This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate solicit

Dependencies

(3 total, 2 outdated, 1 insecure, 1 possibly insecure)

Crate        Required  Latest   Status
hpack ⚠️     ^0.2      0.3.0    insecure
log          ^0.3      0.4.27   out of date
openssl ⚠️   *         0.10.73  maybe insecure

Security Vulnerabilities

hpack: HPACK decoder panics on invalid input

RUSTSEC-2023-0085

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`

RUSTSEC-2025-0022

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.