fix: deps #296
Security advisories found
3 advisory(ies), 4 unmaintained, 1 other
Details
Vulnerabilities
RUSTSEC-2022-0093
Double Public Key Signing Function Oracle Attack on
ed25519-dalek
Details | |
---|---|
Package | ed25519-dalek |
Version | 1.0.1 |
URL | https://github.com/MystenLabs/ed25519-unsafe-libs |
Date | 2022-06-11 |
Patched versions | >=2 |
Versions of ed25519-dalek
prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair
, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S
part of the signature,
but not in the R
value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R
and only differ on the S
part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek
do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.
RUSTSEC-2022-0083
evm incorrect state transition
Details | |
---|---|
Package | evm |
Version | 0.35.0 |
URL | rust-ethereum/evm#133 |
Date | 2022-10-25 |
Patched versions | >=0.36.0 |
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine.
A custom stateful precompile can use the is_static
parameter to determine if
the call is executed in a static context (via STATICCALL
), and thus decide
if stateful operations should be done.
Prior to version 0.36.0, the passed is_static
parameter was incorrect -- it
was only set to true
if the call came from a direct STATICCALL
opcode.
However, once a static call context is entered, it should stay static. The issue
only impacts custom precompiles that actually uses is_static
.
For those affected, the issue can lead to possible incorrect state transitions.
RUSTSEC-2022-0090
libsqlite3-sys
via C SQLite CVE-2022-35737
Details | |
---|---|
Package | libsqlite3-sys |
Version | 0.9.4 |
URL | https://nvd.nist.gov/vuln/detail/CVE-2022-35737 |
Date | 2022-08-03 |
Patched versions | >=0.25.1 |
It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf
function.
As libsqlite3-sys
bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys
was updated to bundle the patched version of SQLite here.
Warnings
RUSTSEC-2021-0139
ansi_term is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | ansi_term |
Version | 0.11.0 |
URL | ogham/rust-ansi-term#72 |
Date | 2021-08-18 |
The maintainer has advised that this crate is deprecated and will not receive any maintenance.
The crate does not seem to have much dependencies and may or may not be ok to use as-is.
Last release seems to have been three years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
Dependency Specific Migration(s)
RUSTSEC-2021-0139
ansi_term is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | ansi_term |
Version | 0.12.1 |
URL | ogham/rust-ansi-term#72 |
Date | 2021-08-18 |
The maintainer has advised that this crate is deprecated and will not receive any maintenance.
The crate does not seem to have much dependencies and may or may not be ok to use as-is.
Last release seems to have been three years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
Dependency Specific Migration(s)
RUSTSEC-2020-0095
difference is unmaintained
Details | |
---|---|
Status | unmaintained |
Package | difference |
Version | 2.0.0 |
URL | johannhof/difference.rs#45 |
Date | 2020-12-20 |
The author of the difference
crate is unresponsive.
Maintained alternatives:
RUSTSEC-2021-0141
dotenv is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | dotenv |
Version | 0.15.0 |
URL | dotenv-rs/dotenv#74 |
Date | 2021-12-24 |
dotenv by description is meant to be used in development or testing only.
Using this in production may or may not be advisable.
Alternatives
The below may or may not be feasible alternative(s):