Keats / tera

A template engine for Rust based on Jinja2/Django
http://keats.github.io/tera/
MIT License

Potential security vulnerability in dependency (tera 1.17.1 -> chrono 0.4.23 -> time 0.1.45). #792

Closed Proksima closed 1 year ago

Proksima commented 1 year ago

Running cargo audit yields the following vulnerability:

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.23
    ├── tera 1.17.1
    └── chrono-tz 0.6.3
        └── tera 1.17.1

error: 1 vulnerability found!

I don't mind submitting a PR if I'm given assurance it will be merged once refined to the maintainer's satisfaction.

Thank you for developing and maintaining this crate!

Keats commented 1 year ago

Yep, please submit a PR

Proksima commented 1 year ago

Okay, so after looking around I believe this issue is not actually an issue: time is an optional dependency for chrono 0.4.23 and it gets pulled into my Cargo.lock (and then picked up by cargo audit) despite me not actually depending on it.

Upcoming chrono 0.5 does not seem to list the vulnerable version in its Cargo.toml anymore, but it's still in alpha.

I guess I'll just close this. Sorry for the noise.
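The check a reviewer would want before closing a report like this one, as an added example that is not part of the thread and not tera's, chrono's or cargo-audit's own code: cargo audit does not look at what your crate imports, it walks Cargo.lock, and Cargo only records an optional dependency there when some feature in the graph actually activated it. The script below reads a lock file the same way (format version 3) and answers "which packages record an edge to the flagged crate". The `SAMPLE_LOCK` is constructed from the dependency tree in the report above, with checksums omitted; the function names `lock_version` and `lock_dependents` are this example's own.

```shell
#!/bin/sh
# Added example, not project code. Walk a Cargo.lock (format version 3) the
# way cargo-audit does, to see which resolved packages depend on a flagged crate.

# lock_version <Cargo.lock> <crate-name>
# Print the resolved version(s) of <crate-name>, one per line.
lock_version() {
  awk -v target="$2" '
    /^name = /    { name = $3; gsub(/"/, "", name) }
    /^version = / { if (name == target) { v = $3; gsub(/"/, "", v); print v } }
  ' "$1"
}

# lock_dependents <Cargo.lock> <crate-name>
# Print "name version" for every [[package]] whose dependencies list contains
# <crate-name>. Entries look like "time" or "time 0.1.45" (Cargo appends the
# version only when several versions of a crate are in the lock), so only the
# first word of each entry is compared.
lock_dependents() {
  awk -v target="$2" '
    /^\[\[package\]\]/   { name = ""; version = ""; indeps = 0 }
    /^name = /           { name = $3; gsub(/"/, "", name) }
    /^version = /        { version = $3; gsub(/"/, "", version) }
    /^dependencies = \[/ { indeps = 1; next }
    indeps && /^\]/      { indeps = 0; next }
    indeps {
      line = $0; gsub(/[",]/, "", line)
      split(line, parts, " ")
      if (parts[1] == target) print name " " version
    }
  ' "$1"
}

# Constructed sample lock, mirroring the tree in the cargo audit report above
# (tera 1.17.1 -> chrono 0.4.23 -> time 0.1.45, chrono-tz 0.6.3 -> chrono).
SAMPLE_LOCK='# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "chrono"
version = "0.4.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "time",
]

[[package]]
name = "chrono-tz"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "chrono",
]

[[package]]
name = "tera"
version = "1.17.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "chrono",
 "chrono-tz",
]

[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"'

demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOCK" > "$tmp"
  echo "time resolves to: $(lock_version "$tmp" time)"
  echo "packages whose lock entry depends on time:"
  lock_dependents "$tmp" time
  rm -f "$tmp"
}
demo
```

Against a real checkout the same question is answered by `cargo tree -i time@0.1.45 -e features`, which also names the feature (on chrono 0.4.x, the one that pulls in time 0.1) that activated the optional dependency; if after that you still decide the advisory does not apply to your build, record it as an explicit `ignore` entry for RUSTSEC-2020-0071 in `.cargo/audit.toml` rather than closing the finding silently.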