imager 0.0.6

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `imager`

Dependencies

(21 total, 11 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
actix-web	`^1.0.8`	`4.5.1`	out of date
clap	`^2.33`	`4.5.4`	out of date
colourado	`^0.2.0`	`0.2.0`	up to date
either	`^1`	`1.11.0`	up to date
futures	`^0.1.29`	`0.3.30`	out of date
glob	`^0.3`	`0.3.1`	up to date
http ⚠️	`^0.1.18`	`1.1.0`	out of date
image	`^0.22`	`0.25.1`	out of date
imageproc	`^0.19`	`0.24.0`	out of date
indicatif	`^0.12.0`	`0.17.8`	out of date
itertools	`^0.8.0`	`0.12.1`	out of date
lazy_static	`^1.4.0`	`1.4.0`	up to date
libc	`^0.2`	`0.2.153`	up to date
mozjpeg-sys	`^0.10`	`2.1.0`	out of date
rand	`^0.7`	`0.8.5`	out of date
rayon	`^1.1.0`	`1.10.0`	up to date
serde	`^1.0`	`1.0.198`	up to date
serde_json	`^1.0`	`1.0.116`	up to date
structopt	`^0.2`	`0.3.26`	out of date
tempfile	`^3.1.0`	`3.10.1`	up to date
vmaf-sys	`^0.0.10`	`0.0.10`	up to date

Security Vulnerabilities

`http`: Integer Overflow in HeaderMap::reserve() can cause Denial of Service

RUSTSEC-2019-0033

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

`http`: HeaderMap::Drain API is unsound

RUSTSEC-2019-0034

Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API.

Failing to drop the Drain struct causes double-free, and it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation.