hyperledger-archives / ursa

Hyperledger Ursa (a shared cryptographic library) has moved to end-of-life status, with the components of Ursa still in use moved to their relevant Hyperledger projects (AnonCreds, Indy, Aries and Iroha).
https://wiki.hyperledger.org/display/ursa
Apache License 2.0

Security vulnerability with `time: v0.1.43` #196

Closed appetrosyan closed 2 years ago

appetrosyan commented 2 years ago

Hi, we're using ursa in hyperledger iroha. When we ran `cargo audit` we found:

```
Crate:         time
Version:       0.1.43
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
```

And cargo tree showed time as a direct dependency of ursa.

hartm commented 2 years ago

I think time is only used for performance benchmarking, so this shouldn't be a security vulnerability for Ursa. But it definitely should be updated, so thanks for pointing this out!
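The triage hartm describes (is the flagged crate compiled into the library, or only pulled in for benches and tests?) can be automated. The following is an added example, not code from the Ursa repository: it takes a `Cargo.toml`, the crate named in the advisory, its declared version and the advisory's minimum fixed version (`>=0.2.23` for RUSTSEC-2020-0071 as quoted above), and reports whether the hit is already fixed, ships in the library, is dev/build-only, or is not declared directly (in which case `cargo tree -i <crate>` is the next step). The manifest, crate names and versions other than `time 0.1.43` / `0.2.23` are constructed for the demo; the TOML handling is a small line-oriented scan with no external crates, so it assumes one key per line, no renamed `package = "..."` entries and no dots inside quoted target names.

```rust
// Added example (not Ursa's code): classify a cargo-audit hit by version and
// by which Cargo.toml dependency tables declare the crate.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum DepKind {
    Normal, // [dependencies] / [target.*.dependencies]: compiled into the library
    Dev,    // [dev-dependencies]: tests, examples, benches only
    Build,  // [build-dependencies]: build.rs only
}

#[derive(Debug, PartialEq, Eq)]
pub enum Triage {
    AlreadyFixed,   // declared version >= advisory's fixed version
    ShippedCode,    // reachable from the library: real exposure, upgrade now
    DevOrBuildOnly, // not in the shipped artifact: low risk, still upgrade
    NotDeclared,    // transitive or absent: check `cargo tree -i <crate>`
}

/// Map a table header (brackets removed) to a dependency table kind.
fn table_kind(header: &str) -> Option<DepKind> {
    match header.rsplit('.').next().unwrap_or(header) {
        "dependencies" => Some(DepKind::Normal),
        "dev-dependencies" => Some(DepKind::Dev),
        "build-dependencies" => Some(DepKind::Build),
        _ => None,
    }
}

/// Every dependency table kind under which `crate_name` is declared.
/// Handles `name = "ver"`, `name = { ... }` and `[dependencies.name]` forms.
pub fn dependency_kinds(manifest: &str, crate_name: &str) -> Vec<DepKind> {
    let mut kinds: Vec<DepKind> = Vec::new();
    let mut current: Option<DepKind> = None;
    for raw in manifest.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            let header = line.trim_start_matches('[').trim_end_matches(']').trim();
            // `[dependencies.time]`: crate name is the last segment, table before it.
            if let Some((table, name)) = header.rsplit_once('.') {
                if name == crate_name {
                    if let Some(k) = table_kind(table) {
                        if !kinds.contains(&k) {
                            kinds.push(k);
                        }
                        current = None; // keys inside are version/features, not crates
                        continue;
                    }
                }
            }
            current = table_kind(header);
            continue;
        }
        if let (Some(k), Some((key, _))) = (current, line.split_once('=')) {
            let key = key.trim().trim_matches('"');
            if key == crate_name && !kinds.contains(&k) {
                kinds.push(k);
            }
        }
    }
    kinds
}

/// Parse "MAJOR.MINOR.PATCH"; any "-pre" or "+build" suffix is ignored.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(&['-', '+'][..]).next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// True when the declared version already meets the advisory's fixed version.
pub fn meets_fix(declared: &str, fixed: &str) -> Option<bool> {
    Some(parse_version(declared)? >= parse_version(fixed)?)
}

pub fn triage(manifest: &str, crate_name: &str, declared: &str, fixed: &str) -> Triage {
    if meets_fix(declared, fixed) == Some(true) {
        return Triage::AlreadyFixed;
    }
    let kinds = dependency_kinds(manifest, crate_name);
    if kinds.contains(&DepKind::Normal) {
        Triage::ShippedCode
    } else if kinds.is_empty() {
        Triage::NotDeclared
    } else {
        Triage::DevOrBuildOnly
    }
}

/// Constructed manifest for the demo; not Ursa's real Cargo.toml.
pub const SAMPLE_MANIFEST: &str = r#"
[package]
name = "demo-crypto-lib"
version = "0.1.0"

[dependencies]
rand = "0.7"
sha2 = { version = "0.9", default-features = false }

[target.'cfg(unix)'.dependencies]
libc = "0.2"

[dev-dependencies]
criterion = "0.3"
time = "0.1.43"

[build-dependencies.cc]
version = "1.0"
"#;

fn main() {
    // The case from this issue: time 0.1.43 against RUSTSEC-2020-0071's fix >=0.2.23.
    println!("declared under: {:?}", dependency_kinds(SAMPLE_MANIFEST, "time"));
    println!("triage: {:?}", triage(SAMPLE_MANIFEST, "time", "0.1.43", "0.2.23"));
}
```

On the constructed manifest the result is `DevOrBuildOnly`, matching the reasoning in the thread; the same crate under `[dependencies]` would come back `ShippedCode`, and a crate that only appears transitively comes back `NotDeclared`, which is the cue to inspect the inverse dependency path before dismissing the finding.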