This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate aws-smithy-runtime

Dependencies

(23 total, 5 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 aws-smithy-async^1.2.11.2.2up to date
 aws-smithy-http^0.60.110.60.11up to date
 aws-smithy-protocol-test^0.63.00.63.0up to date
 aws-smithy-runtime-api^1.7.31.7.3up to date
 aws-smithy-types^1.2.91.2.10up to date
 bytes^11.9.0up to date
 fastrand^2.0.02.3.0up to date
 h2 ⚠️^0.30.4.7out of date
 http^0.2.81.2.0out of date
 http-body^11.0.1up to date
 httparse^1.8.01.9.5up to date
 hyper^0.14.261.5.2out of date
 hyper-rustls^0.240.27.5out of date
 indexmap^22.7.0up to date
 once_cell^1.18.01.20.2up to date
 pin-project-lite^0.2.70.2.15up to date
 pin-utils^0.1.00.1.0up to date
 rustls ⚠️^0.21.80.23.20out of date
 serde^11.0.216up to date
 serde_json^11.0.134up to date
 tokio^1.251.42.0up to date
 tracing^0.1.370.1.41up to date
 tracing-subscriber^0.3.160.3.19up to date

Dev dependencies

(12 total, 2 outdated)

CrateRequiredLatestStatus
 approx^0.5.10.5.1up to date
 aws-smithy-async^1.2.11.2.2up to date
 aws-smithy-runtime-api^1.7.31.7.3up to date
 aws-smithy-types^1.2.91.2.10up to date
 fastrand~2.0.02.3.0out of date
 futures-util^0.3.290.3.31up to date
 http^11.2.0up to date
 hyper^0.14.271.5.2out of date
 pretty_assertions^1.4.01.4.1up to date
 tokio^1.251.42.0up to date
 tracing-subscriber^0.3.160.3.19up to date
 tracing-test^0.2.10.2.5up to date

Security Vulnerabilities

h2: Degradation of service in h2 servers with CONTINUATION Flood

RUSTSEC-2024-0332

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

rustls: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

RUSTSEC-2024-0336

If a close_notify alert is received during a handshake, complete_io does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io and are not affected.

rustls::Stream and rustls::StreamOwned types use complete_io and are affected.