This project may be exposed to known security vulnerabilities. They can be excluded by tightening the version requirement of each affected dependency so that Cargo can no longer select a vulnerable release. Details are listed under Security Vulnerabilities at the bottom.

Crate crev-lib

Dependencies

(22 total, 12 outdated, 3 possibly insecure; ⚠️ marks a crate with a RustSec advisory, detailed under Security Vulnerabilities below)

Crate                   Required   Latest              Status
chrono ⚠️               ^0.4       0.4.37              maybe insecure
common_failures         ^0.1       0.2.0               out of date
crev-common             ^0.13.0    0.25.4              out of date
crev-data               ^0.13.0    0.25.7              out of date
crev-recursive-digest   ^0.2.1     0.6.0               out of date
default                 ^0.1       0.1.2               up to date
directories             ^2         5.0.1               out of date
failure                 ^0.1       0.1.8               up to date
git2                    ^0.9       0.18.3              out of date
ifmt                    ^0.2       0.3.3               out of date
insideout               ^0.2       0.2.0               up to date
log                     ^0.4       0.4.21              up to date
miscreant               ^0.4       N/A                 up to date
num_cpus                ^1         1.16.0              up to date
resiter                 ^0.3       0.5.0               out of date
rust-argon2             ^0.5       2.1.0               out of date
semver                  ^0.9       1.0.22              out of date
serde                   ^1         1.0.197             up to date
serde_cbor ⚠️           ^0.10      0.11.2              out of date
serde_yaml ⚠️           ^0.8       0.9.34+deprecated   out of date
tempdir                 ^0.3       0.3.7               up to date
walkdir                 ^2         2.5.0               up to date
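Whether a requirement from the table still admits a release an advisory lists as affected, as an added example; this is not deps.rs or crev-lib code. It implements Cargo's caret semantics for plain major.minor.patch versions (pre-release and build suffixes such as "+deprecated" are stripped, not compared). The first patched releases it checks against (serde_yaml 0.8.4, serde_cbor 0.10.2, chrono 0.4.20) are taken from the RustSec advisories cited below; the crate/requirement pairs are the flagged rows of the table.

```rust
// Added example, not deps.rs or crev-lib code: does a Cargo caret
// requirement still admit a release an advisory says is affected?
// Implements Cargo's caret semantics for plain major.minor.patch versions;
// pre-release and build suffixes (e.g. "+deprecated") are stripped, not
// compared. The first patched versions are taken from the RustSec
// advisories cited on this page.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Half-open range [lower, upper) that a caret requirement resolves to.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CaretReq {
    pub lower: Version,
    pub upper: Version,
}

/// Split "0.9.34+deprecated" into at most three numeric components.
fn components(s: &str) -> Option<Vec<u64>> {
    let core = s.trim().split(|c| c == '+' || c == '-').next()?;
    let nums: Vec<u64> = core
        .split('.')
        .map(|p| p.parse().ok())
        .collect::<Option<Vec<u64>>>()?;
    if nums.is_empty() || nums.len() > 3 {
        return None;
    }
    Some(nums)
}

pub fn parse_version(s: &str) -> Option<Version> {
    let n = components(s)?;
    let get = |i: usize| n.get(i).copied().unwrap_or(0);
    Some(Version(get(0), get(1), get(2)))
}

/// Cargo caret rules: "^0.4" is >=0.4.0 <0.5.0, "^1" is >=1.0.0 <2.0.0,
/// "^0.0.3" is >=0.0.3 <0.0.4. A bare "0.4" means the same as "^0.4".
pub fn parse_caret(req: &str) -> Option<CaretReq> {
    let given = components(req.trim().strip_prefix('^').unwrap_or(req.trim()))?;
    let lower = Version(given[0], *given.get(1).unwrap_or(&0), *given.get(2).unwrap_or(&0));
    // Bump the leftmost non-zero specified component (the last specified
    // one if all are zero) and zero everything after it.
    let bump = given.iter().position(|&x| x != 0).unwrap_or(given.len() - 1);
    let upper = match bump {
        0 => Version(given[0] + 1, 0, 0),
        1 => Version(0, given[1] + 1, 0),
        _ => Version(0, 0, given[2] + 1),
    };
    Some(CaretReq { lower, upper })
}

impl CaretReq {
    pub fn matches(&self, v: Version) -> bool {
        v >= self.lower && v < self.upper
    }
}

/// True when the requirement admits at least one release older than the
/// first patched one (the advisory's "patched >= X"). Only the manifest
/// requirement is consulted, as deps.rs does; a Cargo.lock may already pin
/// a newer release.
pub fn admits_unpatched(req: &str, patched_from: &str) -> Option<bool> {
    let r = parse_caret(req)?;
    let p = parse_version(patched_from)?;
    Some(r.lower < p)
}

/// The tightened requirement to put in Cargo.toml, or None if the current
/// one is already safe. When the patched release lies beyond the current
/// upper bound the result is a semver-incompatible upgrade.
pub fn tightened(req: &str, patched_from: &str) -> Option<String> {
    if !admits_unpatched(req, patched_from)? {
        return None;
    }
    let p = parse_version(patched_from)?;
    Some(format!("^{}.{}.{}", p.0, p.1, p.2))
}

fn main() {
    // Crate, requirement from the table above, first patched release, advisory.
    let checks = [
        ("serde_yaml", "^0.8", "0.8.4", "RUSTSEC-2018-0005"),
        ("serde_cbor", "^0.10", "0.10.2", "RUSTSEC-2019-0025"),
        ("chrono", "^0.4", "0.4.20", "RUSTSEC-2020-0159"),
    ];
    for (krate, req, patched, id) in checks {
        match tightened(req, patched) {
            Some(fix) => println!("{krate} {req}: admits versions affected by {id}; use {fix}"),
            None => println!("{krate} {req}: not affected by {id}"),
        }
    }
}
```

The check mirrors what deps.rs reports: it looks only at the manifest requirement, so a crate can be flagged even when Cargo.lock already pins a patched release; tightening the requirement is what makes the fix survive a fresh `cargo generate-lockfile`.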

Security Vulnerabilities

serde_yaml: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0005

Affected versions of this crate did not check the recursion depth while deserializing aliases.

This allows an attacker to supply a YAML document containing an anchor whose alias refers back to itself; resolving it recurses without bound, exhausts the stack and aborts the process.

The flaw was corrected by checking the recursion depth. It is fixed in serde_yaml 0.8.4; the requirement `^0.8` above still admits 0.8.0 through 0.8.3, so raise it to at least `^0.8.4`.

serde_cbor: Flaw in CBOR deserializer allows stack overflow

RUSTSEC-2019-0025

Affected versions of this crate did not check whether semantic tags were nested excessively during deserialization.

Because a tag with a number below 24 is encoded in a single head byte, an attacker can craft small (< 1 kB) CBOR documents consisting of hundreds of nested tags; each level costs a stack frame in the recursive deserializer, so the document causes a stack overflow.

The flaw was corrected by limiting the allowed number of nested tags. It is fixed in serde_cbor 0.10.2; the requirement `^0.10` above still admits 0.10.0 and 0.10.1, so raise it to at least `^0.10.2`.
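The guard both advisories describe, a depth counter threaded through every recursive call of the deserializer, as an added example; this is not serde_cbor or serde_yaml code. It is a minimal CBOR decoder for unsigned integers and semantic tags (major types 0 and 6) that rejects input past a fixed nesting depth, and it builds the kind of sub-1 kB nested-tag document the serde_cbor advisory describes (constructed here, not taken from the advisory). YAML anchors and aliases are not modelled; the serde_yaml fix applies the same idea to alias resolution. `MAX_DEPTH`, `Reader`, `Item` and `DecodeError` are names chosen for this example.

```rust
// Added example (not code from serde_cbor or serde_yaml): a minimal CBOR
// decoder for unsigned integers and semantic tags (major types 0 and 6)
// that bounds recursion depth. The depth counter is the fix both advisories
// on this page describe: serde_cbor for nested tags, serde_yaml for
// self-referencing aliases.

#[derive(Debug, PartialEq, Eq)]
pub enum Item {
    UInt(u64),
    Tagged(u64, Box<Item>),
}

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,
    Unsupported(u8),
    RecursionLimit,
    Trailing,
}

/// Maximum nesting the decoder will follow. A 1 kB document can hold
/// roughly a thousand nested single-byte tags, so the limit, not the input
/// size, is what bounds stack use.
pub const MAX_DEPTH: usize = 128;

struct Reader<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> Reader<'a> {
    fn byte(&mut self) -> Result<u8, DecodeError> {
        let b = *self.buf.get(self.pos).ok_or(DecodeError::Truncated)?;
        self.pos += 1;
        Ok(b)
    }

    /// Read the argument of a CBOR head byte: additional info 0..=23 is the
    /// value itself, 24..=27 mean 1/2/4/8 following big-endian bytes.
    fn argument(&mut self, info: u8) -> Result<u64, DecodeError> {
        let n = match info {
            0..=23 => return Ok(u64::from(info)),
            24 => 1,
            25 => 2,
            26 => 4,
            27 => 8,
            other => return Err(DecodeError::Unsupported(other)),
        };
        let mut v = 0u64;
        for _ in 0..n {
            v = (v << 8) | u64::from(self.byte()?);
        }
        Ok(v)
    }

    fn item(&mut self, depth: usize) -> Result<Item, DecodeError> {
        // The guard: refuse before spending another stack frame.
        if depth > MAX_DEPTH {
            return Err(DecodeError::RecursionLimit);
        }
        let head = self.byte()?;
        let (major, info) = (head >> 5, head & 0x1f);
        match major {
            0 => Ok(Item::UInt(self.argument(info)?)),
            6 => {
                let tag = self.argument(info)?;
                // Each nested tag costs one more frame; without the check
                // above this is the unbounded recursion the advisory describes.
                let inner = self.item(depth + 1)?;
                Ok(Item::Tagged(tag, Box::new(inner)))
            }
            other => Err(DecodeError::Unsupported(other)),
        }
    }
}

pub fn decode(buf: &[u8]) -> Result<Item, DecodeError> {
    let mut r = Reader { buf, pos: 0 };
    let item = r.item(0)?;
    if r.pos != buf.len() {
        return Err(DecodeError::Trailing);
    }
    Ok(item)
}

/// Constructed attack input: `n` tag-0 heads (0xC0) wrapped around uint 0,
/// n + 1 bytes in total, so 900 levels fit comfortably under 1 kB.
pub fn nested_tags(n: usize) -> Vec<u8> {
    let mut doc = vec![0xC0; n];
    doc.push(0x00);
    doc
}

/// Count the tag layers around a decoded item.
pub fn depth_of(item: &Item) -> usize {
    match item {
        Item::UInt(_) => 0,
        Item::Tagged(_, inner) => 1 + depth_of(inner),
    }
}

fn main() {
    for n in [3usize, 900] {
        let doc = nested_tags(n);
        match decode(&doc) {
            Ok(item) => println!("{} bytes: decoded, {} nested tags", doc.len(), depth_of(&item)),
            Err(e) => println!("{} bytes: rejected, {:?}", doc.len(), e),
        }
    }
}
```

The limit is checked on entry to each recursive call rather than after the input has been consumed, so the cost of a rejected document is bounded by `MAX_DEPTH` frames regardless of how many bytes follow.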

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

On Unix-like operating systems the affected functions call libc's `localtime_r`, which reads the `TZ` environment variable through `getenv`. If another thread modifies the environment at the same time (for example through `std::env::set_var`), the string `getenv` returned can be freed underneath it, and dereferencing the dangling pointer may segfault the process. The program's own code need not touch the environment: a third-party library doing so on another thread is enough, so this can occur without the user's knowledge.

Workarounds

No workarounds are known; the only remedy is upgrading to chrono 0.4.20 or later. The requirement `^0.4` above still admits 0.4.0 through 0.4.19, so raise it to at least `^0.4.20`.

References