This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate mix_link

Dependencies

(5 total, 2 outdated, 1 possibly insecure)

Crate             Required   Latest   Status
byteorder         ^1.2.2     1.5.0    up to date
ecdh_wrapper      ^0.0.9     0.0.9    up to date
snow ⚠️           ^0.4.2     0.9.6    out of date
sphinxcrypto      ^0.0.19    0.1.1    out of date
subtle            ^2         2.5.0    up to date

Dev dependencies

(2 total, 1 outdated, 1 insecure)

Crate               Required   Latest   Status
rand                ^0.4.2     0.8.5    out of date
rustc-serialize ⚠️  ^0.3.24    0.3.25   insecure

Security Vulnerabilities

rustc-serialize: Stack overflow in rustc_serialize when parsing deeply nested JSON

RUSTSEC-2022-0004

When parsing JSON using json::Json::from_str, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability:

fn main() {
    // Builds a string of 10000 unclosed "[0,[" prefixes; the recursive-descent
    // parser in rustc_serialize descends once per nesting level with no depth
    // limit, so the stack is exhausted and the process aborts.
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}

serde is recommended as a replacement for rustc_serialize.

snow: Unauthenticated Nonce Increment in snow

RUSTSEC-2024-0011

There was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. For an attacker with privileges to inject packets into the channel over which the Noise session operates, this could allow a denial-of-service attack that prevents message delivery by sending garbage data.

Note that this only affects those who are using the stateful TransportState, not those using StatelessTransportState.

This has been patched in version 0.9.5, and all users are recommended to update.