search

sfackler / rust-native-tls

Apache License 2.0
480 stars 202 forks source link

`openssl` `X509VerifyParamRef::set_host` buffer over-read #270

Closed chainyo closed 1 year ago

chainyo commented 1 year ago

This PR aims to upgrade the openssl and openssl-sys dependencies to avoid a discovered vulnerability.

Here is the cargo audit output I get on openssl v0.10.54.

Crate:     openssl
Version:   0.10.54
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55
Dependency tree:
openssl 0.10.54
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.18
    │   └── hyper-tls 0.5.0
    │       └── reqwest 0.11.18
    ├── reqwest 0.11.18
    └── hyper-tls 0.5.0

error: 1 vulnerability found!
sfackler commented 1 year ago

cargo update

chainyo commented 1 year ago

cargo update

Yes, thanks for pointing out this command, obviously I did that for my project.

Is there any reason to keep old patch versions for crates in Rust projects?

sfackler commented 1 year ago

It avoids a ton of completely pointless churn.