This project contains known security vulnerabilities. Find detailed information at the bottom.
attohttpc
(17 total, 3 outdated, 1 insecure)
Crate | Required | Latest | Status |
---|---|---|---|
encoding_rs | ^0.8 | 0.8.28 | up to date |
encoding_rs_io | ^0.1 | 0.1.7 | up to date |
flate2 | ^1.0 | 1.0.20 | up to date |
http | ^0.2 | 0.2.3 | up to date |
log | ^0.4 | 0.4.14 | up to date |
mime | ^0.3 | 0.3.16 | up to date |
multipart | ^0.17.0 | 0.17.1 | up to date |
native-tls | ^0.2 | 0.2.7 | up to date |
rustls | ^0.18 | 0.19.0 | out of date |
serde | ^1 | 1.0.123 | up to date |
serde_json | ^1 | 1.0.64 | up to date |
serde_urlencoded | ^0.6 | 0.7.0 | out of date |
url | ^2 | 2.2.1 | up to date |
webpki | ^0.21 | 0.21.4 | up to date |
webpki-roots | ^0.19 | 0.21.0 | out of date |
wildmatch | ^1 | 1.0.13 | up to date |
openssl | ^0.10 | 0.10.32 | insecure |
(8 total, 5 outdated, 2 insecure)
Crate | Required | Latest | Status |
---|---|---|---|
anyhow | ^1 | 1.0.38 | up to date |
env_logger | ^0.7 | 0.8.3 | out of date |
futures | ^0.3 | 0.3.13 | up to date |
futures-util | ^0.3 | 0.3.13 | insecure |
hyper | ^0.13 | 0.14.4 | insecure |
tokio | ^0.2 | 1.2.0 | out of date |
tokio-rustls | ^0.14 | 0.22.0 | out of date |
warp | ^0.2.3 | 0.3.0 | out of date |
openssl
: Use after free in CMS Signing
Affected versions of the OpenSSL crate used structures after they'd been freed.
futures-util
: MutexGuard::map can cause a data race in safe code
Affected versions of the crate had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U.
This could have led to data races in safe Rust code when a closure used in MutexGuard::map() returns a U that is unrelated to T.
The issue was fixed by correcting the Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too.
hyper
: Multiple Transfer-Encoding headers misinterprets request payload
hyper's HTTP server code had a flaw that incorrectly understood some requests with multiple Transfer-Encoding headers to have a chunked payload, when they should have been rejected as illegal. Combined with an upstream HTTP proxy that understands the request payload boundary differently, this can result in "request smuggling" or "desync attacks".