Closed kimono-koans closed 1 year ago
Can the maintainer please advise on this PR? Pleased to reformulate. Thank you!
@kimono-koans I've had contact with the author 2+ years ago. AFAIK they are not active anymore in the Rust community and/or not using this crate anymore. So all effort that happened recently is purely for the sake of other people like us.
Regarding the CVE: My personal stance, and experience from my software using chrono and time since some years, is that we're exaggerating the actual impact of a possible segfault due to concurrent environment modifications by a lot.
Apologies for the silence. Taking a look at it now.
Thanks for the PR, merged!
I have unfortunately been away from this project and a few others for a while :/
In the future, if you need to get in touch with me, don't hesitate to ping me on Matrix, @yoric:matrix.org.
@Yoric do you have an ETA for when we can get a 0.2.1 release with this fix in it? In addition to the CVE, it also fixes some compatibility issues with embedded Rust as time-rs doesn't have proper support for all targets.
This change should permit `cargo audit` to no longer flag `timer.rs` for CVE-2020-26235.

This is required to fix: https://github.com/kimono-koans/httm/issues/54