Closed Dmitry-Borodin closed 6 months ago
Those were vulnerable according to the cargo-deny check.
To update rustls to a version not affected by the cargo-deny rules, I had to update subxt from 0.27 to 0.32.1,
and a lot of sub-dependencies using rustls. It affected a lot of library versions. It would be nice to test this change carefully.
```
error[vulnerability]: Degradation of service in h2 servers with CONTINUATION Flood
    ┌─ /github/workspace/rust/Cargo.lock:148:1
    │
148 │ h2 0.3.24 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0332
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0332
    = An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely.
      This results in an increase in CPU usage.

      Tokio task budget helps prevent this from a complete denial-of-service, as the server can still
      respond to legitimate requests, albeit with increased latency.

      More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

      Patches available for 0.4.x and 0.3.x versions.
    = Solution: Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)
    = h2 v0.3.24
      └── hyper v0.14.20
          ├── hyper-rustls v0.24.1
          │   └── jsonrpsee-http-client v0.16.3
          │       └── jsonrpsee v0.16.3
          │           └── subxt-codegen v0.27.1
          │               └── subxt-macro v0.27.1
          │                   └── subxt v0.27.1
          │                       └── (dev) parser v0.1.0
          │                           ├── (dev) navigator v0.1.0
          │                           │   └── signer v0.1.0
          │                           ├── signer v0.1.0 (*)
          │                           └── transaction_parsing v0.1.0
          │                               ├── navigator v0.1.0 (*)
          │                               ├── qr_reader_phone v0.1.0
          │                               │   ├── qr_reader_pc v0.2.0
          │                               │   └── signer v0.1.0 (*)
          │                               ├── signer v0.1.0 (*)
          │                               └── (dev) transaction_signing v0.1.0
          │                                   ├── navigator v0.1.0 (*)
          │                                   └── signer v0.1.0 (*)
          ├── jsonrpsee-core v0.16.3
          │   ├── jsonrpsee v0.16.3 (*)
          │   ├── jsonrpsee-client-transport v0.16.3
          │   │   └── jsonrpsee v0.16.3 (*)
          │   └── jsonrpsee-http-client v0.16.3 (*)
          └── jsonrpsee-http-client v0.16.3 (*)

error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /github/workspace/rust/Cargo.lock:322:1
    │
322 │ rustls 0.21.6 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0336
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    = If a `close_notify` alert is received during a handshake, `complete_io` does not terminate.

      Callers which do not call `complete_io` are not affected.

      `rustls-tokio` and `rustls-ffi` do not call `complete_io` and are not affected.

      `rustls::Stream` and `rustls::StreamOwned` types use `complete_io` and are affected.
    = Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    = Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    = rustls v0.21.6
      ├── hyper-rustls v0.24.1
      │   └── jsonrpsee-http-client v0.16.3
      │       └── jsonrpsee v0.16.3
      │           └── subxt-codegen v0.27.1
      │               └── subxt-macro v0.27.1
      │                   └── subxt v0.27.1
      │                       └── (dev) parser v0.1.0
      │                           ├── (dev) navigator v0.1.0
      │                           │   └── signer v0.1.0
      │                           ├── signer v0.1.0 (*)
      │                           └── transaction_parsing v0.1.0
      │                               ├── navigator v0.1.0 (*)
      │                               ├── qr_reader_phone v0.1.0
      │                               │   ├── qr_reader_pc v0.2.0
      │                               │   └── signer v0.1.0 (*)
      │                               ├── signer v0.1.0 (*)
      │                               └── (dev) transaction_signing v0.1.0
      │                                   ├── navigator v0.1.0 (*)
      │                                   └── signer v0.1.0 (*)
      └── tokio-rustls v0.24.1
          ├── hyper-rustls v0.24.1 (*)
          ├── jsonrpsee-client-transport v0.16.3
          │   └── jsonrpsee v0.16.3 (*)
          └── jsonrpsee-client-transport v0.20.3
              └── jsonrpsee-ws-client v0.20.3
                  └── jsonrpsee v0.20.3
                      └── generate_message v0.1.0
                          └── (build) signer v0.1.0 (*)
```
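The two advisories above each carry a "Solution" line with the patched version ranges, and cargo-deny's verdict comes down to whether the locked version falls inside one of those ranges. The following is an added example, not code from this PR or from the project it touches: a std-only re-implementation of that check. It parses `name version` entries in the shape cargo-deny printed for `Cargo.lock`, looks each crate up in a small table holding the two RUSTSEC IDs with their solution strings copied verbatim, and reports what is still affected. The `Cargo.lock` lines in `SAMPLE_LOCK` are constructed for the demo from the versions shown in the output. It assumes plain `MAJOR.MINOR.PATCH` versions (no pre-release tags), Cargo's caret semantics for `^x.y.z`, and the solution grammar cargo-deny prints: alternatives joined by ` OR `, each a comma-separated list of `^`, `>=` or `<` comparators. Anything it cannot parse is treated as still affected, so a grammar it does not understand fails closed rather than silently passing.

```rust
// Added example, not part of the PR or the project. Re-implements, with std
// only, the advisory range check that cargo-deny performs on Cargo.lock.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse `MAJOR.MINOR.PATCH` (an optional leading `v` is tolerated).
    /// Assumption: no pre-release or build suffixes; those return None.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().trim_start_matches('v').split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// One alternative of a solution, e.g. `>=0.22.4, <0.23.0`:
/// an inclusive lower bound and an optional exclusive upper bound.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PatchedRange {
    pub min: Version,
    pub below: Option<Version>,
}

impl PatchedRange {
    fn parse(alt: &str) -> Option<PatchedRange> {
        let mut min = None;
        let mut below = None;
        for comp in alt.split(',').map(str::trim) {
            if let Some(v) = comp.strip_prefix('^') {
                let v = Version::parse(v)?;
                // Cargo caret: compatible up to the next bump of the leftmost non-zero component.
                let cap = if v.major > 0 {
                    Version { major: v.major + 1, minor: 0, patch: 0 }
                } else if v.minor > 0 {
                    Version { major: 0, minor: v.minor + 1, patch: 0 }
                } else {
                    Version { major: 0, minor: 0, patch: v.patch + 1 }
                };
                min = Some(v);
                below = Some(cap);
            } else if let Some(v) = comp.strip_prefix(">=") {
                min = Some(Version::parse(v)?);
            } else if let Some(v) = comp.strip_prefix('<') {
                below = Some(Version::parse(v)?);
            } else {
                return None; // comparator we do not model (e.g. `~`): fail closed
            }
        }
        Some(PatchedRange { min: min?, below })
    }

    pub fn contains(&self, v: Version) -> bool {
        v >= self.min && self.below.map_or(true, |b| v < b)
    }
}

/// Parse a cargo-deny `Solution:` line ("Upgrade to A OR B (try ...)") into its alternatives.
pub fn parse_solution(solution: &str) -> Option<Vec<PatchedRange>> {
    let spec = solution.trim();
    let spec = spec.strip_prefix("Upgrade to ").unwrap_or(spec);
    let spec = spec.split(" (try").next()?.trim(); // drop the `cargo update` hint
    spec.split(" OR ").map(PatchedRange::parse).collect()
}

/// True when `version` lies inside at least one patched alternative.
pub fn is_patched(version: Version, solution: &str) -> bool {
    parse_solution(solution)
        .map(|ranges| ranges.iter().any(|r| r.contains(version)))
        .unwrap_or(false)
}

pub struct Advisory {
    pub id: &'static str,
    pub krate: &'static str,
    pub solution: &'static str,
}

/// The two advisories from the cargo-deny output, solution strings verbatim.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2024-0332", krate: "h2",
               solution: "Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)" },
    Advisory { id: "RUSTSEC-2024-0336", krate: "rustls",
               solution: "Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)" },
];

/// Constructed sample in the `name version source` shape cargo-deny printed above.
pub const SAMPLE_LOCK: &str = "\
h2 0.3.24 registry+https://github.com/rust-lang/crates.io-index
hyper 0.14.20 registry+https://github.com/rust-lang/crates.io-index
rustls 0.21.6 registry+https://github.com/rust-lang/crates.io-index
tokio-rustls 0.24.1 registry+https://github.com/rust-lang/crates.io-index
";

/// Return `(advisory id, crate, version)` for every lock entry still affected.
/// An entry whose version cannot be parsed is reported as affected (fail closed).
pub fn check_lock(lock: &str) -> Vec<(String, String, String)> {
    let by_crate: HashMap<&str, &Advisory> = ADVISORIES.iter().map(|a| (a.krate, a)).collect();
    let mut hits = Vec::new();
    for line in lock.lines().map(str::trim).filter(|l| !l.is_empty()) {
        let mut cols = line.split_whitespace();
        let name = match cols.next() { Some(n) => n, None => continue };
        let ver = match cols.next() { Some(v) => v, None => continue };
        let adv = match by_crate.get(name) { Some(a) => *a, None => continue };
        match Version::parse(ver) {
            Some(v) if is_patched(v, adv.solution) => {}
            _ => hits.push((adv.id.to_string(), name.to_string(), ver.to_string())),
        }
    }
    hits
}

fn main() {
    for (id, krate, ver) in check_lock(SAMPLE_LOCK) {
        println!("{id}: {krate} {ver} is still affected");
    }
}
```

Run against the sample it flags exactly `h2 0.3.24` and `rustls 0.21.6`, the two entries cargo-deny complained about; `hyper` and `tokio-rustls` pass because no advisory in the table names them. The caret handling matters for `h2`: `^0.3.26` is satisfied by any `0.3.x` at or above `0.3.26` but not by `0.4.0` through `0.4.3`, which is why the advisory lists a separate `>=0.4.4` alternative.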