Deps.rs

tiny_http 0.5.9

[![dependency status](https://deps.rs/crate/tiny_http/0.5.9/status.svg)](https://deps.rs/crate/tiny_http/0.5.9)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate tiny_http

Dependencies

(7 total, 6 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 ascii^0.71.1.0out of date
 chrono ⚠️^0.2.150.4.38out of date
 chunked_transfer^0.31.5.0out of date
 encoding^0.20.2.33up to date
 log^0.30.4.22out of date
 openssl ⚠️^0.70.10.66out of date
 url^0.22.5.2out of date

Dev dependencies

(2 total, 1 outdated, 1 insecure)

CrateRequiredLatestStatus
 rustc-serialize ⚠️^0.30.3.25insecure
 sha1^0.2.00.10.6out of date

Security Vulnerabilities

openssl: SSL/TLS MitM vulnerability due to insecure defaults

RUSTSEC-2016-0001

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification.

Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks.

The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

rustc-serialize: Stack overflow in rustc_serialize when parsing deeply nested JSON

RUSTSEC-2022-0004

When parsing JSON using json::Json::from_str, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability is

fn main() {
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}

serde is recommended as a replacement to rustc_serialize.

openssl: `openssl` `X509NameBuilder::build` returned object is not thread safe

RUSTSEC-2023-0022

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.

openssl: `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read

RUSTSEC-2023-0023

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.

openssl: `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference

RUSTSEC-2023-0024

These functions would crash when the context argument was None with certain extension types.

Thanks to David Benjamin (Google) for reporting this issue.

openssl: `openssl` `X509VerifyParamRef::set_host` buffer over-read

RUSTSEC-2023-0044

When this function was passed an empty string, openssl would attempt to call strlen on it, reading arbitrary memory until it reached a NUL byte.

openssl: `MemBio::get_buf` has undefined behavior with empty buffers

RUSTSEC-2024-0357

Previously, MemBio::get_buf called slice::from_raw_parts with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.