mozilla-services / merino

Web service for Firefox Suggest
https://mozilla-services.github.io/merino/
Mozilla Public License 2.0

Fix RUSTSEC-2021-0131 when it's fixed in actix-web #288

Open ncloudioj opened 2 years ago

ncloudioj commented 2 years ago

This CVE was introduced by actix-web and was temporarily ignored by #287. We should fix it by updating actix-web once it gets fixed there (https://github.com/actix/actix-web/pull/2538).

robjtede commented 2 years ago

Just to check, you folks need it backporting to v3 or no?

ncloudioj commented 2 years ago

Hi @robjtede, thanks for reaching out!

Just to check, you folks need it backporting to v3 or no?

We use actix-web v4 for this project. However, we do use v3 for another project.

@pjenvey @jrconlin Are we planning on upgrading actix-web for Contile at some point?

jrconlin commented 2 years ago

We use actix for a number of projects, including syncstorage, autopush, channelserver and contile. All are planned to move to Actix 4 (once Actix 4 stable is released), and all have likewise included the ignore. It really depends on how critical a vulnerability this fix is and how soon Actix 4 will reach stable.

Of course, even after Actix 4 is released, there will have to be some time to update each of these packages, which means that they may be similarly vulnerable, so again, it depends on how critical this fix is to the Actix framework.

robjtede commented 2 years ago

I think the near-term timeline on v4 stable is favorable towards this issue. In the meantime, the quick fix for silencing the advisory on v3 projects is disabling the feature flag for brotli.

I'm willing to help expedite updating projects to v4 after its release to get brotli support back if you choose to disable it.

robjtede commented 2 years ago

I decided to backport the fix after all. A cargo update will get you actix-http v2.2.2 which switches the brotli backend to brotli.
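A quick way to confirm that a project's Cargo.lock has actually picked up this kind of fix, added here as an example and not code from the merino project or from this thread: it reads the locked actix-http version out of the lockfile and checks that the old C-backed brotli crates have dropped out of the dependency graph. Treating brotli-sys/brotli2 as the pre-fix backend and 2.2.2 as the first fixed actix-http release is taken from the comment above; the two lockfile fragments are constructed samples.

```sh
#!/bin/sh
# Constructed Cargo.lock fragments (not from any real project).
# Before: actix-http 2.2.1 still pulls brotli2 -> brotli-sys.
LOCK_BEFORE='[[package]]
name = "actix-http"
version = "2.2.1"

[[package]]
name = "brotli-sys"
version = "0.3.2"

[[package]]
name = "brotli2"
version = "0.3.2"
'
# After `cargo update`: actix-http 2.2.2 depends on the pure-Rust brotli crate.
LOCK_AFTER='[[package]]
name = "actix-http"
version = "2.2.2"

[[package]]
name = "brotli"
version = "3.3.2"
'

# lock_has_crate LOCK_CONTENT CRATE -> exit 0 if CRATE appears anywhere in the lock graph
lock_has_crate() {
  printf '%s\n' "$1" | grep -q "^name = \"$2\"\$"
}

# lock_version LOCK_CONTENT CRATE -> prints the locked version of CRATE
# (first match only; a lock with several versions of one crate would need more)
lock_version() {
  printf '%s\n' "$1" | awk -v crate="$2" '
    BEGIN { target = "\"" crate "\"" }
    $1 == "name" && $3 == target { found = 1; next }
    found && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  '
}

# ver_ge A B -> exit 0 if numeric major.minor.patch A >= B (no pre-release handling)
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# lock_fixed LOCK_CONTENT -> exit 0 when actix-http is at or past 2.2.2 AND the
# brotli-sys backend is gone; a version bump alone is not enough if some other
# path in the graph still drags the old crate in.
lock_fixed() {
  v=$(lock_version "$1" actix-http)
  [ -n "$v" ] || return 1
  ver_ge "$v" 2.2.2 || return 1
  ! lock_has_crate "$1" brotli-sys
}

if lock_fixed "$LOCK_BEFORE"; then echo "before: fixed"; else echo "before: still affected"; fi
if lock_fixed "$LOCK_AFTER";  then echo "after: fixed";  else echo "after: still affected";  fi
```

Run against a real lockfile with `lock_fixed "$(cat Cargo.lock)"`; the brotli-sys check is the one that matters for an advisory against a transitive C dependency, since the advisory stays live as long as that crate is anywhere in the graph, whatever version of the framework sits on top.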

jrconlin commented 2 years ago

Awesome! Thanks!