fussybeaver / bollard

Docker daemon API in Rust
Apache License 2.0

Migrate `webpki` dependency to `rustls-webpki` to mitigate RUSTSEC-2023-0052 #327

Closed fuchsnj closed 1 year ago

fuchsnj commented 1 year ago

There is a security advisory for a CPU denial of service in the webpki crate, which is a dependency of bollard. The webpki crate appears to be unmaintained. The latest version of rustls-webpki contains a fix for this.

Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052.html

fussybeaver commented 1 year ago

Thanks for the PR #328, let's close this.

dmartin commented 1 year ago

Would it be possible to do a patch release that includes this fix? We can use a git commit in Cargo.toml for now to avoid the security advisory warning, but that feels a little clunky.
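The interim workaround dmartin mentions, pinning `bollard` to a git commit that already carries the `rustls-webpki` migration, looks like the following in `Cargo.toml`. This is an added example, not part of the thread or of the bollard project; the repository URL is an assumption and `<COMMIT_SHA>` is a placeholder for the actual merge commit of PR #328.

```toml
# Added example (not from the thread): pin bollard to a git revision that
# includes the webpki -> rustls-webpki migration, until a crates.io patch
# release that contains the fix for RUSTSEC-2023-0052 is published.
[dependencies]
# ASSUMPTION: repository URL; replace <COMMIT_SHA> with the merge commit of PR #328.
bollard = { git = "https://github.com/fussybeaver/bollard", rev = "<COMMIT_SHA>" }
```

Pinning to a `rev` rather than a branch keeps the build reproducible and makes the lockfile record exactly which commit was built. After updating, `cargo tree -i webpki` should report that nothing in the graph depends on the old `webpki` crate any more, and `cargo audit` (from the RustSec project) should no longer flag RUSTSEC-2023-0052. Once the patch release ships, replace the git source with a normal version requirement so the dependency returns to crates.io.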

fussybeaver commented 1 year ago

Yes, I can try to schedule a patch release in a couple of weeks when I'm back and have some time.

dmartin commented 1 year ago

Much appreciated, and thank you for all of your hard work on this library!