Deps.rs

mbedtls 0.4.0

[![dependency status](https://deps.rs/crate/mbedtls/0.4.0/status.svg)](https://deps.rs/crate/mbedtls/0.4.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate mbedtls

Dependencies

(12 total, 6 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 bitflags^12.5.0out of date
 block-modes^0.30.9.1out of date
 byteorder^1.0.01.5.0up to date
 chrono ⚠️^0.40.4.38maybe insecure
 core_io^0.10.1.20210325up to date
 mbedtls-sys-auto^2.18.02.28.7up to date
 rc2^0.30.8.1out of date
 rs-libc^0.1.00.2.4out of date
 serde^1.0.71.0.198up to date
 serde_derive^1.0.71.0.198up to date
 spin ⚠️^0.4.00.9.8out of date
 yasna^0.20.5.2out of date

Dev dependencies

(4 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 hex^0.30.4.3out of date
 libc^0.2.00.2.153up to date
 rand^0.4.00.8.5out of date
 serde_cbor ⚠️^0.60.11.2out of date

Security Vulnerabilities

spin: Wrong memory orderings in RwLock potentially violates mutual exclusion

RUSTSEC-2019-0013

Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded.

Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the spin_no_std feature enabled) are NOT affected.

On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way.

The flaw was corrected by https://github.com/mvdnes/spin-rs/pull/66.

serde_cbor: Flaw in CBOR deserializer allows stack overflow

RUSTSEC-2019-0025

Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization.

This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow.

The flaw was corrected by limiting the allowed number of nested tags.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References