VOICEVOX / voicevox_core

The core of VOICEVOX, a free, medium-quality text-to-speech software
https://voicevox.hiroshiba.jp/
MIT License

chore(deps): bump several crates to deal with `advisories` #856

Closed qryxip closed 1 month ago

qryxip commented 1 month ago

Summary

Bump the versions of the following crates so that `cargo deny check advisories` passes.

Only cbindgen is updated beyond the bare minimum, all the way to the latest version; this is because I want to do #782 right after this.

Related Issue

#855

Other

advisories FAILED: 10 errors, 1 warnings, 0 notes

```console
error[unmaintained]: `atty` is unmaintained
   ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:29:1
   │
29 │ atty 0.2.14 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
   │
   ├ ID: RUSTSEC-2024-0375
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0375
   ├ The maintainer of `atty` has [published](https://github.com/softprops/atty/commit/5bfdbe9e48c6ca6a4909e8d5b04f5e843a257e93) an official notice that the crate is no longer under development, and that users should instead rely on the functionality in the standard library's [`IsTerminal`](https://doc.rust-lang.org/std/io/trait.IsTerminal.html) trait.

     ## Alternative(s)

     - [std::io::IsTerminal](https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html) - Stable since Rust 1.70.0 and the recommended replacement per the `atty` maintainer.
     - [is-terminal](https://crates.io/crates/is-terminal) - Standalone crate supporting Rust older than 1.70.0
   ├ Announcement: https://github.com/softprops/atty/issues/57
   ├ Solution: No safe upgrade is available!
   ├ atty v0.2.14
     └── clap v3.2.22
         └── cbindgen v0.24.3
             └── xtask v0.0.0

error[unsound]: Potential unaligned read
   ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:29:1
   │
29 │ atty 0.2.14 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2021-0145
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0145
   ├ On windows, `atty` dereferences a potentially unaligned pointer. In practice however, the pointer won't be unaligned unless a custom global allocator is used. In particular, the `System` allocator on windows uses `HeapAlloc`, which guarantees a large enough alignment.

     # atty is Unmaintained

     A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable. Last release of `atty` was almost 3 years ago.

     ## Possible Alternative(s)

     The below list has not been vetted in any way and may or may not contain alternatives;

     - [std::io::IsTerminal](https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html) - Stable since Rust 1.70.0
     - [is-terminal](https://crates.io/crates/is-terminal) - Standalone crate supporting Rust older than 1.70.0
   ├ Announcement: https://github.com/softprops/atty/issues/50
   ├ Solution: No safe upgrade is available!
   ├ atty v0.2.14
     └── clap v3.2.22
         └── cbindgen v0.24.3
             └── xtask v0.0.0

error[vulnerability]: Degradation of service in h2 servers with CONTINUATION Flood
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1
    │
151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0332
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0332
    ├ An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely. This results in an increase in CPU usage. Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency. More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/. Patches available for 0.4.x and 0.3.x versions.
    ├ Solution: Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[vulnerability]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1
    │
151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0003
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003
    ├ An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the generation of reset frames on the victim endpoint. By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion, resulting in Out Of Memory (OOM) and high CPU usage. This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of internal error resets emitted by default before the connection is closed.
    ├ Solution: Upgrade to ^0.3.24 OR >=0.4.2 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[vulnerability]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1
    │
151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2023-0034
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0034
    ├ If an attacker is able to flood the network with pairs of `HEADERS`/`RST_STREAM` frames, such that the `h2` application is not able to accept them faster than the bytes are received, the pending accept queue can grow in memory usage. Being able to do this consistently can result in excessive memory use, and eventually trigger Out Of Memory. This flaw is corrected in [hyperium/h2#668](https://github.com/hyperium/h2/pull/668), which restricts remote reset stream count by default.
    ├ Announcement: https://github.com/hyperium/hyper/issues/2877
    ├ Solution: Upgrade to >=0.3.17 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[unmaintained]: proc-macro-error is unmaintained
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:273:1
    │
273 │ proc-macro-error 1.0.4 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
    │
    ├ ID: RUSTSEC-2024-0370
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0370
    ├ proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email. proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependant build trees.

      ## Possible Alternative(s)

      - [manyhow](https://crates.io/crates/manyhow)
      - [proc-macro-error2](https://crates.io/crates/proc-macro-error2)
      - [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)
    ├ Announcement: https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20
    ├ Solution: No safe upgrade is available!
    ├ proc-macro-error v1.0.4
      └── duplicate v1.0.0
          ├── voicevox_core v0.0.0
          │   ├── voicevox_core_c_api v0.0.0
          │   ├── voicevox_core_java_api v0.0.0
          │   └── voicevox_core_python_api v0.0.0
          ├── voicevox_core_c_api v0.0.0 (*)
          └── voicevox_core_java_api v0.0.0 (*)

error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:309:1
    │
309 │ rustls 0.20.6 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0336
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    ├ If a `close_notify` alert is received during a handshake, `complete_io` does not terminate. Callers which do not call `complete_io` are not affected. `rustls-tokio` and `rustls-ffi` do not call `complete_io` and are not affected. `rustls::Stream` and `rustls::StreamOwned` types use `complete_io` and are affected.
    ├ Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    ├ Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    ├ rustls v0.20.6
      ├── hyper-rustls v0.23.2
