This project contains known security vulnerabilities. Find detailed information at the bottom.
activitypub_federation(36 total, 10 outdated, 1 insecure, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| activitystreams-kinds | ^0.3.0 | 0.3.0 | up to date |
| actix-web | ^4.8.0 | 4.12.1 | up to date |
| async-trait | ^0.1.81 | 0.1.89 | up to date |
| axum | ^0.6.20 | 0.8.7 | out of date |
| base64 | ^0.22.1 | 0.22.1 | up to date |
| bytes | ^1.6.1 | 1.11.0 | up to date |
| chrono | ^0.4.38 | 0.4.42 | up to date |
| derive_builder | ^0.20.0 | 0.20.2 | up to date |
| diesel ⚠️ | ^2.2.1 | 2.3.4 | maybe insecure |
| dyn-clone | ^1.0.17 | 1.0.20 | up to date |
| enum_delegate | ^0.2.0 | 0.2.0 | up to date |
| futures | ^0.3.30 | 0.3.31 | up to date |
| futures-core | ^0.3.30 | 0.3.31 | up to date |
| http | ^0.2.12 | 1.4.0 | out of date |
| http-body-util | ^0.1.2 | 0.1.3 | up to date |
| http-signature-normalization | ^0.7.0 | 0.7.0 | up to date |
| http-signature-normalization-reqwest | ^0.10.0 | 0.13.0 | out of date |
| httpdate | ^1.0.3 | 1.0.3 | up to date |
| hyper ⚠️ | ^0.14 | 1.8.1 | out of date |
| itertools | ^0.13.0 | 0.14.0 | out of date |
| moka | ^0.12.8 | 0.12.11 | up to date |
| once_cell | ^1.19.0 | 1.21.3 | up to date |
| pin-project-lite | ^0.2.14 | 0.2.16 | up to date |
| rand | ^0.8.5 | 0.9.2 | out of date |
| regex | ^1.10.5 | 1.12.2 | up to date |
| reqwest | ^0.11.27 | 0.12.24 | out of date |
| reqwest-middleware | ^0.2.5 | 0.4.2 | out of date |
| rsa ⚠️ | ^0.9.6 | 0.9.9 | insecure |
| serde | ^1.0.204 | 1.0.228 | up to date |
| serde_json | ^1.0.120 | 1.0.145 | up to date |
| sha2 | ^0.10.8 | 0.10.9 | up to date |
| thiserror | ^1.0.62 | 2.0.17 | out of date |
| tokio | ^1.38.0 | 1.48.0 | up to date |
| tower | ^0.4.13 | 0.5.2 | out of date |
| tracing | ^0.1.40 | 0.1.43 | up to date |
| url | ^2.5.2 | 2.5.7 | up to date |
(6 total, 3 outdated)
| Crate | Required | Latest | Status |
|---|---|---|---|
| anyhow | ^1.0.86 | 1.0.100 | up to date |
| axum | ^0.6.20 | 0.8.7 | out of date |
| axum-macros | ^0.3.8 | 0.5.0 | out of date |
| env_logger | ^0.11.3 | 0.11.8 | up to date |
| tokio | ^1.38.0 | 1.48.0 | up to date |
| tower-http | ^0.5.2 | 0.6.7 | out of date |
hyper: Lenient `hyper` header parsing of `Content-Length` could allow request smugglinghyper's HTTP header parser accepted, according to RFC 7230, illegal contents inside Content-Length headers.
Due to this, upstream HTTP proxies that ignore the header may still forward them along if it chooses to ignore the error.
To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents
but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.
hyper: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data lossWhen decoding chunk sizes that are too large, hyper's code would encounter an integer overflow. Depending on the situation,
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.
To be vulnerable, you must be using hyper for any HTTP/1 purpose, including as a client or server, and consumers must send
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible,
any upstream proxies must accept a chunk size greater than 64 bits.
rsa: Marvin Attack: potential key recovery through timing sidechannelsDue to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
diesel: Binary Protocol Misinterpretation caused by Truncating or Overflowing CastsThe following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:
SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.) Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.
It appears Diesel does perform truncating casts in a way that could be problematic, for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36
This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.
The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes fixes for the problem.
As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.
For web application backends, consider adding some middleware that limits the size of request bodies by default.
Diesel now uses #[deny] directives for the following Clippy lints:
to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an audit of the relevant code.
A fix is included in the 2.2.3 release.