cargo audit reported vulnerabilities in 2.12.0 #505

Open
cataggar opened this issue Jul 5, 2022 · 4 comments

Comments


cataggar commented Jul 5, 2022

http-types 2.12.0 is the latest version. The default features pull in dependencies with reported vulnerabilities.

Steps to reproduce (the `cargo check` will create the Cargo.lock that `cargo audit` uses):

```shell
git checkout tags/v2.12.0
cargo check
cargo audit
```

```text
PS C:\Users\cataggar\io\http-types> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 421 security advisories (from C:\Users\cataggar\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:         aes-soft
Version:       0.6.4
Warning:       unmaintained
Title:         `aes-soft` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0060
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         aesni
Version:       0.10.0
Warning:       unmaintained
Title:         `aesni` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0059
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         cpuid-bool
Version:       0.2.0
Warning:       unmaintained
Title:         `cpuid-bool` has been renamed to `cpufeatures`
Date:          2021-05-06
ID:            RUSTSEC-2021-0064
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.2.0
└── polyval 0.4.5
    └── ghash 0.3.1
        └── aes-gcm 0.8.0
            └── cookie 0.14.4
                └── http-types 2.12.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0

warning: 4 allowed warnings found
```
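The report above is useful for triage because every dependency tree ends in the audited crate, and the element just above it is the direct dependency a maintainer can actually change. The following Rust program is an added example (not part of this issue or of the http-types project) that parses the `Crate:` / `Version:` / `Warning:` / `ID:` / `Dependency tree:` layout of a `cargo audit` text report and reduces the findings to the set of direct dependencies that pull them in. The struct and function names (`Finding`, `parse_report`, `direct_dependencies`) are hypothetical, and the embedded `SAMPLE_REPORT` is a trimmed excerpt of the output pasted in this issue, used here as constructed test input.

```rust
use std::collections::BTreeSet;

/// One finding from a `cargo audit` text report (hypothetical struct name).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub krate: String,
    pub version: String,
    /// Warning kind ("unmaintained", "yanked", ...) or None for a vulnerability entry.
    pub warning: Option<String>,
    pub id: String,
    /// Dependency path from the flagged crate down to the audited crate itself.
    pub path: Vec<String>,
}

/// Parse the per-finding blocks of a `cargo audit` text report. Preamble lines
/// (fetching, scanning, the shell prompt) carry no recognised key and are skipped.
pub fn parse_report(text: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut current: Option<Finding> = None;
    let mut in_tree = false;

    for line in text.lines() {
        if in_tree {
            // Tree lines look like "    └── aes-gcm 0.8.0"; strip the box drawing.
            let node = line
                .trim_start_matches(|c: char| c.is_whitespace() || "└├─│".contains(c))
                .trim();
            if node.is_empty() {
                // A blank line closes the tree and therefore the finding.
                in_tree = false;
                findings.extend(current.take());
            } else if let Some(f) = current.as_mut() {
                f.path.push(node.to_string());
            }
            continue;
        }

        let (key, value) = match line.split_once(':') {
            Some(kv) => kv,
            None => continue,
        };
        let value = value.trim();
        match key.trim() {
            "Crate" => {
                findings.extend(current.take());
                current = Some(Finding {
                    krate: value.to_string(),
                    version: String::new(),
                    warning: None,
                    id: String::new(),
                    path: Vec::new(),
                });
            }
            "Version" => { if let Some(f) = current.as_mut() { f.version = value.to_string(); } }
            "Warning" => { if let Some(f) = current.as_mut() { f.warning = Some(value.to_string()); } }
            "ID" => { if let Some(f) = current.as_mut() { f.id = value.to_string(); } }
            "Dependency tree" => { in_tree = true; }
            _ => {}
        }
    }
    findings.extend(current.take());
    findings
}

/// The last path element is the audited crate itself; the one before it is the
/// direct dependency that a Cargo.toml change can replace or feature-gate.
pub fn direct_dependencies(findings: &[Finding]) -> BTreeSet<String> {
    findings
        .iter()
        .filter_map(|f| f.path.iter().rev().nth(1).cloned())
        .collect()
}

/// Constructed test input: a trimmed excerpt of the report pasted in this issue.
pub const SAMPLE_REPORT: &str = r#"    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:         aes-soft
Version:       0.6.4
Warning:       unmaintained
Title:         `aes-soft` has been merged into the `aes` crate
ID:            RUSTSEC-2021-0060
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
ID:            RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0

warning: 4 allowed warnings found
"#;

fn main() {
    let findings = parse_report(SAMPLE_REPORT);
    for f in &findings {
        let kind = f.warning.as_deref().unwrap_or("vulnerability");
        println!("{} {} {} ({}) via {}", f.id, f.krate, f.version, kind, f.path.join(" -> "));
    }
    println!("direct dependencies to bump: {:?}", direct_dependencies(&findings));
}
```

Run on the full report from the issue, all four warnings collapse to the single direct dependency `cookie 0.14.4`, which matches the fix discussed in the comments below (bumping `cookie` on `main`, or dropping the default feature that pulls it in).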

cataggar commented Jul 5, 2022

The main branch updates to cookie v0.14.4 -> v0.16.0 and does not have the vulnerabilities. It would be good to publish a new version.


cataggar commented Jul 5, 2022

An alternative is to disable the optional feature.

```toml
http-types = { version = "2.12", default-features = false }
```


Dentosal commented Nov 9, 2022

@jbr @yoshuawuyts @Fishrock123 Could one of you make a new release so this can be closed?

@expenses

I am once again asking for a new release 😄
