This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate reqwest

Dependencies

(39 total, 16 outdated, 2 insecure)

CrateRequiredLatestStatus
 bytes^0.51.0.1out of date
 http^0.20.2.4up to date
 mime_guess^2.02.0.3up to date
 serde^1.01.0.127up to date
 serde_json^1.01.0.66up to date
 serde_urlencoded^0.70.7.0up to date
 url^2.22.2.2up to date
 async-compression^0.3.00.3.8up to date
 base64^0.130.13.0up to date
 cookie^0.140.15.1out of date
 cookie_store^0.120.15.0out of date
 encoding_rs^0.80.8.28up to date
 futures-core^0.3.00.3.16up to date
 futures-util^0.3.00.3.16up to date
 http-body^0.3.00.4.2out of date
 hyper^0.13.40.14.11insecure
 hyper-rustls^0.210.22.1out of date
 hyper-tls^0.40.5.0out of date
 ipnet^2.32.3.1up to date
 lazy_static^1.41.4.0up to date
 log^0.40.4.14up to date
 mime^0.3.70.3.16up to date
 native-tls^0.20.2.7up to date
 percent-encoding^2.12.1.0up to date
 pin-project-lite^0.2.00.2.7up to date
 rustls^0.180.19.1out of date
 rustls-native-certs^0.40.5.0out of date
 time^0.2.110.3.0insecure
 tokio^0.2.51.9.0out of date
 tokio-rustls^0.140.22.0out of date
 tokio-socks^0.30.5.1out of date
 tokio-tls^0.3.00.3.1up to date
 trust-dns-resolver^0.190.20.3out of date
 webpki-roots^0.200.22.0out of date
 js-sys^0.3.450.3.52up to date
 wasm-bindgen^0.2.680.2.75up to date
 wasm-bindgen-futures^0.4.180.4.25up to date
 web-sys^0.3.250.3.52up to date
 winreg^0.70.9.0out of date

Dev dependencies

(8 total, 3 outdated, 1 insecure)

CrateRequiredLatestStatus
 brotli^3.3.03.3.2up to date
 doc-comment^0.30.3.3up to date
 env_logger^0.70.9.0out of date
 hyper^0.130.14.11insecure
 libflate^1.01.1.0up to date
 serde^1.01.0.127up to date
 tokio^0.2.01.9.0out of date
 wasm-bindgen-test^0.30.3.25up to date

Security Vulnerabilities

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions.

The affected functions are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

Non-Unix targets are unaffected. This includes Windows and wasm.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in a the updated, unaffected code.

Workarounds

No workarounds are known.

References

#293

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".