This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate libp2p-quic

Dependencies

(17 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 async-std^1.12.01.13.0up to date
 bytes^1.6.01.9.0up to date
 futures^0.3.300.3.31up to date
 futures-timer^3.0.33.0.3up to date
 if-watch^3.2.03.2.1up to date
 libp2p-core^0.42.00.42.0up to date
 libp2p-identity^0.2.90.2.10up to date
 libp2p-tls^0.5.00.5.0up to date
 parking_lot^0.12.30.12.3up to date
 quinn^0.11.20.11.6up to date
 rand^0.8.50.8.5up to date
 ring^0.17.80.17.8up to date
 rustls ⚠️^0.23.90.23.20maybe insecure
 socket2^0.5.70.5.8up to date
 thiserror^1.0.612.0.7out of date
 tokio^1.381.42.0up to date
 tracing^0.1.370.1.41up to date

Dev dependencies

(8 total, all up-to-date)

CrateRequiredLatestStatus
 async-std^1.12.01.13.0up to date
 libp2p-identity^0.2.90.2.10up to date
 libp2p-noise^0.45.00.45.0up to date
 libp2p-tcp^0.42.00.42.0up to date
 libp2p-yamux^0.46.00.46.0up to date
 quickcheck^11.0.3up to date
 tokio^1.381.42.0up to date
 tracing-subscriber^0.30.3.19up to date

Security Vulnerabilities

rustls: rustls network-reachable panic in `Acceptor::accept`

RUSTSEC-2024-0399

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.