This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate mail-headers

Dependencies

(11 total, 1 outdated, 2 insecure, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| chrono ⚠️ | ^0.4 | 0.4.37 | maybe insecure |
| failure | ^0.1 | 0.1.8 | up to date |
| mail-internals ⚠️ | ^0.2.3 | 0.2.3 | insecure |
| media-type | ^0.4.0-unstable | 0.0.1 | up to date |
| nom | ^3.1.0 | 7.1.3 | out of date |
| owning_ref ⚠️ | ^0.4 | 0.4.1 | insecure |
| quoted-string | ^0.6 | 0.6.1 | up to date |
| serde | ^1.0 | 1.0.197 | up to date |
| soft-ascii-string | ^1 | 1.1.0 | up to date |
| total-order-multi-map | ^0.4.5 | 0.4.6 | up to date |
| vec1 | ^1.3.0 | 1.12.0 | up to date |

Dev dependencies

(1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde_test | ^1.0.80 | 1.0.176 | up to date |

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

owning_ref: Multiple soundness issues in `owning_ref`

RUSTSEC-2022-0040

  • OwningRef::map_with_owner is unsound and may result in a use-after-free.
  • OwningRef::map is unsound and may result in a use-after-free.
  • OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
  • The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

safer_owning_ref is a replacement crate which fixes these issues. No patched versions of the original crate are available, and the maintainer is unresponsive.

mail-internals: Use-after-free in `vec_insert_bytes`

RUSTSEC-2023-0054

Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng crate (along with mail-headers-ng and mail-core-ng) has been published, which fixes both this issue and a dependency on another unsound crate.