This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-connect

Dependencies

(17 total, 12 outdated, 5 possibly insecure)

CrateRequiredLatestStatus
 actix-codec ⚠️^0.1.20.5.2out of date
 actix-rt^0.2.52.10.0out of date
 actix-service^0.4.02.0.2out of date
 actix-utils^0.4.03.0.1out of date
 derive_more^0.151.0.0out of date
 either^1.5.21.13.0up to date
 futures^0.1.250.3.31out of date
 http ⚠️^0.1.171.1.0out of date
 log^0.40.4.22up to date
 openssl ⚠️^0.100.10.68maybe insecure
 rustls ⚠️^0.15.20.23.16out of date
 tokio-current-thread^0.1.50.1.7up to date
 tokio-openssl^0.30.6.5out of date
 tokio-rustls^0.9.10.26.0out of date
 tokio-tcp^0.1.30.1.4up to date
 trust-dns-resolver^0.11.00.23.2out of date
 webpki ⚠️^0.190.22.4out of date

Dev dependencies

(3 total, 2 outdated)

CrateRequiredLatestStatus
 actix-server-config^0.1.00.2.0out of date
 actix-test-server^0.2.20.2.2up to date
 bytes^0.41.8.0out of date

Security Vulnerabilities

http: Integer Overflow in HeaderMap::reserve() can cause Denial of Service

RUSTSEC-2019-0033

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

http: HeaderMap::Drain API is unsound

RUSTSEC-2019-0034

actix-codec: Use-after-free in Framed due to lack of pinning

RUSTSEC-2020-0049

Affected versions of this crate did not require the buffer wrapped in Framed to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the affected functions accept Pin<&mut Self> instead of &mut self.

webpki: webpki: CPU denial of service in certificate path building

RUSTSEC-2023-0052

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in https://github.com/briansmith/webpki/issues/69 and re-reported recently by Luke Malinowski.

webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.

rustls: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

RUSTSEC-2024-0336

If a close_notify alert is received during a handshake, complete_io does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io and are not affected.

rustls::Stream and rustls::StreamOwned types use complete_io and are affected.

openssl: `MemBio::get_buf` has undefined behavior with empty buffers

RUSTSEC-2024-0357

Previously, MemBio::get_buf called slice::from_raw_parts with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.