Closed JanZachmann closed 1 year ago
That CVE has been discussed to death already. The tl;dr is:
1. chrono does not use the code path in time 0.1 that triggers the error. ( https://github.com/chronotope/chrono/issues/499#issuecomment-940433677 )
2. chrono independently has the same bug as the one in time 0.1, which is a different CVE. (https://github.com/chronotope/chrono/issues/602#issuecomment-940445390 / https://rustsec.org/advisories/RUSTSEC-2020-0159.html)
3. The CVE in (2) is only encountered when using chrono's local time API, not when using its UTC time API. Also, even then it only happens when using the local time API while some other part of the process is modifying env vars.
And, since we only use chrono's UTC time API, there is no code path in i-i-s that is affected.
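The closing argument above rests on one verifiable claim: the crate calls only chrono's UTC API, never its local-time API. The following is an added example, not code from the iot-identity-service repository or from anyone in this thread, showing the check a reviewer would run before accepting that claim: a POSIX shell function that searches a crate's sources for chrono's `Local` entry points (`chrono::Local`, `Local::now()`, `DateTime<Local>`, `with_timezone(&Local)`). The two sample crates it scans are constructed here for illustration; the regex is an assumption about how `Local` is usually spelled and will also flag an unrelated type named `Local`, which a reviewer then rules out by hand.

```shell
#!/bin/sh
# Added example (not the project's code): confirm a crate uses only chrono's
# UTC API, which is the premise of the "no affected code path" argument.
# Assumption: every use of chrono's local-time API mentions the identifier
# `Local` as a standalone word (use chrono::Local, Local::now(), DateTime<Local>,
# .with_timezone(&Local)). A crate's own type named `Local` is a false positive.

# check_chrono_utc_only DIR
#   Returns 0 when no standalone `Local` identifier appears in any *.rs file
#   under DIR; returns 1 and prints the matching lines otherwise.
check_chrono_utc_only() {
    dir="$1"
    # Standalone word match without relying on GNU-only \b or \< extensions.
    pattern='chrono::Local|(^|[^A-Za-z0-9_])Local([^A-Za-z0-9_]|$)'
    # `|| true` keeps a no-match exit status (1) from tripping `set -e`.
    matches=$(find "$dir" -name '*.rs' -exec grep -HnE "$pattern" {} + 2>/dev/null || true)
    if [ -n "$matches" ]; then
        printf 'local-time API use found:\n%s\n' "$matches"
        return 1
    fi
    return 0
}

# make_sample
#   Builds a constructed sample tree with two tiny crates and prints its root:
#   utc_only/   uses only chrono::Utc (should pass)
#   uses_local/ calls Local::now() (should fail)
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/utc_only/src" "$root/uses_local/src"
    cat > "$root/utc_only/src/lib.rs" <<'EOF'
use chrono::{DateTime, Utc};

/// Timestamp for log lines and certificate validity checks, always UTC.
pub fn now_rfc3339() -> String {
    Utc::now().to_rfc3339()
}

pub fn parse(s: &str) -> Option<DateTime<Utc>> {
    s.parse().ok()
}
EOF
    cat > "$root/uses_local/src/lib.rs" <<'EOF'
use chrono::Local;

/// Reads TZ via libc localtime_r: the code path the advisory is about.
pub fn now_local() -> String {
    Local::now().to_rfc3339()
}
EOF
    echo "$root"
}

# Usage against a real checkout:
#   . ./chrono_utc_check.sh && check_chrono_utc_only path/to/crate
```

Running `check_chrono_utc_only` on the `utc_only` sample returns 0 and on `uses_local` prints the `Local::now()` line and returns 1. Pair it with `cargo tree -i <crate>@<version>` on the crate version `cargo audit` flagged, which shows every dependency path that pulls it in, so the "we only use the UTC API" argument covers the project's own code and the grep covers whether that is still true after the next refactor.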
Hi everybody
Running cargo audit points out the following vulnerability:
which is introduced here: https://github.com/Azure/iot-identity-service/blob/bc310c7b2254486ff0a0e3fcc4977b8487868b04/cert/cert-renewal/Cargo.toml#L9
A PR fixing the issue can be found here: https://github.com/Azure/iot-identity-service/pull/482