This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate attohttpc

Dependencies

(17 total, 5 outdated, 1 insecure)

CrateRequiredLatestStatus
 encoding_rs^0.80.8.28up to date
 encoding_rs_io^0.10.1.7up to date
 flate2^1.01.0.20up to date
 http^0.20.2.4up to date
 log^0.40.4.14up to date
 mime^0.30.3.16up to date
 multipart^0.17.00.17.1up to date
 native-tls^0.20.2.7up to date
 rustls^0.180.19.1out of date
 serde^11.0.125up to date
 serde_json^11.0.64up to date
 serde_urlencoded^0.60.7.0out of date
 url^22.2.1up to date
 webpki^0.210.22.0out of date
 webpki-roots^0.190.22.0out of date
 wildmatch^12.1.0out of date
 openssl^0.100.10.33insecure

Dev dependencies

(8 total, 5 outdated, 2 insecure)

CrateRequiredLatestStatus
 anyhow^11.0.40up to date
 env_logger^0.70.8.3out of date
 futures^0.30.3.14up to date
 futures-util^0.30.3.14insecure
 hyper^0.130.14.7insecure
 tokio^0.21.5.0out of date
 tokio-rustls^0.140.22.0out of date
 warp^0.2.30.3.1out of date

Security Vulnerabilities

openssl: Use after free in CMS Signing

RUSTSEC-2018-0010

Affected versions of the OpenSSL crate used structures after they'd been freed.

futures-util: MutexGuard::map can cause a data race in safe code

RUSTSEC-2020-0059

Affected versions of the crate had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U.

This could of led to data races in safe Rust code when a closure used in MutexGuard::map() returns U that is unrelated to T.

The issue was fixed by fixing Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too.

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".