This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate reqwest

Dependencies

(40 total, 4 outdated, 3 insecure)

CrateRequiredLatestStatus
 bytes^1.01.0.1up to date
 http^0.20.2.4up to date
 mime_guess^2.02.0.3up to date
 serde^1.01.0.125up to date
 serde_json^1.01.0.64up to date
 serde_urlencoded^0.70.7.0up to date
 url^2.22.2.1up to date
 async-compression^0.3.70.3.8up to date
 base64^0.130.13.0up to date
 cookie^0.140.15.0out of date
 cookie_store^0.120.13.3out of date
 encoding_rs^0.80.8.28up to date
 futures-core^0.3.00.3.14up to date
 futures-util^0.3.00.3.14insecure
 http-body^0.4.00.4.1up to date
 hyper^0.140.14.7insecure
 hyper-rustls^0.22.10.22.1up to date
 hyper-tls^0.50.5.0up to date
 ipnet^2.32.3.0up to date
 lazy_static^1.41.4.0up to date
 log^0.40.4.14up to date
 mime^0.3.160.3.16up to date
 native-tls^0.2.70.2.7up to date
 percent-encoding^2.12.1.0up to date
 pin-project-lite^0.2.00.2.6up to date
 rustls^0.190.19.1up to date
 rustls-native-certs^0.50.5.0up to date
 time^0.2.110.2.26insecure
 tokio^1.01.5.0up to date
 tokio-native-tls^0.3.00.3.0up to date
 tokio-rustls^0.220.22.0up to date
 tokio-socks^0.5.10.5.1up to date
 tokio-util^0.6.00.6.6up to date
 trust-dns-resolver^0.200.20.2up to date
 webpki-roots^0.210.22.0out of date
 js-sys^0.3.450.3.50up to date
 wasm-bindgen^0.2.680.2.73up to date
 wasm-bindgen-futures^0.4.180.4.23up to date
 web-sys^0.3.250.3.50up to date
 winreg^0.70.8.0out of date

Dev dependencies

(8 total, 1 insecure)

CrateRequiredLatestStatus
 brotli^3.3.03.3.0up to date
 doc-comment^0.30.3.3up to date
 env_logger^0.80.8.3up to date
 hyper^0.140.14.7insecure
 libflate^1.01.1.0up to date
 serde^1.01.0.125up to date
 tokio^1.01.5.0up to date
 wasm-bindgen-test^0.30.3.23up to date

Security Vulnerabilities

futures-util: MutexGuard::map can cause a data race in safe code

RUSTSEC-2020-0059

Affected versions of the crate had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U.

This could of led to data races in safe Rust code when a closure used in MutexGuard::map() returns U that is unrelated to T.

The issue was fixed by fixing Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too.

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions.

The affected functions are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

Non-Unix targets are unaffected. This includes Windows and wasm.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in a the updated, unaffected code.

Workarounds

No workarounds are known.

References

#293

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".