launchdarkly / rust-eventsource-client

Server-sent events (SSE) client implementation for Rust
https://docs.rs/eventsource-client/latest/eventsource_client/

dependency tree is vulnerable to RUSTSEC-2023-0052 #55

Closed sassman closed 10 months ago

sassman commented 1 year ago

The problematic package is webpki@0.21.4; the tree goes as:

    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
      │       └── launchdarkly-server-sdk v1.1.3

The whole log from cargo deny check advisories:

538 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = When this crate is given a pathological certificate chain to validate, it will
      spend CPU time exponential with the number of candidate certificates at each
      step of path building.

      Both TLS clients and TLS servers that accept client certificate are affected.

      This was previously reported in
      <https://github.com/briansmith/webpki/issues/69> and re-reported recently
      by Luke Malinowski.

      `rustls-webpki` is a fork of this crate which contains a fix for this issue
      and is actively maintained.
    = Solution: No safe upgrade is available!
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
      │       └── launchdarkly-server-sdk v1.1.3
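
As an added example (not the project's or the reporter's code), here is a small Python parser for the cargo-deny advisory report format quoted above: it extracts the advisory ID, whether a safe upgrade exists, and the reverse dependency chain, so a CI job can name the direct dependency that needs a new release. The report text is a constructed, abbreviated copy of the log in this issue.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the cargo-deny report quoted in this issue.
SAMPLE_REPORT = """\
538 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = Solution: No safe upgrade is available!
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
      │       └── launchdarkly-server-sdk v1.1.3
"""

@dataclass
class Finding:
    crate: str
    version: str
    advisory_id: str = ""
    fixable: bool = False
    # Reverse dependency chain: crates pulling in the vulnerable one, the
    # project's own direct dependency last.
    chain: list = field(default_factory=list)

def parse_cargo_deny(report: str) -> list:
    """Parse cargo-deny advisory output into one Finding per flagged crate."""
    findings, current = [], None
    for line in report.splitlines():
        header = re.match(r"^\s*\d+\s+│\s+(\S+)\s+(\S+)\s+registry\+", line)
        if header:
            current = Finding(crate=header.group(1), version=header.group(2))
            findings.append(current)
        elif current is None:
            continue
        elif m := re.search(r"=\s+ID:\s+(RUSTSEC-\d{4}-\d{4})", line):
            current.advisory_id = m.group(1)
        elif m := re.search(r"=\s+Solution:\s+(.*)", line):
            current.fixable = not m.group(1).lower().startswith("no safe upgrade")
        elif m := re.search(r"(?:├──|└──)\s+(\S+)\s+v(\S+)", line):
            current.chain.append((m.group(1), m.group(2)))
    return findings

def unfixable_by_direct_dependency(findings: list) -> dict:
    """Map each advisory with no safe upgrade to the direct dependency that pulls it in."""
    return {f.advisory_id: f.chain[-1][0] for f in findings if not f.fixable and f.chain}
```

Feeding the real `cargo deny check advisories` output through `parse_cargo_deny` gives the same structure, which is enough to fail a pipeline on unfixable advisories while pointing at the dependency whose upstream must move.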

cwaldren-ld commented 1 year ago

Hi @sassman , thanks for reporting this. We'll consider switching over to the maintained rustls-webpki fork.

Filed internally as 214672.

sassman commented 1 year ago

Hi @cwaldren-ld, thanks for your swift response. Do you have any timeline on having a patch ready?

louis-launchdarkly commented 1 year ago

Hello @sassman, sorry for the slightly delayed response. After discussing with the Rust engineers on the team, the current plan is to fix this all together when https://github.com/hyperium/hyper releases their 1.0 crate (they had the rc4 release a couple of months ago), as there are a lot of breaking changes and it will require the Rust SDK to also take a major version bump.

butlerx commented 10 months ago

Since hyper v1 is releasing today, is there a timeline for the patch?

keelerm84 commented 10 months ago

Well, funnily enough, I decided the other day not to wait for that release, and just got our changes released now. 🤦🏼

Anyway, 0.12.0 is out with updated dependencies, but still pre-v1 hyper.