
Bump openssl from 0.10.66 to 0.10.68 #172


Commit: Bump openssl from 0.10.66 to 0.10.68 (01fb3c5)

GitHub Actions / Security audit failed Oct 17, 2024 in 0s

Security advisories found

1 advisories, 1 unmaintained, 6 other

Details

Vulnerabilities

RUSTSEC-2024-0019

Tokens for named pipes may be delivered after deregistration

Details
Package mio
Version 0.8.8
URL GHSA-r8w9-5wcg-vfj7
Date 2024-03-04
Patched versions >=0.8.11
Unaffected versions <0.7.2

Impact

When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.

For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.

The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.

Affected versions

This vulnerability has been fixed in mio v0.8.11.

All versions of mio between v0.7.2 and v0.8.10 are vulnerable.

Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.

Workarounds

Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.

Technical details

When an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that once an IO resource is deregistered, it will never return the token for that IO resource again. However, for named pipes on Windows, mio may sometimes deliver the token for a named pipe even though the named pipe has previously been deregistered.
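The advisory's workaround ("detecting and ignoring invalid tokens") and the token-delivery contract described above can be made concrete with a generation-tagged registry: the token encodes a slot index plus a generation counter, so a token delivered after deregistration (even if the slot has since been reused) fails lookup instead of being dereferenced. This is an added illustration, not code from mio, Tokio or this repository; `Registry`, `Token` and `handle_event` are hypothetical names, and no Windows named pipe is involved, the stale-token scenario is simulated in memory.

```rust
// Added example: stale readiness tokens become detectable instead of
// resolving to freed state, which is what the RUSTSEC-2024-0019 workaround asks for.
// Token packs (slot index << 32) | generation into a u64 (mio's Token is a usize;
// u64 is used here so the packing is the same on 32- and 64-bit targets).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Token(pub u64);

struct Slot<T> { generation: u32, value: Option<T> }

pub struct Registry<T> { slots: Vec<Slot<T>> }

impl<T> Registry<T> {
    pub fn new() -> Self { Registry { slots: Vec::new() } }

    /// Register a resource and hand back a token carrying the slot's current generation.
    pub fn register(&mut self, value: T) -> Token {
        // Reuse a free slot if one exists: this is exactly when a stale token
        // would alias a different, newer resource if generations were not checked.
        if let Some(idx) = self.slots.iter().position(|s| s.value.is_none()) {
            self.slots[idx].value = Some(value);
            return Token(Self::encode(idx, self.slots[idx].generation));
        }
        self.slots.push(Slot { generation: 0, value: Some(value) });
        Token(Self::encode(self.slots.len() - 1, 0))
    }

    /// Deregister: drop the value and bump the generation so the old token stops matching.
    pub fn deregister(&mut self, token: Token) -> bool {
        let (idx, gen) = Self::decode(token);
        match self.slots.get_mut(idx) {
            Some(slot) if slot.generation == gen && slot.value.is_some() => {
                slot.value = None;
                slot.generation = slot.generation.wrapping_add(1);
                true
            }
            _ => false,
        }
    }

    /// Resolve a delivered token; None for deregistered, reused or bogus tokens.
    pub fn lookup(&self, token: Token) -> Option<&T> {
        let (idx, gen) = Self::decode(token);
        self.slots.get(idx).filter(|s| s.generation == gen).and_then(|s| s.value.as_ref())
    }

    fn encode(idx: usize, gen: u32) -> u64 { ((idx as u64) << 32) | gen as u64 }
    fn decode(t: Token) -> (usize, u32) { ((t.0 >> 32) as usize, (t.0 & 0xffff_ffff) as u32) }
}

/// Event-loop side of the workaround: a token that no longer resolves is ignored, not acted on.
pub fn handle_event<T: AsRef<str>>(reg: &Registry<T>, token: Token) -> Result<String, String> {
    match reg.lookup(token) {
        Some(res) => Ok(format!("ready: {}", res.as_ref())),
        None => Err(format!("ignored stale token {:?}", token)),
    }
}
```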

This vulnerability was originally reported in the Tokio issue tracker: tokio-rs/tokio#6369
This vulnerability was fixed in: tokio-rs/mio#1760

Thank you to @rofoun and @radekvit for discovering and reporting this issue.

Warnings

RUSTSEC-2024-0320

yaml-rust is unmaintained.

Details
Status unmaintained
Package yaml-rust
Version 0.4.5
URL rustsec/advisory-db#1921
Date 2024-03-20

The maintainer seems unreachable.

Many issues and pull requests have been submitted over the years without any response.

Alternatives

Consider switching to the actively maintained yaml-rust2 fork of the original project:

Crate futures-util is yanked

No extra details provided.

Crate hermit-abi is yanked

No extra details provided.

Crate pest is yanked

No extra details provided.

Crate pest_derive is yanked

No extra details provided.

Crate pest_generator is yanked

No extra details provided.

Crate pest_meta is yanked

No extra details provided.