Deps.rs

JaderDias / aws-activity-pub

[![dependency status](https://deps.rs/repo/github/JaderDias/aws-activity-pub/status.svg)](https://deps.rs/repo/github/JaderDias/aws-activity-pub)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate aws-activitypub

Dev dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 serde_json^1.0.931.0.140up to date
 time^0.30.3.40up to date
 tokio^1.271.44.1up to date

Crate library

Dependencies

(20 total, 7 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 aws-config^0.55.01.6.0out of date
 aws-sdk-dynamodb^0.251.69.0out of date
 base64^0.21.00.22.1out of date
 hex^0.4.30.4.3up to date
 http^0.2.91.3.1out of date
 openssl ⚠️^0.10.490.10.71maybe insecure
 rand^0.8.50.9.0out of date
 regex^1.7.11.11.1up to date
 serde_bytes^0.11.90.11.17up to date
 reqwest^0.11.140.12.15out of date
 rocket^0.5.0-rc.30.5.1up to date
 serde^1.0.1521.0.219up to date
 serde_dynamo^4.24.2.14up to date
 serde_json^1.0.931.0.140up to date
 time^0.30.3.40up to date
 tokio^1.271.44.1up to date
 tracing^0.1.370.1.41up to date
 tracing-appender^0.2.20.2.3up to date
 tracing-log^0.1.30.2.0out of date
 tracing-subscriber^0.3.160.3.19up to date

Security Vulnerabilities

openssl: ssl::select_next_proto use after free

RUSTSEC-2025-0004

In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});