This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate exonum

Dependencies

(31 total, 25 outdated, 3 possibly insecure)

Crate                 Required   Latest    Status
actix                 =0.5.8     0.13.3    out of date
actix-web ⚠️          =0.6.15    4.5.1     out of date
atty                  =0.2.10    0.2.14    out of date
bit-vec               =0.5.0     0.6.3     out of date
byteorder             ^1.2.3     1.5.0     up to date
bytes                 =0.4.8     1.6.0     out of date
chrono ⚠️             =0.4.4     0.4.37    out of date
clap                  ^2.31.2    4.5.4     out of date
colored               ^1.6.0     2.1.0     out of date
env_logger            =0.5.10    0.11.3    out of date
exonum_rocksdb        ^0.7.4     0.7.6     up to date
exonum_sodiumoxide    ^0.0.20    0.0.24    out of date
failure               ^0.1.2     0.1.8     up to date
futures               =0.1.23    0.3.30    out of date
hex                   =0.3.2     0.4.3     out of date
log                   =0.4.3     0.4.21    out of date
os_info               ^1.0.1     3.8.2     out of date
rand                  =0.4.2     0.8.5     out of date
rust_decimal          =0.9.1     1.35.0    out of date
serde                 ^1.0.10    1.0.197   up to date
serde_derive          ^1.0.64    1.0.197   up to date
serde_json            ^1.0.19    1.0.115   up to date
snow ⚠️               =0.2.1     0.9.6     out of date
term                  =0.5.1     0.7.0     out of date
tokio-core            =0.1.17    0.1.18    out of date
tokio-io              =0.1.6     0.1.13    out of date
tokio-retry           =0.1.1     0.3.0     out of date
tokio-timer           =0.1.2     0.2.13    out of date
toml                  =0.4.6     0.8.12    out of date
uuid                  =0.6.5     1.8.0     out of date
vec_map               =0.8.1     0.8.2     out of date

⚠️ marks a crate whose required version range includes a known security advisory (see Security Vulnerabilities below).

Dev dependencies

(6 total, 4 outdated)

Crate                 Required   Latest    Status
criterion             =0.2.4     0.5.1     out of date
lazy_static           ^1.0.1     1.4.0     up to date
num                   =0.2.0     0.4.1     out of date
pretty_assertions     =0.5.1     1.4.0     out of date
proptest              =0.7.0     1.4.0     out of date
tempdir               =0.3.7     0.3.7     up to date

Security Vulnerabilities

actix-web: Multiple memory safety issues

RUSTSEC-2018-0019

Affected versions contain multiple memory safety issues, such as:

  • Unsoundly coercing immutable references to mutable references
  • Unsoundly extending lifetimes of strings
  • Adding the Send marker trait to objects that cannot be safely sent between threads

This may result in a variety of memory corruption scenarios, most likely use-after-free.

A significant refactoring effort has been conducted to resolve these issues.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

snow: Unauthenticated Nonce Increment in snow

RUSTSEC-2024-0011

There was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. For an attacker with privileges to inject packets into the channel over which the Noise session operates, this could allow a denial-of-service attack: by sending garbage data, the attacker could desynchronise the nonce and thereby prevent delivery of legitimate messages.

Note that this only affects those who are using the stateful TransportState, not those using StatelessTransportState.

This has been patched in version 0.9.5, and all users are recommended to update.