paritytech / libsecp256k1

Pure Rust Implementation of secp256k1.
Apache License 2.0

v0.3.5 vulnerable to RUSTSEC-2020-0146 #66

Closed t-nelson closed 2 years ago

t-nelson commented 3 years ago

The most recent Cargo release (v0.3.5) is vulnerable to https://rustsec.org/advisories/RUSTSEC-2020-0146

All of the affected dependencies are up to date in master. I'd PR a backport but there doesn't seem to be a release branch or consistent tagging :shrug:

A new v0.3.x release with dependencies patched would be great. Thanks!

michaelsproul commented 3 years ago

+1, this is affecting a lot of downstream Rust crypto deps including libp2p

(PS: @t-nelson I think you mean v0.3.5 rather than v0.5.3)

nothingismagick commented 3 years ago

In the Cargo.toml file of the latest commit: https://github.com/paritytech/libsecp256k1/blob/12e3829d6cd2d6459c2c920d7cf222f3a930b955/Cargo.toml#L5

mbrubeck commented 3 years ago

A patched version, generic-array 0.12.4, is now available, so any downstream projects affected by this can now fix it just by running:

cargo update -p generic-array:0.12.3

thibault-martinez commented 3 years ago

Any plans to release a version to patch this vulnerability?

mbrubeck commented 3 years ago

No changes to this project are needed since generic-array 0.12.4 was released. New downstream projects will use the latest compatible version by default, which includes the fix. Existing Cargo.lock files can be updated with cargo update.
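A check for the fix mbrubeck describes, added here as an example and not code from the thread or from the libsecp256k1 project: it parses a Cargo.lock and reports generic-array 0.12.x entries older than the patched 0.12.4, which is the only series this thread names (the sample lock file is constructed).

```python
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock fragment (not from the libsecp256k1 repository).
SAMPLE_LOCK = """\
[[package]]
name = "generic-array"
version = "0.12.3"

[[package]]
name = "generic-array"
version = "0.12.4"

[[package]]
name = "libsecp256k1"
version = "0.3.5"
dependencies = [
 "generic-array 0.12.3",
]
"""

# Patched 0.12.x release named in the thread; other generic-array series are
# not covered by this check.
PATCHED_0_12 = (0, 12, 4)

def parse_lock(text: str) -> List[Dict[str, str]]:
    """Return the name/version of every [[package]] entry in a Cargo.lock."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            pkgs.append({"name": name.group(1), "version": version.group(1)})
    return pkgs

def semver(v: str) -> Tuple[int, ...]:
    """Numeric tuple for a version string; a pre-release suffix is ignored."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def vulnerable_generic_array(text: str) -> List[str]:
    """List generic-array 0.12.x versions in the lock file that predate 0.12.4."""
    hits = []
    for p in parse_lock(text):
        ver = semver(p["version"])
        if p["name"] == "generic-array" and ver[:2] == (0, 12) and ver < PATCHED_0_12:
            hits.append(p["version"])
    return hits

if __name__ == "__main__":
    for v in vulnerable_generic_array(SAMPLE_LOCK):
        print(f"generic-array {v} predates 0.12.4: run `cargo update -p generic-array:{v}`")
```

Run it against a real Cargo.lock by replacing SAMPLE_LOCK with the file's contents; an empty result means every 0.12.x generic-array entry is already at or past the patched release.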