This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate acorn-lib

Dependencies

(74 total, 13 outdated, 1 insecure, 1 possibly insecure)

CrateRequiredLatestStatus
 acorn-macros^0.1.590.1.59up to date
 aho-corasick^1.1.41.1.4up to date
 ammonia^4.1.24.1.3up to date
 ariadne^0.6.00.6.0up to date
 async-trait^0.1.860.1.89up to date
 axum^0.8.90.8.9up to date
 bat^0.26.00.26.1up to date
 bon^3.8.13.9.3up to date
 chrono ⚠️^0.40.4.45maybe insecure
 color-eyre^0.6.50.6.5up to date
 comfy-table^7.1.47.2.2up to date
 console^0.16.10.16.4up to date
 convert_case^0.11.00.11.0up to date
 data-encoding^2.10.02.11.0up to date
 derive_more^2.1.12.1.1up to date
 directories^6.0.06.0.0up to date
 docx-rs^0.4.170.4.20up to date
 dotenvy^0.15.00.15.7up to date
 duckdb^1.10502.01.10504.0up to date
 eserde^0.10.1.7up to date
 exitcode^1.1.21.1.2up to date
 fancy-regex^0.17.00.18.0out of date
 flate2^1.1.51.1.9up to date
 fluent-uri^0.40.4.1up to date
 futures^0.3.320.3.32up to date
 glob^0.3.10.3.3up to date
 hashbrown^0.17.00.17.1up to date
 human-units^0.5.30.5.4up to date
 indicatif^0.18.20.18.6up to date
 is_executable^1.0.51.0.6up to date
 itertools^0.14.00.15.0out of date
 lazy_static^1.5.01.5.0up to date
 lychee-lib^0.23.00.24.2out of date
 nanoid^0.5.00.5.0up to date
 nucleo-matcher^0.3.10.3.1up to date
 owo-colors^4.3.04.3.0up to date
 percy-dom^0.10.00.10.2up to date
 petgraph^0.8.30.8.3up to date
 polars^0.53.00.54.4out of date
 quick-xml^0.39.10.41.0out of date
 rand^0.80.10.2out of date
 rayon^1.12.01.12.0up to date
 reqwest^0.13.20.13.4up to date
 ring^0.17.140.17.14up to date
 rmcp^1.5.02.2.0out of date
 rsa ⚠️^0.9.100.9.10insecure
 rusqlite^0.39.00.40.1out of date
 rust-embed^8.11.08.12.0up to date
 rust-ini^0.21.30.21.3up to date
 schemars^1.0.41.2.1up to date
 secrecy^0.10.30.10.3up to date
 serde^1.0.2251.0.228up to date
 serde_json^1.0.1491.0.150up to date
 serde_norway^0.9.420.9.42up to date
 serde_repr^0.10.1.20up to date
 serde_trim^1.1.01.1.0up to date
 serde_with^3.15.13.21.0up to date
 shell-words^1.1.01.1.1up to date
 shuck-linter^0.0.410.0.43out of date
 shuck-parser^0.0.410.0.43out of date
 similar^3.1.03.1.1up to date
 sophia^0.9.00.10.0out of date
 strum^0.28.00.28.0up to date
 sysinfo^0.38.20.39.6out of date
 tar^0.4.450.4.46up to date
 tera^1.20.02.0.0out of date
 tokio^1.48.01.52.3up to date
 tower^0.5.30.5.3up to date
 tracing^0.1.400.1.44up to date
 triomphe^0.1.150.1.16up to date
 urlencoding^2.1.32.1.3up to date
 validator^0.20.00.20.0up to date
 which^8.0.08.0.4up to date
 zip^8.5.18.6.0up to date

Dev dependencies

(8 total, 1 outdated)

CrateRequiredLatestStatus
 criterion^0.8.20.8.2up to date
 insta^1.47.21.48.0up to date
 mockall^0.14.00.15.0out of date
 pretty_assertions^1.4.11.4.1up to date
 proptest^1.9.01.11.0up to date
 similar-asserts^2.0.02.0.0up to date
 temp-env^0.3.60.3.6up to date
 zench^0.2.00.2.1up to date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

rsa: Marvin Attack: potential key recovery through timing sidechannels

RUSTSEC-2023-0071

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.