Deps.rs

mongodb 3.4.1

[![dependency status](https://deps.rs/crate/mongodb/3.4.1/status.svg)](https://deps.rs/crate/mongodb/3.4.1)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate mongodb

Dependencies

(59 total, 4 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 aws-config^11.8.11up to date
 aws-credential-types^1.2.41.2.10up to date
 aws-sigv4^1.3.31.3.6up to date
 base64^0.220.22.1up to date
 bitflags^22.10.0up to date
 bson^3.0.03.1.0up to date
 chrono^0.4.320.4.42up to date
 cross-krb5^0.4.20.4.2up to date
 derive-where^1.2.71.6.0up to date
 derive_more^22.0.1up to date
 flate2^1.01.1.5up to date
 futures-core^0.3.140.3.31up to date
 futures-io^0.3.210.3.31up to date
 futures-util^0.3.140.3.31up to date
 hex^0.4.00.4.3up to date
 hickory-proto^0.250.25.2up to date
 hickory-resolver^0.250.25.2up to date
 hmac^0.12.10.12.1up to date
 http^1.31.3.1up to date
 log^0.4.170.4.28up to date
 macro_magic^0.5.10.6.0out of date
 md-5^0.10.10.10.6up to date
 mongocrypt^0.3.20.3.2up to date
 mongodb-internal-macros^3.4.13.4.1up to date
 num_cpus^1.13.11.17.0up to date
 openssl ⚠️^0.10.380.10.75maybe insecure
 openssl-probe^0.1.50.1.6up to date
 opentelemetry^0.31.00.31.0up to date
 pbkdf2^0.12.00.12.2up to date
 pem^3.0.43.0.6up to date
 percent-encoding^2.0.02.3.2up to date
 pkcs8^0.10.20.10.2up to date
 rand^0.90.9.2up to date
 rayon^1.5.31.11.0up to date
 reqwest^0.12.120.12.24up to date
 rustc_version_runtime^0.3.00.3.0up to date
 rustls^0.23.200.23.35up to date
 rustversion^1.0.201.0.22up to date
 serde^1.0.1251.0.228up to date
 serde_bytes^0.11.50.11.19up to date
 serde_with^3.8.13.16.0up to date
 sha1^0.10.00.10.6up to date
 sha2^0.10.20.10.9up to date
 snap^1.0.51.1.1up to date
 socket2^0.60.6.1up to date
 stringprep^0.1.20.1.5up to date
 strsim^0.11.10.11.1up to date
 take_mut^0.2.20.2.2up to date
 thiserror^22.0.17up to date
 tokio ⚠️^1.17.01.48.0maybe insecure
 tokio-openssl^0.6.30.6.5up to date
 tokio-rustls^0.260.26.4up to date
 tokio-util^0.7.00.7.17up to date
 tracing^0.1.360.1.41up to date
 typed-builder^0.22.00.23.2out of date
 uuid^1.1.21.18.1up to date
 webpki-roots^11.0.4up to date
 windows-sys^0.600.61.2out of date
 zstd^0.11.20.13.3out of date

Dev dependencies

(22 total, 2 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.01.0.100up to date
 approx^0.5.10.5.1up to date
 backtrace^0.3.680.3.76up to date
 bson^3.0.03.1.0up to date
 chrono^0.4.320.4.42up to date
 function_name^0.2.10.3.0out of date
 futures^0.30.3.31up to date
 hex^0.40.4.3up to date
 home^0.50.5.12up to date
 lambda_runtime^0.6.01.0.1out of date
 opentelemetry_sdk^0.31.00.31.0up to date
 pkcs8^0.10.20.10.2up to date
 pretty_assertions^1.3.01.4.1up to date
 regex^1.6.01.12.2up to date
 reqwest^0.12.20.12.24up to date
 semver^1.0.01.0.27up to date
 serde>=0.0.01.0.228up to date
 serde-hex^0.1.00.1.0up to date
 serde_json^1.0.641.0.145up to date
 serde_path_to_error^0.10.1.20up to date
 time^0.3.90.3.44up to date
 tokio ⚠️>=0.0.01.48.0maybe insecure

Security Vulnerabilities

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`

RUSTSEC-2025-0022

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.