      │   └── reqwest v0.11.13
      │       ├── downloader v0.0.0
      │       ├── octocrab v0.19.0
      │       │   └── downloader v0.0.0 (*)
      │       └── (build) test_util v0.0.0
      │           ├── (dev) voicevox_core v0.0.0
      │           │   ├── voicevox_core_c_api v0.0.0
      │           │   ├── voicevox_core_java_api v0.0.0
      │           │   └── voicevox_core_python_api v0.0.0
      │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      ├── reqwest v0.11.13 (*)
      └── tokio-rustls v0.23.4
          ├── hyper-rustls v0.23.2 (*)
          └── reqwest v0.11.13 (*)

error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:310:1
    │
310 │ rustls 0.21.7 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0336
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    ├ If a `close_notify` alert is received during a handshake, `complete_io` does not terminate. Callers which do not call `complete_io` are not affected. `rustls-tokio` and `rustls-ffi` do not call `complete_io` and are not affected. `rustls::Stream` and `rustls::StreamOwned` types use `complete_io` and are affected.
    ├ Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    ├ Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    ├ rustls v0.21.7
      └── ureq v2.8.0
          └── (build) voicevox-ort-sys v2.0.0-rc.4
              └── voicevox-ort v2.0.0-rc.4
                  ├── (build) test_util v0.0.0
                  │   ├── (dev) voicevox_core v0.0.0
                  │   │   ├── voicevox_core_c_api v0.0.0
                  │   │   ├── voicevox_core_java_api v0.0.0
                  │   │   └── voicevox_core_python_api v0.0.0
                  │   └── (dev) voicevox_core_c_api v0.0.0 (*)
                  ├── voicevox_core v0.0.0 (*)
                  └── (dev) voicevox_core_c_api v0.0.0 (*)

error[vulnerability]: Multiple issues involving quote API
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:336:1
    │
336 │ shlex 1.1.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0006
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0006
    ├ ## Issue 1: Failure to quote characters

      Affected versions of this crate allowed the bytes `{` and `\xa0` to appear unquoted and unescaped in command arguments. If the output of `quote` or `join` is passed to a shell, then what should be a single command argument could be interpreted as multiple arguments. This does not *directly* allow arbitrary command execution (you can't inject a command substitution or similar). But depending on the command you're running, being able to inject multiple arguments where only one is expected could lead to undesired consequences, potentially including arbitrary command execution.

      The flaw was corrected in version 1.2.1 by escaping additional characters. Updating to 1.3.0 is recommended, but 1.2.1 offers a more minimal fix if desired.

      Workaround: Check for the bytes `{` and `\xa0` in `quote`/`join` input or output. (Note: `{` is problematic because it is used for glob expansion. `\xa0` is problematic because it's treated as a word separator in [specific environments][solved-xa0].)

      ## Issue 2: Dangerous API w.r.t. nul bytes

      Version 1.3.0 deprecates the `quote` and `join` APIs in favor of `try_quote` and `try_join`, which behave the same except that they have `Result` return type, returning `Err` if the input contains nul bytes. Strings containing nul bytes generally cannot be used in Unix command arguments or environment variables, and most shells cannot handle nul bytes even internally. If you try to pass one anyway, then the results might be security-sensitive in uncommon scenarios. [More details here.][nul-bytes]

      Due to the low severity, the behavior of the original `quote` and `join` APIs has not changed; they continue to allow nuls.

      Workaround: Manually check for nul bytes in `quote`/`join` input or output.

      ## Issue 3: Lack of documentation for interactive shell risks

      The `quote` family of functions does not and cannot escape control characters. With non-interactive shells this is perfectly safe, as control characters have no special effect. But if you writing directly to the standard input of an interactive shell (or through a pty), then control characters [can cause misbehavior including arbitrary command injection.][control-characters]

      This is essentially unfixable, and has not been patched. But as of version 1.3.0, documentation has been added. Future versions of `shlex` may add API variants that avoid the issue at the cost of reduced portability.

      [solved-xa0]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#solved-xa0
      [nul-bytes]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#nul-bytes
      [control-characters]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#control-characters-interactive-contexts-only
    ├ Announcement: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27
    ├ Solution: Upgrade to >=1.3.0 (try `cargo update -p shlex`)
    ├ shlex v1.1.0
      ├── bindgen v0.62.0
      │   └── (build) open_jtalk-sys v0.16.111
      │       └── open_jtalk v0.1.25
      │           └── voicevox_core v0.0.0
      │               ├── voicevox_core_c_api v0.0.0
      │               ├── voicevox_core_java_api v0.0.0
      │               └── voicevox_core_python_api v0.0.0
      └── bindgen v0.69.4
          └── (build) test_util v0.0.0
              ├── (dev) voicevox_core v0.0.0 (*)
              └── (dev) voicevox_core_c_api v0.0.0 (*)

error[vulnerability]: webpki: CPU denial of service in certificate path building
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:425:1
    │
425 │ webpki 0.22.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2023-0052
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    ├ When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building. Both TLS clients and TLS servers that accept client certificate are affected. This was previously reported in and re-reported recently by Luke Malinowski. webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.
    ├ Solution: Upgrade to >=0.22.2 (try `cargo update -p webpki`)
    ├ webpki v0.22.0
      ├── rustls v0.20.6
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   ├── reqwest v0.11.13 (*)
      │   └── tokio-rustls v0.23.4
      │       ├── hyper-rustls v0.23.2 (*)
      │       └── reqwest v0.11.13 (*)
      ├── tokio-rustls v0.23.4 (*)
      └── webpki-roots v0.22.5
          └── reqwest v0.11.13 (*)

warning[yanked]: detected yanked crate (try `cargo update -p textwrap`)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:370:1
    │
370 │ textwrap 0.15.1 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version
    │
    ├ textwrap v0.15.1
      └── clap v3.2.22
          └── cbindgen v0.24.3
              └── xtask v0.0.0

advisories FAILED: 10 errors, 1 warnings, 0 notes
```