RUSTSEC-2020-0159
Closed this issue · 4 comments
Cargo audit reports the following:
client-sdk-rust]$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 405 security advisories (from /home/brian/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (151 crate dependencies)
Crate: chrono
Version: 0.4.19
Title: Potential segfault in `localtime_r` invocations
Date: 2020-11-10
ID: RUSTSEC-2020-0159
URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: No safe upgrade is available!
Dependency tree:
chrono 0.4.19
└── momento 0.1.0
Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
error: 2 vulnerabilities found!
If possible, it might be better to avoid using chrono - according to cargo tree it looks like time 0.1.44 is only in the dependency tree due to chrono 0.4.19. It seems that if the code can be refactored to avoid chrono, that both RUSTSEC advisories would be addressed.
We may want to add cargo audit into the CI workflow as well.
Just for context, we took a dependency on chrono for supporting a new API that displays a timestamp in human-readable format, and I'm not familiar with any other Rust library that can parse timestamps and calculate time deltas like chrono does.
Looking at chronotope/chrono#499 it looks like there are some open PRs ready to be merged and fixed when chrono-0.4.20 is released, which should address this.
We may want to add cargo audit into the CI workflow as well.
That's a great idea, might be worth introducing as long as we are okay with overriding merges when we hit scenarios like these
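One way to gate CI on cargo audit while still allowing a documented, time-boxed exception for a finding that has no safe upgrade (the situation in this issue): an added example script, not code from this project or from cargo-audit. It assumes the shape of `cargo audit --json` output for the fields it reads, and the sample report and the accepted-risk register are constructed here.

```python
"""CI gate over `cargo audit --json`: fail on fixable advisories, waive
unfixable ones only while a recorded exception is still within its review date."""
import json
import sys
from datetime import date

# Constructed sample in the shape of `cargo audit --json` output (assumed;
# only the fields read below matter). It mirrors the two findings in this issue.
SAMPLE_REPORT = json.dumps({"vulnerabilities": {"found": True, "count": 2, "list": [
    {"advisory": {"id": "RUSTSEC-2020-0159", "package": "chrono",
                  "title": "Potential segfault in `localtime_r` invocations"},
     "versions": {"patched": [], "unaffected": []},
     "package": {"name": "chrono", "version": "0.4.19"}},
    {"advisory": {"id": "RUSTSEC-2020-0071", "package": "time",
                  "title": "Potential segfault in the time crate"},
     "versions": {"patched": [">=0.2.23"], "unaffected": []},
     "package": {"name": "time", "version": "0.1.44"}},
]}})

# Hypothetical accepted-risk register: advisory id -> (reason, review-by ISO date).
ACCEPTED_RISKS = {
    "RUSTSEC-2020-0159": ("no fixed chrono release yet; tracking chronotope/chrono#499",
                          "2021-03-01"),
}


def evaluate(report_json, accepted, today):
    """Split advisory ids into (blocking, waived); `today` is an ISO date string.

    A waiver applies only while no patched version exists and the review date has
    not passed, so a newly released fix or a stale exception re-blocks the build.
    """
    blocking, waived = [], []
    for vuln in json.loads(report_json)["vulnerabilities"]["list"]:
        aid = vuln["advisory"]["id"]
        fixable = bool(vuln["versions"]["patched"])
        waiver = accepted.get(aid)
        if waiver is not None and not fixable and today <= waiver[1]:
            waived.append(aid)
        else:
            blocking.append(aid)
    return blocking, waived


def main(argv):
    # Usage in CI: cargo audit --json > audit.json && python audit_gate.py audit.json
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking, waived = evaluate(data, ACCEPTED_RISKS, date.today().isoformat())
    for aid in waived:
        print(f"waived  {aid}: {ACCEPTED_RISKS[aid][0]} (review by {ACCEPTED_RISKS[aid][1]})")
    for aid in blocking:
        print(f"BLOCKED {aid}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```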
I think this one can be closed at this point