This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate webc

Dependencies

(27 total, 2 outdated, 1 possibly insecure)

Crate                Required   Latest    Status
anyhow               ^1.0       1.0.92    up to date
base64               ^0.22.0    0.22.1    up to date
bytes                ^1         1.8.0     up to date
cfg-if               ^1.0.0     1.0.0     up to date
ciborium             ^0.2.2     0.2.2     up to date
document-features    ^0.2.8     0.2.10    up to date
flate2               ^1         1.0.34    up to date
ignore               ^0.4.22    0.4.23    up to date
indexmap             ^1.9.2     2.6.0     out of date
leb128               ^0.2.1     0.2.5     up to date
lexical-sort         ^0.3.1     0.3.1     up to date
libc                 ^0.2.153   0.2.161   up to date
once_cell            ^1         1.20.2    up to date
path-clean           ^1.0       1.0.1     up to date
rand                 ^0.8.5     0.8.5     up to date
semver               ^1.0.18    1.0.23    up to date
sequoia-openpgp ⚠️   ^1.8.0     1.21.2    maybe insecure
serde                ^1         1.0.214   up to date
serde_json           ^1         1.0.132   up to date
sha2                 ^0.10.2    0.10.8    up to date
shared-buffer        ^0.1.2     0.1.4     up to date
tar                  ^0.4.39    0.4.43    up to date
tempfile             ^3.3.0     3.13.0    up to date
thiserror            ^1         1.0.68    up to date
toml                 ^0.8.13    0.8.19    up to date
url                  ^2.2.2     2.5.3     up to date
wasmer-config        ^0.8.0     0.10.0    out of date

Dev dependencies

(6 total, all up-to-date)

Crate                Required   Latest    Status
hexdump              ^0.1.1     0.1.2     up to date
insta                ^1         1.41.1    up to date
pretty_assertions    ^1.2.1     1.4.1     up to date
regex                ^1.9.1     1.11.1    up to date
tempfile             ^3.3.0     3.13.0    up to date
ureq                 ^2.7.1     2.10.1    up to date

Security Vulnerabilities

sequoia-openpgp: Low severity (DoS) vulnerability in sequoia-openpgp

RUSTSEC-2024-0345

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.

The fix introduces a new raw-cert-specific cert::raw::Error::UnsupportedCert.
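As an added illustration of the defect class described above (not sequoia-openpgp's own code; the record format, the `advance_on_unsupported` switch and the `scan` step budget are assumptions constructed for this example), a toy parser whose iteration must consume an unsupported record before reporting it, so that a caller's loop always makes progress:

```rust
// Added example, not sequoia-openpgp's own code: a toy raw-cert parser modelling the
// RUSTSEC-2024-0345 defect class. Constructed record format: [version][len][payload].
#[derive(Debug, PartialEq)]
pub enum Error { UnsupportedCert(u8), Truncated }

pub struct RawCertParser<'a> {
    data: &'a [u8],
    pos: usize,
    advance_on_unsupported: bool, // false reproduces the bug: the cursor stays put
}

impl<'a> RawCertParser<'a> {
    pub fn new(data: &'a [u8], advance_on_unsupported: bool) -> Self {
        Self { data, pos: 0, advance_on_unsupported }
    }

    /// Ok(payload) for a supported (version 4) record, Err otherwise, None at end of input.
    pub fn next_cert(&mut self) -> Option<Result<&'a [u8], Error>> {
        let data = self.data;
        if self.pos >= data.len() { return None; }
        let version = data[self.pos];
        let start = self.pos + 2;
        let end = match data.get(self.pos + 1) {
            Some(&len) if start + len as usize <= data.len() => start + len as usize,
            // Truncated record: drain the input so the caller's loop ends.
            _ => { self.pos = data.len(); return Some(Err(Error::Truncated)); }
        };
        if version != 4 {
            // The fix: consume the record before reporting it as unsupported.
            if self.advance_on_unsupported { self.pos = end; }
            return Some(Err(Error::UnsupportedCert(version)));
        }
        self.pos = end;
        Some(Ok(&data[start..end]))
    }
}

/// Drains the parser under a step budget that stands in for a hang detector.
/// Some((payloads, unsupported versions)) on completion, None if the budget ran out.
pub fn scan(data: &[u8], advance: bool, max_steps: usize) -> Option<(Vec<Vec<u8>>, Vec<u8>)> {
    let mut p = RawCertParser::new(data, advance);
    let (mut ok, mut bad) = (Vec::new(), Vec::new());
    for _ in 0..max_steps {
        match p.next_cert() {
            None => return Some((ok, bad)),
            Some(Ok(payload)) => ok.push(payload.to_vec()),
            Some(Err(Error::UnsupportedCert(v))) => bad.push(v),
            Some(Err(Error::Truncated)) => {}
        }
    }
    None // still spinning on the same offset: the RUSTSEC-2024-0345 behaviour
}
```

With `advance_on_unsupported` set to `false` the budget is exhausted on the first version-5 record, which is the infinite loop the advisory describes; with it set to `true` the stream is consumed and the unsupported version is reported.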

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.