Security: Patch Security Vulnerabilities Across Multiple Dependencies

[t4nature]

Summary

This pull request addresses several security vulnerabilities discovered through cargo audit. The vulnerabilities span across multiple crates, including h2, mio, and openssl. Each vulnerability is associated with potential security risks, including denial of service (DoS), arbitrary file read, thread safety issues, buffer over-reads, and null pointer dereference.

Details of Vulnerabilities and Solutions

1. h2: Upgraded to 0.3.24 to mitigate resource exhaustion vulnerability that could lead to DoS.
   • RUSTSEC-2024-0003
   • RUSTSEC-2023-0034
2. mio: Upgraded to 0.8.11 to resolve issues with tokens for named pipes being delivered after deregistration.
   • RUSTSEC-2024-0019
3. openssl: Upgraded to 0.10.55 to address several vulnerabilities:
   • RUSTSEC-2023-0023: Arbitrary file read through SubjectAlternativeName and ExtendedKeyUsage::other.
   • RUSTSEC-2023-0022: Thread safety issue with X509NameBuilder::build.
   • RUSTSEC-2023-0044: Buffer over-read in X509VerifyParamRef::set_host.
   • RUSTSEC-2023-0024: Null pointer dereference in X509Extension::new and X509Extension::new_nid.

Actions Taken

• Performed cargo update -p <crate_name> --precise <version> for each affected crate to ensure the least intrusive update that resolves the vulnerabilities.
• Ran cargo test post-upgrade to ensure no regressions were introduced.

Conclusion

These updates are critical for maintaining the security and integrity of the project. It is recommended to merge this PR as soon as possible to apply these security patches. Further, detailed testing and validation are advised to ensure the updates integrate smoothly with the existing codebase.

Attachment: cargo audit Output for Reference

To provide clear context and justify the necessity of the updates made in this pull request, I've included the output of cargo audit below. This output highlights the specific vulnerabilities that were addressed by the updates to h2, mio, and openssl dependencies:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/obj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (210 crate dependencies)
Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2024-01-17
ID:        RUSTSEC-2024-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
Solution:  Upgrade to ^0.3.24 OR >=0.4.2
Dependency tree:
h2 0.3.16
├── reqwest 0.11.14
│   ├── teloxide-core 0.9.1
│   │   └── teloxide 0.12.2
│   │       └── telegpt 0.1.0
│   ├── reqwest-eventsource 0.4.0
│   │   └── async-openai 0.9.4
│   │       └── telegpt 0.1.0
│   └── async-openai 0.9.4
└── hyper 0.14.24
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0
        └── reqwest 0.11.14

Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2023-04-14
ID:        RUSTSEC-2023-0034
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0034
Solution:  Upgrade to >=0.3.17

Crate:     mio
Version:   0.8.6
Title:     Tokens for named pipes may be delivered after deregistration
Date:      2024-03-04
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.6
└── tokio 1.26.0
    ├── tokio-util 0.7.7
    │   ├── teloxide-core 0.9.1
    │   │   └── teloxide 0.12.2
    │   │       └── telegpt 0.1.0
    │   ├── teloxide 0.12.2
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   ├── h2 0.3.16
    │   │   ├── reqwest 0.11.14
    │   │   └── hyper 0.14.24
    │   │       ├── reqwest 0.11.14
    │   │       └── hyper-tls 0.5.0
    │   │           └── reqwest 0.11.14
    │   └── async-openai 0.9.4
    ├── tokio-stream 0.1.12
    │   ├── teloxide 0.12.2
    │   └── async-openai 0.9.4
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   └── hyper-tls 0.5.0
    ├── teloxide-core 0.9.1
    ├── teloxide 0.12.2
    ├── telegpt 0.1.0
    ├── reqwest 0.11.14
    ├── hyper-tls 0.5.0
    ├── hyper 0.14.24
    ├── h2 0.3.16
    ├── backoff 0.4.0
    │   └── async-openai 0.9.4
    └── async-openai 0.9.4

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read
Date:      2023-03-24
ID:        RUSTSEC-2023-0023
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0023
Solution:  Upgrade to >=0.10.48
Dependency tree:
openssl 0.10.45
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   │   └── teloxide 0.12.2
    │   │   │       └── telegpt 0.1.0
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   └── hyper-tls 0.5.0
    │       └── reqwest 0.11.14
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509NameBuilder::build` returned object is not thread safe
Date:      2023-03-24
ID:        RUSTSEC-2023-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0022
Solution:  Upgrade to >=0.10.48

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
Date:      2023-03-24
ID:        RUSTSEC-2023-0024
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0024
Solution:  Upgrade to >=0.10.48

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.7.1
    └── pretty_env_logger 0.4.0
        └── telegpt 0.1.0

Crate:     openssl
Version:   0.10.45
Warning:   unsound
Title:     `openssl` `X509StoreRef::objects` is unsound
Date:      2023-11-23
ID:        RUSTSEC-2023-0072
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0072

Crate:     ahash
Version:   0.7.6
Warning:   yanked
Dependency tree:
ahash 0.7.6
└── hashbrown 0.12.3
    ├── indexmap 1.9.2
    │   └── h2 0.3.16
    │       ├── reqwest 0.11.14
    │       │   ├── teloxide-core 0.9.1
    │       │   │   └── teloxide 0.12.2
    │       │   │       └── telegpt 0.1.0
    │       │   ├── reqwest-eventsource 0.4.0
    │       │   │   └── async-openai 0.9.4
    │       │   │       └── telegpt 0.1.0
    │       │   └── async-openai 0.9.4
    │       └── hyper 0.14.24
    │           ├── reqwest 0.11.14
    │           └── hyper-tls 0.5.0
    │               └── reqwest 0.11.14
    └── hashlink 0.8.1
        └── rusqlite 0.28.0
            └── telegpt 0.1.0

Crate:     hermit-abi
Version:   0.3.1
Warning:   yanked
Dependency tree:
hermit-abi 0.3.1
└── is-terminal 0.4.4
    ├── env_logger 0.10.0
    │   └── telegpt 0.1.0
    └── clap 4.1.8
        └── telegpt 0.1.0

warning: 4 allowed warnings found