0.0.1
0:02.74 │ ├── stylo_tests 0.0.1
0:02.74 │ │ └── gkrust 0.1.0
0:02.74 │ └── geckoservo 0.0.1
0:02.74 │ └── gkrust-shared 0.1.0
0:02.74 ├── glean-core 60.0.0
0:02.74 │ └── glean 60.0.0
0:02.74 │ ├── wr_glyph_rasterizer 0.1.0
0:02.74 │ ├── webrender 0.62.0
0:02.74 │ ├── fog_control 0.1.0
0:02.74 │ │ └── gkrust-shared 0.1.0
0:02.74 │ └── firefox-on-glean 0.1.0
0:02.74 │ ├── wr_glyph_rasterizer 0.1.0
0:02.75 │ ├── webrender 0.62.0
0:02.75 │ ├── jog 0.1.0
0:02.75 │ │ ├── gkrust-shared 0.1.0
0:02.75 │ │ └── fog-gtest 0.1.0
0:02.75 │ │ └── gkrust-gtest 0.1.0
0:02.75 │ ├── fog_control 0.1.0
0:02.75 │ ├── fog-gtest 0.1.0
0:02.75 │ └── data_storage 0.0.1
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 ├── chrono 0.4.19
0:02.75 │ ├── suggest 0.1.0
0:02.75 │ │ └── gkrust-shared 0.1.0
0:02.75 │ ├── mozilla-central-workspace-hack 0.1.0
0:02.75 │ │ ├── process_reader 0.1.0
0:02.75 │ │ │ ├── mozwer_s 0.1.0
0:02.75 │ │ │ └── mozannotation_server 0.1.0
0:02.75 │ │ │ └── gkrust-shared 0.1.0
0:02.75 │ │ ├── osclientcerts-static 0.1.4
0:02.75 │ │ ├── nmhproxy 0.1.0
0:02.75 │ │ ├── mozwer_s 0.1.0
0:02.75 │ │ ├── jsrust 0.1.0
0:02.75 │ │ ├── ipcclientcerts-static 0.1.0
0:02.75 │ │ ├── http3server 0.1.1
0:02.75 │ │ ├── gkrust-gtest 0.1.0
0:02.75 │ │ ├── gkrust 0.1.0
0:02.75 │ │ ├── geckodriver 0.34.0
0:02.75 │ │ ├── crashreporter 1.0.0
0:02.75 │ │ └── builtins-static 0.1.0
0:02.75 │ ├── glean-core 60.0.0
0:02.75 │ ├── geckodriver 0.34.0
0:02.75 │ └── firefox-on-glean 0.1.0
0:02.75 └── cert_storage 0.0.1
0:02.75 └── gkrust-shared 0.1.0
0:02.75
0:02.75 Crate: mach
0:02.75 Version: 0.3.2
0:02.75 Warning: unmaintained
0:02.75 Title: mach is unmaintained
0:02.75 Date: 2020-07-14
0:02.75 ID: RUSTSEC-2020-0168
0:02.75 URL: https://rustsec.org/advisories/RUSTSEC-2020-0168
0:02.75 Dependency tree:
0:02.75 mach 0.3.2
0:02.75 ├── cubeb-coreaudio 0.1.0
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 │ ├── gkrust-gtest 0.1.0
0:02.75 │ └── gkrust 0.1.0
0:02.75 └── audio_thread_priority 0.32.0
0:02.75 ├── gkrust-shared 0.1.0
0:02.75 ├── audioipc2-server 0.6.0
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 ├── audioipc2-client 0.6.0
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 └── audioipc2 0.6.0
0:02.75 ├── audioipc2-server 0.6.0
0:02.75 └── audioipc2-client 0.6.0
0:02.75
0:02.75 Crate: net2
0:02.75 Version: 0.2.38
0:02.75 Warning: unmaintained
0:02.75 Title: `net2` crate has been deprecated; use `socket2` instead
0:02.75 Date: 2020-05-01
0:02.75 ID: RUSTSEC-2020-0016
0:02.75 URL: https://rustsec.org/advisories/RUSTSEC-2020-0016
0:02.75 Dependency tree:
0:02.75 net2 0.2.38
0:02.75 └── mio 0.6.23
0:02.75 ├── mio-extras 2.0.6
0:02.75 │ └── http3server 0.1.1
0:02.75 └── http3server 0.1.1
0:02.75
0:02.75 Crate: safemem
0:02.75 Version: 0.3.3
0:02.75 Warning: unmaintained
0:02.75 Title: safemem is unmaintained
0:02.75 Date: 2023-02-14
0:02.75 ID: RUSTSEC-2023-0081
0:02.75 URL: https://rustsec.org/advisories/RUSTSEC-2023-0081
0:02.75 Dependency tree:
0:02.75 safemem 0.3.3
0:02.75 └── line-wrap 0.1.1
0:02.75 └── plist 1.3.1
0:02.75 └── mozrunner 0.15.2
0:02.75 └── geckodriver 0.34.0
0:02.75
0:02.75 Crate: serde_cbor
0:02.75 Version: 0.11.2
0:02.75 Warning: unmaintained
0:02.75 Title: serde_cbor is unmaintained
0:02.75 Date: 2021-08-15
0:02.75 ID: RUSTSEC-2021-0127
0:02.75 URL: https://rustsec.org/advisories/RUSTSEC-2021-0127
0:02.75 Dependency tree:
0:02.75 serde_cbor 0.11.2
0:02.75 ├── authrs_bridge 0.1.0
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 │ ├── gkrust-gtest 0.1.0
0:02.75 │ └── gkrust 0.1.0
0:02.75 └── authenticator 0.4.0-alpha.24
0:02.75 └── authrs_bridge 0.1.0
0:02.75
0:02.75 Crate: yaml-rust
0:02.75 Version: 0.4.5
0:02.75 Warning: unmaintained
0:02.75 Title: yaml-rust is unmaintained.
0:02.75 Date: 2024-03-20
0:02.75 ID: RUSTSEC-2024-0320
0:02.75 URL: https://rustsec.org/advisories/RUSTSEC-2024-0320
0:02.75 Dependency tree:
0:02.75 yaml-rust 0.4.5
0:02.75 ├── serde_yaml 0.8.26
0:02.75 │ └── geckodriver 0.34.0
0:02.75 └── crashreporter 1.0.0
0:02.75
0:02.75 Crate: crossbeam-channel
0:02.75 Version: 0.5.6
0:02.75 Warning: yanked
0:02.75 Dependency tree:
0:02.75 crossbeam-channel 0.5.6
0:02.75 ├── webrender_api 0.62.0
0:02.75 │ ├── wr_glyph_rasterizer 0.1.0
0:02.75 │ │ └── webrender 0.62.0
0:02.75 │ │ └── webrender_bindings 0.1.0
0:02.75 │ │ └── gkrust-shared 0.1.0
0:02.75 │ │ ├── gkrust-gtest 0.1.0
0:02.75 │ │ └── gkrust 0.1.0
0:02.75 │ └── webrender 0.62.0
0:02.75 └── glean-core 60.0.0
0:02.75 └── glean 60.0.0
0:02.75 ├── wr_glyph_rasterizer 0.1.0
0:02.75 ├── webrender 0.62.0
0:02.75 ├── fog_control 0.1.0
0:02.75 │ └── gkrust-shared 0.1.0
0:02.75 └── firefox-on-glean 0.1.0
0:02.75 ├── wr_glyph_rasterizer 0.1.0
0:02.75 ├── webrender 0.62.0
0:02.75 ├── jog 0.1.0
0:02.75 │ ├── gkrust-shared 0.1.0
0:02.75 │ └── fog-gtest 0.1.0
0:02.75 │ └── gkrust-gtest 0.1.0
0:02.75 ├── fog_control 0.1.0
0:02.75 ├── fog-gtest 0.1.0
0:02.75 └── data_storage 0.0.1
0:02.75 └── gkrust-shared 0.1.0
0:02.75
0:02.75 Crate: self_cell
0:02.75 Version: 0.10.2
0:02.75 Warning: yanked
0:02.75
0:02.75 error: 8 vulnerabilities found!
0:02.75 warning: 7 allowed warnings found
That's issues in
- chrono - https://rustsec.org/advisories/RUSTSEC-2020-0159
- h2 (2) - https://rustsec.org/advisories/RUSTSEC-2024-0332 and https://rustsec.org/advisories/RUSTSEC-2024-0003
- owning_ref (Bug 1894756) - https://rustsec.org/advisories/RUSTSEC-2022-0040
- remove_dir_all - https://rustsec.org/advisories/RUSTSEC-2023-0018
- self_cell (2) - https://rustsec.org/advisories/RUSTSEC-2023-0070 and 'yanked'
- shlex - https://rustsec.org/advisories/RUSTSEC-2024-0006
- time - https://rustsec.org/advisories/RUSTSEC-2020-0071
- mach - unmaintained - https://rustsec.org/advisories/RUSTSEC-2020-0168
- net2 - deprecated, succeeded by socket2 - https://rustsec.org/advisories/RUSTSEC-2020-0016
- safemem - unmaintained - https://rustsec.org/advisories/RUSTSEC-2023-0081
- serde_cbor - unmaintained - https://rustsec.org/advisories/RUSTSEC-2021-0127
- yaml-rust - unmaintained - https://rustsec.org/advisories/RUSTSEC-2024-0320
- crossbeam-channel - 'yanked'
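The summary list above was compiled by hand from the report. The following is an added example (not code from this bug or from mozilla-central) that parses the plain-text report layout `cargo audit` prints, as reproduced above, and reduces it to the same per-crate list, also flagging advisories for which the report offers no fixed upgrade. It assumes the layout shown in the bug: `Key:   value` lines per advisory block, an optional `Dependency tree:` section, blank lines between blocks, and the `0:02.73`-style elapsed-time prefix that mach prepends to every line. The embedded `SAMPLE_REPORT` is constructed from a subset of the entries in this bug, with some `Title`/`Date` lines omitted for brevity. For tooling that runs in CI, `cargo audit --json` is the more stable interface; this parser exists only because the text report is what the bug captures.

```python
import re

MACH_PREFIX = re.compile(r"^\s*\d+:\d+\.\d+ ?")  # "0:02.73 " that mach prepends to every line
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")    # "Key:   value" lines of an advisory block

# Constructed sample: a subset of this bug's report (some Title/Date lines dropped for brevity).
SAMPLE_REPORT = """\
0:02.73 Crate:     chrono
0:02.73 Version:   0.4.19
0:02.73 Title:     Potential segfault in `localtime_r` invocations
0:02.73 ID:        RUSTSEC-2020-0159
0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
0:02.73 Solution:  Upgrade to >=0.4.20
0:02.73 Dependency tree:
0:02.73 chrono 0.4.19
0:02.73 ├── suggest 0.1.0
0:02.73
0:02.73 Crate:     h2
0:02.73 Version:   0.3.22
0:02.73 ID:        RUSTSEC-2024-0332
0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0332
0:02.73 Solution:  Upgrade to ^0.3.26 OR >=0.4.4
0:02.73
0:02.73 Crate:     h2
0:02.73 Version:   0.3.22
0:02.73 ID:        RUSTSEC-2024-0003
0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
0:02.73 Solution:  Upgrade to ^0.3.24 OR >=0.4.2
0:02.73
0:02.73 Crate:     owning_ref
0:02.73 Version:   0.4.1
0:02.73 ID:        RUSTSEC-2022-0040
0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
0:02.73 Solution:  No fixed upgrade is available!
0:02.73
0:02.75 Crate:     net2
0:02.75 Version:   0.2.38
0:02.75 Warning:   unmaintained
0:02.75 ID:        RUSTSEC-2020-0016
0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
0:02.75
0:02.75 Crate:     crossbeam-channel
0:02.75 Version:   0.5.6
0:02.75 Warning:   yanked
0:02.75
0:02.75 error: 4 vulnerabilities found!
0:02.75 warning: 2 allowed warnings found
"""

def parse_report(text):
    """One dict per 'Crate:' block keyed by the report's field names; trees are skipped."""
    entries, current, in_tree = [], None, False
    for raw in text.splitlines():
        line = MACH_PREFIX.sub("", raw).strip()
        if not line:                       # blank line closes the block
            current, in_tree = None, False
        elif line.startswith("Crate:"):
            current = {"Crate": line.split(":", 1)[1].strip()}
            entries.append(current)
            in_tree = False
        elif current is None or in_tree:   # trailer lines or dependency-tree lines
            pass
        elif line.startswith("Dependency tree:"):
            in_tree = True
        elif (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return entries

def kind(entry):
    """'vulnerability' for an advisory, else the warning class (unmaintained, yanked)."""
    return entry.get("Warning", "vulnerability")

def has_fix(entry):
    """True when cargo audit names a patched version range."""
    return bool(entry.get("Solution")) and not entry["Solution"].startswith("No fixed upgrade")

def summarize(entries):
    """crate -> {"version", "findings": [(kind, id or None, url or None)], "unfixed": [ids]}"""
    by_crate = {}
    for e in entries:
        info = by_crate.setdefault(e["Crate"], {"version": e.get("Version"), "findings": [], "unfixed": []})
        info["findings"].append((kind(e), e.get("ID"), e.get("URL")))
        if kind(e) == "vulnerability" and not has_fix(e):
            info["unfixed"].append(e["ID"])
    return by_crate

def render(summary):
    """Bullet list in the shape of the one in the bug description."""
    lines = []
    for crate, info in summary.items():
        refs = [f"'{k}'" if adv_id is None            # yanked: no advisory to cite
                else url if k == "vulnerability"
                else f"{k} - {url}"
                for k, adv_id, url in info["findings"]]
        count = f" ({len(refs)})" if len(refs) > 1 else ""
        lines.append(f"- {crate}{count} - " + " and ".join(refs))
    return lines

def totals(entries):
    """(vulnerabilities, warnings), to cross-check against the report's trailer."""
    vulns = sum(1 for e in entries if kind(e) == "vulnerability")
    return vulns, len(entries) - vulns
```

Feeding the full output of `./mach cargo audit` to `parse_report` and printing `render(summarize(...))` reproduces the bullet list; `summarize(...)[crate]["unfixed"]` is the part worth acting on first, since an advisory with no patched range (owning_ref here) cannot be closed by a version bump alone.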
Updated by reporter, 5 months ago
Component: Audio/Video: Recording → General
Product: Core → Firefox Build System

Comment 1, by reporter, 5 months ago
- chrono: looks like a DoS to me
- h2 - DoS
- owning_ref - see 1894756
- remove_dir_all - Should probably fix this
- self_cell - should probably fix this, but unlikely to be a problem
- shlex - should probably fix this, but unlikely to be a problem
- time - looks like a DoS to me
- mach - should consider migrating?
- net2 - looks like mio uses this and we'd need to upgrade or resolve that situation
- safemem - looks like we can eliminate this dependency with a few different built-in functions now
- serde-cbor - used in webauthn/authrs_bridge and has been audited, but this either is exposed to attacker input or eventually will be, I imagine, so it'd be good to get to a maintained version
- yaml-rust - looks like it's used by rust/serde_yaml/ - it's been audited by someone whose audit we pulled in.
- crossbeam-channel - a couple years out of date on this, although no known vulns
Comment 2, by reporter, 5 months ago

Can we run cargo audit in the build system?
Comment 3, 5 months ago

(In reply to Tom Ritter [:tjr] from comment #2)
> Can we run cargo audit in the build system?

You can run mach cargo audit

(In reply to Tom Ritter [:tjr] from comment #1)
> - chrono: looks like a DoS to me

We have tons of other localtime_r uses. Fixing chrono is not going to move the needle one bit. OTOH, IIRC, upgrading chrono causes problems, which is essentially why it hasn't been updated.

> - h2 - DoS
> - owning_ref - see 1894756
> - remove_dir_all - Should probably fix this
> - self_cell - should probably fix this, but unlikely to be a problem
> - shlex - should probably fix this, but unlikely to be a problem
> - time - looks like a DoS to me
> - mach - should consider migrating?
> - net2 - looks like mio uses this and we'd need to upgrade or resolve that situation
> - safemem - looks like we can eliminate this dependency with a few different built-in functions now
> - serde-cbor - used in webauthn/authrs_bridge and has been audited, but this either is exposed to attacker input or eventually will be, I imagine, so it'd be good to get to a maintained version
> - yaml-rust - looks like it's used by rust/serde_yaml/ - it's been audited by someone whose audit we pulled in.
> - crossbeam-channel - a couple years out of date on this, although no known vulns

It's kind of sad that "unmaintained" is a security issue for RUSTSEC...
Updated 5 months ago
Severity: -- → S3
Priority: -- → P3