Open mnhauke opened 1 day ago

Hello, I am one of the [openSUSE websocat package]() maintainers.

The package build routines nowadays include a check via `cargo audit` to only allow updates without security vulnerabilities. The current version v1.14.0 fails that check because of the following discovered vulnerabilities:

---

Such things are one of the reasons (or maybe the primary reason) why I rewrote it using modern dependencies.

It is impractical to close all those things - maybe porting the features to the 4.0.0 branch would be simpler.

I hope that most of the things should not be (easily) reachable from Websocat. For example:

> Lenient `hyper` header parsing of `Content-Length` could allow request smuggling

WebSockets do not use the `Content-Length` field.

> Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss

WebSockets do not use `Transfer-Encoding`.

> Potential segfault in the `time` crate

As far as I remember, it's about environment variables and setting the timezone or something like that. Obviously Websocat does not use `set_env`.

In general RUSTSECs rarely directly translate to exploitable vulnerabilities.

The most important security-related dependency - OpenSSL - should be up to date even with the v1 branch.

Maybe try to package `v4.0.0-alpha1` instead?

The only `cargo audit` warning there is that "`instant` is unmaintained" (RUSTSEC-2024-0384) (coming from a transitive dependency).

Note that a lot of Websocat1 features are missing at the moment (porting is tracked at #276). If Websocat is unpackaged at the moment it may be less of a problem, but an automatic update from `v1.13` to `4.0.0-alpha1` may not be a good idea.

> The current version v1.14.0 fails that check

Is it the first time openSUSE packages Websocat (i.e. v1.14.0 is a starting version) or is it an update?

v1.14.0 is not significantly different from `v1.13.0`, `v1.12.0` and so on in this regard - the `master` branch has been stuck with legacy deps for a long time.

Maybe the `cargo audit` requirement is a new one?

The only correctness change of `v1.14` compared to `v1.13` is prioritisation of pong replies over normal traffic. The rest are somewhat minor features, so sticking with 1.13 for some time should not be a large problem.
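The reply above argues that a `cargo audit` hit is a reachability question, not automatically a blocker. As an added example (not Websocat's or openSUSE's own tooling), here is a small triage script that separates hard vulnerabilities from informational warnings and records reviewed, unreachable advisories with a written reason; the JSON shape is an assumed, simplified form of `cargo audit --json` output, the sample is constructed, and the `RUSTSEC-0000-*` ids are placeholders.

```python
import json

# Constructed sample in the (assumed, simplified) shape of `cargo audit --json`:
# a "vulnerabilities.list" array plus a "warnings" map keyed by warning kind.
# Advisory titles come from the thread; RUSTSEC-0000-* ids are PLACEHOLDERS
# and the crate versions are made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {"found": True, "count": 2, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0001",
                      "title": "Lenient hyper header parsing of Content-Length could allow request smuggling"},
         "package": {"name": "hyper", "version": "1.2.3"}},
        {"advisory": {"id": "RUSTSEC-0000-0002",
                      "title": "Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss"},
         "package": {"name": "hyper", "version": "1.2.3"}},
    ]},
    "warnings": {"unmaintained": [
        {"kind": "unmaintained",
         "advisory": {"id": "RUSTSEC-2024-0384", "title": "instant is unmaintained"},
         "package": {"name": "instant", "version": "0.1.0"}},
    ]},
})

# Reviewed advisories: id -> why it is judged unreachable in this package.
# The reasons are the ones given in the thread; the review is a human decision.
REVIEWED_UNREACHABLE = {
    "RUSTSEC-0000-0001": "WebSocket traffic does not use the Content-Length field",
    "RUSTSEC-0000-0002": "WebSocket traffic does not use Transfer-Encoding",
}

def triage(audit_json, reviewed):
    """Split findings into blockers, accepted (reviewed) advisories and warnings."""
    report = json.loads(audit_json)
    result = {"blockers": [], "accepted": [], "warnings": []}
    for v in report.get("vulnerabilities", {}).get("list", []):
        aid, pkg = v["advisory"]["id"], v["package"]
        line = f'{aid} {pkg["name"]} {pkg["version"]}: {v["advisory"]["title"]}'
        if aid in reviewed:
            result["accepted"].append(f"{line} [accepted: {reviewed[aid]}]")
        else:
            result["blockers"].append(line)
    # Warnings (unmaintained, yanked, unsound) are informational: report, don't block.
    for kind, items in report.get("warnings", {}).items():
        for w in items:
            result["warnings"].append(f'{kind}: {w["package"]["name"]} ({w["advisory"]["id"]})')
    return result

def passes_gate(result):
    """Build gate: every vulnerability must be either fixed or explicitly reviewed."""
    return not result["blockers"]

if __name__ == "__main__":
    r = triage(SAMPLE_AUDIT_JSON, REVIEWED_UNREACHABLE)
    for key in ("blockers", "accepted", "warnings"):
        for line in r[key]:
            print(f"{key}: {line}")
    print("gate:", "pass" if passes_gate(r) else "FAIL")
```

An advisory stays a blocker until someone writes down why it is unreachable, which keeps the packager's decision auditable alongside the dependency bump.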