This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate edcert

Dependencies

(4 total, 3 outdated, 1 insecure, 2 possibly insecure)

Crate               Required   Latest   Status
chrono ⚠️           ^0.2       0.4.38   out of date
rustc-serialize ⚠️  ^0.3       0.3.25   insecure
secrets             ^0.11.1    1.2.0    out of date
sodiumoxide ⚠️      ^0.0.12    0.2.7    out of date

Security Vulnerabilities

sodiumoxide: scalarmult() vulnerable to degenerate public keys

RUSTSEC-2017-0001

The scalarmult() function in previous versions of this crate accepted all-zero public keys. For such a key the resulting Diffie-Hellman shared secret is always zero, regardless of the private key used, so a peer who supplies one learns (and fixes) the shared secret without knowing anything about the private key.

This issue was fixed by checking for this class of keys and rejecting them when they are used.
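The shape of that fix, as an added example that is not sodiumoxide's code: a guard that rejects an all-zero public key before the scalar multiplication runs. The curve operation itself is passed in as a closure (and a toy XOR stand-in named toy_scalarmult is used so the example runs without a curve library); both are assumptions of this example, not anything from the crate.

```rust
// Added example: guard against the all-zero public key class described in
// RUSTSEC-2017-0001. Constructed illustration code, not sodiumoxide's.

#[derive(Debug, PartialEq, Eq)]
pub enum KeyError {
    /// The peer supplied a public key consisting entirely of zero bytes.
    DegeneratePublicKey,
}

/// Returns true if every byte of `key` is zero. The bytes are OR-ed together
/// instead of returning at the first non-zero byte, so the running time does
/// not depend on where that byte sits.
pub fn is_all_zero(key: &[u8]) -> bool {
    key.iter().fold(0u8, |acc, &b| acc | b) == 0
}

/// Runs `scalarmult(secret, public)` only after the public key has passed the
/// degenerate-key check. `scalarmult` stands in for the real curve operation
/// (a hypothetical closure supplied by the caller).
pub fn checked_scalarmult<F>(
    secret: &[u8; 32],
    public: &[u8; 32],
    scalarmult: F,
) -> Result<[u8; 32], KeyError>
where
    F: FnOnce(&[u8; 32], &[u8; 32]) -> [u8; 32],
{
    if is_all_zero(public) {
        return Err(KeyError::DegeneratePublicKey);
    }
    Ok(scalarmult(secret, public))
}

/// Stand-in for a curve operation so the example runs offline: XORs the two
/// inputs byte-wise. This is NOT a Diffie-Hellman computation; a real
/// scalar multiplication would go here.
pub fn toy_scalarmult(secret: &[u8; 32], public: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    for i in 0..32 {
        out[i] = secret[i] ^ public[i];
    }
    out
}

fn main() {
    let secret = [0x42u8; 32]; // constructed sample secret
    let good_public = [0x07u8; 32]; // constructed sample public key
    let zero_public = [0u8; 32]; // the degenerate class from the advisory

    println!("{:?}", checked_scalarmult(&secret, &good_public, toy_scalarmult));
    println!("{:?}", checked_scalarmult(&secret, &zero_public, toy_scalarmult));
}
```

The guard belongs in front of the primitive, not in the caller, so that every key-agreement path in the crate gets it; a caller that forgets the check is exactly how the original bug reached users.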

sodiumoxide: generichash::Digest::eq always returns true

RUSTSEC-2019-0026

The PartialEq implementation for generichash::Digest compared the digest to itself instead of to the other operand.

As a result, Digest::eq always returns true and Digest::ne always returns false, so any two digests compare equal.
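The bug class reconstructed on a toy type, as an added example that is not sodiumoxide's code: BuggyDigest reproduces the self-to-self comparison, Digest shows the corrected one, and compare_distinct is the unit test that would have caught it. The 32-byte width and the names are assumptions of this example.

```rust
// Added example: the "compares itself to itself" PartialEq mistake from
// RUSTSEC-2019-0026, beside the corrected comparison. Constructed code.

/// Toy 32-byte digest whose PartialEq has the flaw described above.
#[derive(Clone, Copy, Debug)]
pub struct BuggyDigest(pub [u8; 32]);

impl PartialEq for BuggyDigest {
    fn eq(&self, _other: &Self) -> bool {
        // Bug: the right-hand side should be `_other.0`, not `self.0`.
        self.0[..] == self.0[..]
    }
}

/// The same type with the comparison done against the other operand.
/// `#[derive(PartialEq)]` would generate exactly this and avoid the mistake.
#[derive(Clone, Copy, Debug)]
pub struct Digest(pub [u8; 32]);

impl PartialEq for Digest {
    fn eq(&self, other: &Self) -> bool {
        self.0[..] == other.0[..]
    }
}
impl Eq for Digest {}

/// Constant-time digest equality: ORs the byte-wise differences so the
/// running time does not depend on the position of the first mismatch.
/// Preferable whenever a digest comparison gates an authentication decision.
pub fn ct_eq(a: &[u8; 32], b: &[u8; 32]) -> bool {
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The test that would have caught the bug: two digests differing in one
/// byte must compare unequal. Returns (buggy_result, fixed_result).
pub fn compare_distinct() -> (bool, bool) {
    let a = [0x11u8; 32]; // constructed sample digest
    let mut b = a;
    b[31] = 0x12; // differs in the last byte only
    (BuggyDigest(a) == BuggyDigest(b), Digest(a) == Digest(b))
}

fn main() {
    let (buggy, fixed) = compare_distinct();
    println!("buggy eq on distinct digests: {}", buggy);
    println!("fixed eq on distinct digests: {}", fixed);
}
```

A single assertion that two different digests are unequal is enough to catch this class of bug, which is why a PartialEq written by hand should always come with that test.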

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

On Unix-like operating systems the process may segfault by dereferencing a dangling pointer under specific circumstances. This requires an environment variable to be set from a thread other than the one calling the affected functions. It may occur without the user's knowledge, notably inside a third-party library.

Workarounds

No workarounds are known.

rustc-serialize: Stack overflow in rustc_serialize when parsing deeply nested JSON

RUSTSEC-2022-0004

When parsing JSON using json::Json::from_str, there is no limit on recursion depth, so deeply nested objects can exhaust the stack and cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability is

// Builds 10000 unclosed nested arrays; each level adds a recursive call
// inside the parser, and the stack runs out before the input is consumed.
fn main() {
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}

serde is recommended as a replacement for rustc_serialize.
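Where replacing the parser is not immediately possible, a bounded nesting-depth scan in front of it stops the trigger above from reaching the recursive code. The following is an added example, not rustc_serialize's or serde's code; the limit of 128 and the function names are assumptions of this example.

```rust
// Added example: non-recursive pre-parse guard that bounds JSON nesting depth,
// so the input from the advisory is rejected before a recursive parser sees it.
// Constructed code, not part of rustc_serialize or serde.

use std::fmt;

#[derive(Debug, PartialEq, Eq)]
pub struct DepthExceeded {
    pub limit: usize,
    pub at_byte: usize,
}

impl fmt::Display for DepthExceeded {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "JSON nesting deeper than {} at byte {}", self.limit, self.at_byte)
    }
}

/// Scans `input` in a single pass, without recursion, and returns the deepest
/// array/object nesting seen, or an error as soon as `limit` is exceeded.
/// Brackets inside string literals (including after escaped quotes) are ignored.
pub fn max_nesting_depth(input: &str, limit: usize) -> Result<usize, DepthExceeded> {
    let mut depth = 0usize;
    let mut deepest = 0usize;
    let mut in_string = false;
    let mut escaped = false;

    for (pos, byte) in input.bytes().enumerate() {
        if in_string {
            if escaped {
                escaped = false;
            } else if byte == b'\\' {
                escaped = true;
            } else if byte == b'"' {
                in_string = false;
            }
            continue;
        }
        match byte {
            b'"' => in_string = true,
            b'[' | b'{' => {
                depth += 1;
                if depth > limit {
                    return Err(DepthExceeded { limit, at_byte: pos });
                }
                deepest = deepest.max(depth);
            }
            // Unbalanced closers are left for the real parser to reject.
            b']' | b'}' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    Ok(deepest)
}

/// Guard to call before handing untrusted JSON to a recursive parser:
/// `Ok(())` means the input stays within the chosen depth limit.
pub fn check_before_parse(input: &str) -> Result<(), DepthExceeded> {
    const MAX_DEPTH: usize = 128; // arbitrary limit chosen for this example
    max_nesting_depth(input, MAX_DEPTH).map(|_| ())
}

fn main() {
    // The advisory's trigger: 10000 nested arrays that are never closed.
    let hostile = "[0,[".repeat(10000);
    match check_before_parse(&hostile) {
        Ok(()) => println!("input accepted"),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The scan costs one pass over the bytes and a few local variables, so it cannot itself be driven into a stack overflow; the real parser still has to reject malformed input, the guard only bounds how deep it will recurse.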