filecoin-project / builtin-actors

The Filecoin built-in actors

Cargo audit `chrono` #182

Closed rllola closed 2 years ago

rllola commented 2 years ago

When I run `cargo audit`, I see a vulnerability in chrono but no potential upgrade.

```
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree:
chrono 0.4.19
└── fvm_shared 0.3.1
    ├── fvm_sdk 0.3.0
    │   └── fil_actors_runtime 8.0.0-alpha.1
    │       ├── fil_actor_paych 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   │   ├── hfuzz-signer 0.0.0
    │       │   │   ├── filecoin-signer-wasm 0.1.0
    │       │   │   └── filecoin-signer-ffi 0.1.0
    │       │   └── extras 0.1.0
    │       │       └── filecoin-signer 0.10.1
    │       ├── fil_actor_multisig 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   └── extras 0.1.0
    │       ├── fil_actor_init 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   └── extras 0.1.0
    │       └── fil_actor_cron 8.0.0-alpha.1
    │           └── extras 0.1.0
    ├── fvm_ipld_hamt 0.3.0
    │   ├── fil_actors_runtime 8.0.0-alpha.1
    │   ├── fil_actor_multisig 8.0.0-alpha.1
    │   └── fil_actor_init 8.0.0-alpha.1
    ├── fvm_ipld_amt 0.3.0
    │   └── fil_actors_runtime 8.0.0-alpha.1
    ├── filecoin-signer 0.10.1
    ├── fil_actors_runtime 8.0.0-alpha.1
    ├── fil_actor_paych 8.0.0-alpha.1
    ├── fil_actor_multisig 8.0.0-alpha.1
    ├── fil_actor_init 8.0.0-alpha.1
    ├── fil_actor_cron 8.0.0-alpha.1
    └── extras 0.1.0
```

The repo is active but they didn't do any new release in 2 years.

dignifiedquire commented 2 years ago

already removed in https://github.com/filecoin-project/ref-fvm/pull/433