This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate yubihsm

Dependencies

(22 total, 15 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 aes^0.30.8.4out of date
 bitflags^12.5.0out of date
 block-modes^0.30.9.1out of date
 chrono ⚠️^0.40.4.37maybe insecure
 cmac^0.20.7.2out of date
 getrandom^0.10.2.12out of date
 harp^0.1N/Aup to date
 hmac^0.70.12.1out of date
 log^0.40.4.21up to date
 pbkdf2^0.30.12.2out of date
 ring^0.160.17.8out of date
 rusb^0.50.9.3out of date
 secp256k1^0.170.28.2out of date
 serde^11.0.197up to date
 serde_json^11.0.115up to date
 sha2^0.80.10.8out of date
 signatory^0.170.27.1out of date
 signature^1.0.0-pre.12.2.0out of date
 subtle^22.5.0up to date
 tiny_http ⚠️^0.60.12.0out of date
 uuid^0.81.8.0out of date
 zeroize^11.7.0up to date

Dev dependencies

(5 total, 2 outdated)

CrateRequiredLatestStatus
 criterion^0.20.5.1out of date
 lazy_static^11.4.0up to date
 ring^0.160.17.8out of date
 signatory-ring^0.17N/Aup to date
 signatory-secp256k1^0.17N/Aup to date

Security Vulnerabilities

tiny_http: HTTP Request smuggling through malformed Transfer Encoding headers

RUSTSEC-2020-0031

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing.

It is possible conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending invalid Transfer Encoding headers.

By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References