Deps.rs

matrix-sdk-crypto 0.6.0

[![dependency status](https://deps.rs/crate/matrix-sdk-crypto/0.6.0/status.svg)](https://deps.rs/crate/matrix-sdk-crypto/0.6.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate matrix-sdk-crypto

Dependencies

(26 total, 13 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 aes^0.8.10.8.4up to date
 async-trait^0.1.530.1.88up to date
 atomic^0.5.10.6.0out of date
 base64^0.13.00.22.1out of date
 bs58^0.4.00.5.1out of date
 byteorder^1.4.31.5.0up to date
 ctr^0.9.10.9.2up to date
 dashmap^5.2.06.1.0out of date
 event-listener^2.5.25.4.0out of date
 futures-util^0.3.210.3.31up to date
 hmac^0.12.10.12.1up to date
 http^0.2.61.3.1out of date
 matrix-sdk-common^0.6.00.11.0out of date
 matrix-sdk-qrcode^0.4.00.11.0out of date
 olm-rs^2.2.02.2.0up to date
 pbkdf2^0.11.00.12.2out of date
 rand^0.8.50.9.1out of date
 ruma^0.7.00.12.2out of date
 serde^1.0.1361.0.219up to date
 serde_json^1.0.791.0.140up to date
 sha2^0.10.20.10.9up to date
 thiserror^1.0.302.0.12out of date
 tokio ⚠️^1.181.45.0maybe insecure
 tracing^0.1.340.1.41up to date
 vodozemac ⚠️^0.3.00.9.0out of date
 zeroize^1.3.01.8.1up to date

Dev dependencies

(7 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 futures^0.3.210.3.31up to date
 http^0.2.61.3.1out of date
 indoc^1.0.42.0.6out of date
 matches^0.1.90.1.10up to date
 matrix-sdk-test^0.6.00.11.0out of date
 proptest^1.0.01.6.0up to date
 tokio ⚠️^1.7.01.45.0maybe insecure

Security Vulnerabilities

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

vodozemac: Usage of non-constant time base64 decoder could lead to leakage of secret key material

RUSTSEC-2024-0354

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

Impact

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper[1].