iroh-quinn 0.12.0

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `iroh-quinn`

Dependencies

(17 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
async-executor	`^1.13.0`	`1.13.1`	up to date
async-fs	`^2.1`	`2.1.2`	up to date
async-global-executor	`^2.4.1`	`2.4.1`	up to date
async-io	`^2`	`2.4.0`	up to date
async-std	`^1.12`	`1.13.0`	up to date
bytes	`^1`	`1.9.0`	up to date
futures-io	`^0.3.19`	`0.3.31`	up to date
pin-project-lite	`^0.2`	`0.2.16`	up to date
iroh-quinn-proto	`^0.12.0`	`0.12.0`	up to date
rustc-hash	`^2`	`2.1.0`	up to date
rustls ⚠️	`^0.23.5`	`0.23.21`	maybe insecure
smol	`^2`	`2.0.2`	up to date
socket2	`^0.5`	`0.5.8`	up to date
thiserror	`^1.0.21`	`2.0.11`	out of date
tokio	`^1.28.1`	`1.43.0`	up to date
tracing	`^0.1.10`	`0.1.41`	up to date
iroh-quinn-udp	`^0.5`	`0.5.5`	up to date

Dev dependencies

(13 total, 1 outdated)

Crate	Required	Latest	Status
anyhow	`^1.0.22`	`1.0.95`	up to date
bencher	`^0.1.5`	`0.1.5`	up to date
clap	`^4.5`	`4.5.27`	up to date
crc	`^3`	`3.2.1`	up to date
directories-next	`^2`	`2.0.0`	up to date
rand	`^0.8`	`0.9.0`	out of date
rcgen	`^0.13`	`0.13.2`	up to date
rustls-pemfile	`^2`	`2.2.0`	up to date
tokio	`^1.28.1`	`1.43.0`	up to date
tokio-stream	`^0.1.15`	`0.1.17`	up to date
tracing-futures	`^0.2.0`	`0.2.5`	up to date
tracing-subscriber	`^0.3.1`	`0.3.19`	up to date
url	`^2`	`2.5.4`	up to date

Security Vulnerabilities

`rustls`: rustls network-reachable panic in `Acceptor::accept`

RUSTSEC-2024-0399

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.