This relates to https://github.com/launchdarkly/rust-eventsource-client/issues/55. The issue is transitive and goes like this: the problematic package is `webpki@0.21.4`, and the dependency tree goes as shown at the end of the `cargo deny` output. The whole log from `cargo deny check advisories`:

```text
538 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = When this crate is given a pathological certificate chain to validate, it will
      spend CPU time exponential with the number of candidate certificates at each
      step of path building.
      Both TLS clients and TLS servers that accept client certificate are affected.
      This was previously reported in
      <https://github.com/briansmith/webpki/issues/69> and re-reported recently
      by Luke Malinowski.
      `rustls-webpki` is a fork of this crate which contains a fix for this issue
      and is actively maintained.
    = Solution: No safe upgrade is available!
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
      │       └── launchdarkly-server-sdk v1.1.3
```
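Because the advisory has no patched `webpki` release, the only fix is to move the whole chain above it onto crates that depend on `rustls-webpki` instead, so the useful check is "who still pulls `webpki` into my lockfile". The script below is an added example, not code from the issue or from the LaunchDarkly or cargo-deny projects: it parses a `Cargo.lock` offline with `awk` and prints every dependency path from a crate up to the roots, which is the same information as the tree in the `cargo deny` output but works without `cargo`, network access or a registry index. The sample lockfile is constructed here to mirror the tree above (checksums omitted); the function names `lock_version`, `lock_reverse_deps`, `lock_dep_paths` and `lock_blame` are this example's own.

```shell
#!/bin/sh
# Added example: find which packages in a Cargo.lock pull in a given crate.
# Not part of the issue; function names and the sample lockfile are ours.
set -eu

# Constructed Cargo.lock (format version 3, as cargo writes it) reproducing
# the webpki -> hyper-rustls -> eventsource-client -> launchdarkly-server-sdk
# chain from the cargo-deny log. Checksums are omitted for brevity.
SAMPLE_LOCK="$(cat <<'EOF'
version = 3

[[package]]
name = "eventsource-client"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "hyper-rustls",
]

[[package]]
name = "hyper-rustls"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "webpki",
]

[[package]]
name = "launchdarkly-server-sdk"
version = "1.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "eventsource-client",
]

[[package]]
name = "webpki"
version = "0.21.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
)"

# lock_version LOCK CRATE: print every version of CRATE present in the lockfile
# (one per line; an empty result means the crate is not in the build at all).
lock_version() {
  printf '%s\n' "$1" | awk -v crate="$2" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); ver = $3; if (name == crate) print ver }
  '
}

# lock_reverse_deps LOCK CRATE: print "name version" of each package whose
# dependencies list names CRATE. Entries may be written as "crate" or
# "crate 1.2.3" (when several versions coexist); we match on the name only.
lock_reverse_deps() {
  printf '%s\n' "$1" | awk -v crate="$2" '
    /^\[\[package\]\]/      { name = ""; ver = ""; indeps = 0 }
    /^name = /              { gsub(/"/, "", $3); name = $3 }
    /^version = /           { gsub(/"/, "", $3); ver = $3 }
    /^dependencies = \[/    { indeps = 1; next }
    indeps && /^\]/         { indeps = 0 }
    indeps {
      dep = $1; gsub(/[",]/, "", dep)
      if (dep == crate) print name, ver
    }
  '
}

# lock_dep_paths LOCK CRATE CHAIN: walk reverse dependencies recursively and
# print one line per complete path from CRATE up to a package nothing depends
# on (normally a workspace member). Positional parameters are used instead of
# variables so the recursion inside the pipeline subshell cannot clobber state.
lock_dep_paths() {
  lock_reverse_deps "$1" "$2" | {
    found=0
    while read -r pname pver; do
      found=1
      lock_dep_paths "$1" "$pname" "${3:-$2} <- $pname $pver"
    done
    [ "$found" -eq 1 ] || printf '%s\n' "${3:-$2}"
  }
}

# lock_blame LOCK CRATE: entry point; one line per path, starting with the
# vulnerable crate and its version so the output can be pasted into a ticket.
lock_blame() {
  for v in $(lock_version "$1" "$2"); do
    lock_dep_paths "$1" "$2" "$2 $v"
  done
}

# On a real project: lock_blame "$(cat Cargo.lock)" webpki
lock_blame "$SAMPLE_LOCK" webpki
# → webpki 0.21.4 <- hyper-rustls 0.22.1 <- eventsource-client 0.11.0 <- launchdarkly-server-sdk 1.1.3
```

The output names the crate you actually have to bump (here `hyper-rustls`, the only direct consumer of `webpki`), which is what `cargo deny` cannot tell you once the chain is longer than a few hops. After the chain has been updated to releases that depend on `rustls-webpki` instead, rerunning `lock_blame` on the new `Cargo.lock` should print nothing; keep that check in CI rather than adding RUSTSEC-2023-0052 to the `ignore` list in `deny.toml`, since the exponential path-building cost affects any TLS client built on the old crate.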