This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
solana-sdk (25 total, 16 outdated, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| assert_matches | ^1.3.0 | 1.5.0 | up to date |
| bincode | ^1.2.1 | 2.0.1 | out of date |
| bs58 | ^0.3.0 | 0.5.1 | out of date |
| byteorder | ^1.3.2 | 1.5.0 | up to date |
| ed25519-dalek ⚠️ | =1.0.0-pre.1 | 2.2.0 | out of date |
| generic-array ⚠️ | ^0.13.2 | 1.3.5 | out of date |
| hex | ^0.4.0 | 0.4.3 | up to date |
| hmac | ^0.7.0 | 0.12.1 | out of date |
| itertools | ^0.8.2 | 0.14.0 | out of date |
| log | ^0.4.8 | 0.4.29 | up to date |
| memmap | ^0.6.2 | 0.7.0 | out of date |
| num-derive | ^0.3 | 0.4.2 | out of date |
| num-traits | ^0.2 | 0.2.19 | up to date |
| pbkdf2 | ^0.3.0 | 0.12.2 | out of date |
| rand | ^0.6.5 | 0.9.2 | out of date |
| rand_chacha | ^0.1.1 | 0.9.0 | out of date |
| serde | ^1.0.104 | 1.0.228 | up to date |
| serde_bytes | ^0.11 | 0.11.19 | up to date |
| serde_derive | ^1.0.103 | 1.0.228 | up to date |
| serde_json | ^1.0.44 | 1.0.145 | up to date |
| sha2 | ^0.8.0 | 0.10.9 | out of date |
| solana-crate-features | ^0.22.8 | 1.8.16 | out of date |
| solana-logger | ^0.22.8 | 3.0.0 | out of date |
| solana-sdk-macro | ^0.22.8 | 3.0.0 | out of date |
| thiserror | ^1.0 | 2.0.17 | out of date |
(1 total, 1 outdated)
| Crate | Required | Latest | Status |
|---|---|---|---|
| tiny-bip39 | ^0.6.2 | 2.0.0 | out of date |
generic-array: arr! macro erases lifetimes

Affected versions of this crate allowed unsoundly extending
lifetimes using the arr! macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.

ed25519-dalek: Double Public Key Signing Function Oracle Attack on `ed25519-dalek`

Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S part of the signature,
but not in the R value. An adversary who can somehow use the signing function as
an oracle that accepts arbitrary public keys as input can obtain two signatures
for the same message that share the same R and differ only in the S part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.