iddm/serde-aux

RUSTSEC-2020-0071 and 'chrono' dependency

damccull opened this issue · 7 comments

Hello,

Apparently the 'chrono' crate still includes its 'oldtime' feature as a default, which depends on an old version of the 'time' crate (v0.1.43) that has a vulnerability in it.
https://rustsec.org/advisories/RUSTSEC-2020-0071.html

For my own projects, I disable chrono's default features, then manually include all of the defaults except for 'oldtime', which is what the readme on chrono's repo recommends.

However, pulling in serde_aux seems to bring in chrono with the 'default' features selected, including 'oldtime'.

Any chance you could remove the 'oldtime' feature from your dependency on chrono to avoid this CVE in downstream projects?

iddm commented

Thanks for noticing this! I will be unable to change anything for a week from now, but after this I'll do that.

iddm commented

I have just specified the features I need by explicitly mentioning them in my Cargo.toml:

[dependencies.chrono]
optional = true
version = "0.4"
features = ["alloc", "std", "clock"]

Is this enough? Or do I still need to specify no-default-features?

You also need to specify no-default-features because the "oldtime" feature is currently a default one, apparently for backwards compatibility.
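For reference, the dependency declaration as it needs to look once default features are turned off, placed beside the weaker form discussed above (added illustration, not a snippet from the serde-aux repository; the feature list is the one given in the thread):

```toml
# Weak form: "default-features" is not set, so Cargo keeps chrono's default
# feature set, and the default set currently includes "oldtime", which pulls
# in time 0.1 and therefore RUSTSEC-2020-0071 for every downstream crate.
[dependencies.chrono]
optional = true
version = "0.4"
features = ["alloc", "std", "clock"]

# Hardened form: default features off, then the defaults re-enabled by name
# with "oldtime" left out, as the chrono readme recommends.
[dependencies.chrono]
optional = true
version = "0.4"
default-features = false
features = ["alloc", "std", "clock"]
```

After the change, `cargo tree -e features -i chrono` should no longer show the `oldtime` feature and `cargo audit` should stop reporting RUSTSEC-2020-0071 through serde-aux (assuming no other dependency re-enables chrono's defaults, since Cargo unifies features across the whole graph).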

iddm commented

Should be done now.

Neat. Thank you. What release shall we expect to see it in?

iddm commented

👍