This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate solana

Dependencies

(39 total, 27 outdated, 4 possibly insecure)

CrateRequiredLatestStatus
 bincode^1.1.21.3.3up to date
 bs58^0.2.00.5.1out of date
 byteorder^1.3.11.5.0up to date
 chrono ⚠️^0.4.00.4.37maybe insecure
 hashbrown^0.1.80.14.3out of date
 indexmap^1.02.2.6out of date
 itertools^0.8.00.12.1out of date
 jsonrpc-core^10.1.018.0.0out of date
 jsonrpc-derive^10.1.018.0.0out of date
 jsonrpc-http-server^10.1.018.0.0out of date
 jsonrpc-pubsub^10.1.018.0.0out of date
 jsonrpc-ws-server^10.1.018.0.0out of date
 libc^0.2.500.2.153up to date
 log^0.4.20.4.21up to date
 memmap^0.7.00.7.0up to date
 nix^0.13.00.28.0out of date
 rand^0.6.50.8.5out of date
 rand_chacha^0.1.10.3.1out of date
 rayon^1.0.01.10.0up to date
 reqwest^0.9.110.12.2out of date
 ring^0.13.20.17.8out of date
 rocksdb ⚠️^0.11.00.22.0out of date
 serde^1.0.891.0.197up to date
 serde_derive^1.0.881.0.197up to date
 serde_json^1.0.391.0.115up to date
 solana-budget-api^0.12.00.20.5out of date
 solana-drone^0.12.0N/Aup to date
 solana-logger^0.12.01.18.8out of date
 solana-metrics^0.12.01.18.8out of date
 solana-netutil^0.12.00.20.5out of date
 solana-runtime^0.12.01.18.8out of date
 solana-sdk^0.12.01.18.8out of date
 solana-storage-api^0.12.00.20.5out of date
 solana-vote-api^0.12.00.20.5out of date
 solana-vote-signer^0.12.01.4.28out of date
 sys-info ⚠️^0.5.60.9.1out of date
 tokio ⚠️^0.11.36.0out of date
 tokio-codec^0.10.1.2up to date
 untrusted^0.6.20.9.0out of date

Dev dependencies

(4 total, 3 outdated)

CrateRequiredLatestStatus
 hex-literal^0.1.30.4.1out of date
 matches^0.1.60.1.10up to date
 solana-budget-program^0.12.01.7.0out of date
 solana-vote-program^0.12.01.18.8out of date

Security Vulnerabilities

sys-info: Double free when calling `sys_info::disk_info` from multiple threads

RUSTSEC-2020-0100

Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment.

This results in consistent double-frees and segfaults when calling sys_info::disk_info from multiple threads at once.

The issue was fixed by moving the global variable into a local scope.

Safer Alternatives:

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

tokio: Data race when sending and receiving after closing a `oneshot` channel

RUSTSEC-2021-0124

If a tokio::sync::oneshot channel is closed (via the oneshot::Receiver::close method), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used after the Receiver half has called close. Code where close is not used, or where the Receiver is not awaited and try_recv is not called after calling close, is not affected.

See tokio#4225 for more details.

rocksdb: Out-of-bounds read when opening multiple column families with TTL

RUSTSEC-2022-0046

Affected versions of this crate called the RocksDB C API rocksdb_open_column_families_with_ttl() with a pointer to a single integer TTL value, but one TTL value for each column family is expected.

This is only relevant when using rocksdb::DBWithThreadMode::open_cf_descriptors_with_ttl() with multiple column families.

This bug has been fixed in v0.19.0.