This project might be open to known security vulnerabilities, which can be avoided by tightening the version range of the affected dependencies. Detailed information is given at the bottom of the page.

Crate http-signature-normalization-actix

Dependencies

(11 total, 7 outdated, 2 possibly insecure)

Crate                          Required          Latest    Status
actix-http ⚠️                  ^2.0.0-alpha.2    3.6.0     out of date
actix-web                      ^3.0.0-alpha.1    4.5.1     out of date
base64                         ^0.11             0.22.0    out of date
bytes                          ^0.5.4            1.6.0     out of date
chrono ⚠️                      ^0.4.6            0.4.37    maybe insecure
futures                        ^0.3              0.3.30    up to date
http-signature-normalization   ^0.4.1            0.7.0     out of date
log                            ^0.4              0.4.21    up to date
sha2                           ^0.8              0.10.8    out of date
sha3                           ^0.8              0.10.8    out of date
thiserror                      ^1.0              1.0.58    up to date

Dev dependencies

(3 total, 3 outdated)

Crate               Required           Latest    Status
actix               ^0.10.0-alpha.1    0.13.3    out of date
actix-rt            ^1.0.0             2.9.0     out of date
pretty_env_logger   ^0.4               0.5.0     out of date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

On Unix-like operating systems the process may segfault by dereferencing a dangling pointer in specific circumstances. The crash requires the time zone environment variable to be modified from a different thread while the affected functions (which call `localtime_r`) are reading it. This may happen without the user's knowledge, notably when a third-party library sets the variable.

Workarounds

No workarounds are known.

actix-http: Potential request smuggling capabilities due to lack of input validation

RUSTSEC-2021-0081

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks, so it is recommended that they are also kept up to date; check your specific setup. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1: several downgrade attacks are known that can also expose HRS vulnerabilities.
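The advisory above says the affected actix-http versions "did not properly detect invalid requests", but does not list them. The check a back-end needs in order not to be desynchronised from its front-end proxy is the one from RFC 7230 section 3.3.3: a request whose body length is ambiguous (both Transfer-Encoding and Content-Length, conflicting Content-Length values, a non-numeric length, a Transfer-Encoding that does not end in "chunked", or header syntax such as obs-fold and whitespace before the colon) must be rejected, not guessed at. The following is an added example that illustrates that class of check in Rust; it is not code from actix-http or http-signature-normalization-actix, and the names `classify_framing`, `Framing` and `FramingError` are this example's own.

```rust
// Added example, not part of the original page or of the actix-http fix:
// a minimal HTTP/1 header-framing check that rejects requests whose body
// length is ambiguous under RFC 7230 section 3.3.3. The request strings in
// main() are constructed for illustration.

#[derive(Debug, PartialEq)]
pub enum Framing {
    /// No body: neither Content-Length nor Transfer-Encoding is present.
    Empty,
    /// Body delimited by a single, unambiguous Content-Length.
    Length(u64),
    /// Body delimited by the chunked transfer coding.
    Chunked,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    MalformedHeaderLine(String),
    ConflictingContentLength,
    InvalidContentLength(String),
    TransferEncodingWithContentLength,
    UnsupportedTransferEncoding(String),
}

/// Parse the header block of a raw HTTP/1 request (everything before the
/// blank line) and decide how the body is framed, or reject the request.
pub fn classify_framing(raw: &str) -> Result<Framing, FramingError> {
    let head = raw.split("\r\n\r\n").next().unwrap_or("");
    let mut lines = head.split("\r\n");
    let _request_line = lines.next();

    let mut content_length: Option<u64> = None;
    let mut transfer_encoding: Option<String> = None;

    for line in lines.filter(|l| !l.is_empty()) {
        // obs-fold (a continuation line starting with whitespace) is deprecated
        // and a classic smuggling vector; reject it instead of interpreting it.
        if line.starts_with(' ') || line.starts_with('\t') {
            return Err(FramingError::MalformedHeaderLine(line.to_string()));
        }
        let (name, value) = line
            .split_once(':')
            .ok_or_else(|| FramingError::MalformedHeaderLine(line.to_string()))?;
        // Whitespace between the field name and the colon is invalid (RFC 7230 3.2.4)
        // and is handled differently by different parsers.
        if name.ends_with(' ') || name.ends_with('\t') {
            return Err(FramingError::MalformedHeaderLine(line.to_string()));
        }
        let value = value.trim();
        match name.to_ascii_lowercase().as_str() {
            "content-length" => {
                // Content-Length may be repeated only if every value is identical,
                // and each value must be a plain decimal integer (no sign, no junk).
                for v in value.split(',').map(str::trim) {
                    let all_digits = !v.is_empty() && v.bytes().all(|b| b.is_ascii_digit());
                    let n = match v.parse::<u64>() {
                        Ok(n) if all_digits => n,
                        _ => return Err(FramingError::InvalidContentLength(v.to_string())),
                    };
                    if let Some(prev) = content_length {
                        if prev != n {
                            return Err(FramingError::ConflictingContentLength);
                        }
                    }
                    content_length = Some(n);
                }
            }
            "transfer-encoding" => {
                let te = transfer_encoding.get_or_insert_with(String::new);
                if !te.is_empty() {
                    te.push(',');
                }
                te.push_str(value);
            }
            _ => {}
        }
    }

    match (transfer_encoding, content_length) {
        // Both present: the proxy and the back-end may disagree on the body
        // boundary, which is exactly the desynchronisation HRS exploits.
        (Some(_), Some(_)) => Err(FramingError::TransferEncodingWithContentLength),
        (Some(te), None) => {
            // Only a coding list whose final coding is exactly "chunked" is
            // unambiguous; variants such as "xchunked" are rejected.
            let chunked = te
                .rsplit(',')
                .next()
                .map(str::trim)
                .map_or(false, |c| c.eq_ignore_ascii_case("chunked"));
            if chunked { Ok(Framing::Chunked) } else { Err(FramingError::UnsupportedTransferEncoding(te)) }
        }
        (None, Some(n)) => Ok(Framing::Length(n)),
        (None, None) => Ok(Framing::Empty),
    }
}

fn main() {
    // Constructed sample requests: one clean, one classic CL.TE smuggling shape.
    let clean = "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello";
    let cl_te = "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
    println!("{:?}", classify_framing(clean));
    println!("{:?}", classify_framing(cl_te));
}
```

A real server rejects with `400 Bad Request` and closes the connection on any `Err`, because once the framing is ambiguous the bytes that follow cannot be trusted to belong to the same request the proxy thinks it forwarded.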