This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate rocket

Dependencies

(30 total, 1 insecure)

Crate              Required   Latest    Status
serde_json         ^1.0.26    1.0.64    up to date
rmp-serde          ^0.15.0    0.15.5    up to date
uuid               ^0.8       0.8.2     up to date
futures            ^0.3.0     0.3.16    up to date
yansi              ^0.5       0.5.0     up to date
log                ^0.4       0.4.14    up to date
num_cpus           ^1.0       1.13.0    up to date
time               ^0.2.11    0.2.27    insecure
memchr             ^2         2.4.0     up to date
binascii           ^0.1       0.1.4     up to date
atty               ^0.2       0.2.14    up to date
ref-cast           ^1.0       1.0.6     up to date
atomic             ^0.5       0.5.0     up to date
parking_lot        ^0.11      0.11.1    up to date
ubyte              ^0.10      0.10.1    up to date
serde              ^1.0       1.0.126   up to date
figment            ^0.10.6    0.10.6    up to date
rand               ^0.8       0.8.4     up to date
either             ^1         1.6.1     up to date
pin-project-lite   ^0.2       0.2.7     up to date
indexmap           ^1.0       1.7.0     up to date
tempfile           ^3         3.2.0     up to date
async-trait        ^0.1.43    0.1.50    up to date
async-stream       ^0.3.2     0.3.2     up to date
multer             ^2         2.0.0     up to date
tokio-stream       ^0.1.6     0.1.7     up to date
state              ^0.5.1     0.5.2     up to date
tokio              ^1.6.1     1.9.0     up to date
tokio-util         ^0.6       0.6.7     up to date
bytes              ^1.0       1.0.1     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
figment            ^0.10      0.10.6    up to date
pretty_assertions  ^0.7       0.7.2     up to date

Build dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
yansi              ^0.5       0.5.0     up to date
version_check      ^0.9.1     0.9.3     up to date

Crate rocket_codegen

Dependencies

(7 total, all up-to-date)

Crate              Required   Latest    Status
indexmap           ^1.0       1.7.0     up to date
quote              ^1.0       1.0.9     up to date
syn                ^1.0.72    1.0.74    up to date
proc-macro2        ^1.0.27    1.0.28    up to date
devise             ^0.3       0.3.0     up to date
unicode-xid        ^0.2       0.2.2     up to date
glob               ^0.3       0.3.0     up to date

Dev dependencies

(4 total, 1 insecure)

Crate              Required   Latest    Status
pretty_assertions  ^0.7       0.7.2     up to date
version_check      ^0.9       0.9.3     up to date
trybuild           ^1.0       1.0.42    up to date
time               ^0.2.11    0.2.27    insecure

Crate rocket_http

Dependencies

(24 total, 2 insecure)

Crate              Required   Latest    Status
smallvec           ^1.0       1.6.1     insecure
percent-encoding   ^2         2.1.0     up to date
http               ^0.2       0.2.4     up to date
mime               ^0.3.13    0.3.16    up to date
time               ^0.2.11    0.2.27    insecure
indexmap           ^1.5.2     1.7.0     up to date
rustls             ^0.19      0.19.1    up to date
tokio-rustls       ^0.22.0    0.22.0    up to date
tokio              ^1.6.1     1.9.0     up to date
log                ^0.4       0.4.14    up to date
ref-cast           ^1.0       1.0.6     up to date
uncased            ^0.9.6     0.9.6     up to date
parking_lot        ^0.11      0.11.1    up to date
either             ^1         1.6.1     up to date
pear               ^0.2.3     0.2.3     up to date
pin-project-lite   ^0.2       0.2.7     up to date
memchr             ^2         2.4.0     up to date
stable-pattern     ^0.1       0.1.0     up to date
cookie             ^0.15      0.15.1    up to date
state              ^0.5.1     0.5.2     up to date
x509-parser        ^0.9.2     0.9.2     up to date
hyper              ^0.14.9    0.14.11   up to date
serde              ^1.0       1.0.126   up to date
uuid               ^0.8       0.8.2     up to date

Crate rocket_db_pools_codegen

Dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
devise             ^0.3       0.3.0     up to date
quote              ^1         1.0.9     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
trybuild           ^1.0       1.0.42    up to date
version_check      ^0.9       0.9.3     up to date

Crate rocket_db_pools

Dependencies

(5 total, all up-to-date)

Crate              Required   Latest    Status
deadpool           ^0.8       0.8.2     up to date
deadpool-postgres  ^0.9       0.9.0     up to date
deadpool-redis     ^0.8.1     0.8.1     up to date
mongodb            ^1         1.2.2     up to date
sqlx               ^0.5       0.5.5     up to date

Build dependencies

(1 total, all up-to-date)

Crate              Required   Latest    Status
version_check      ^0.9       0.9.3     up to date

Crate rocket_sync_db_pools_codegen

Dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
quote              ^1.0       1.0.9     up to date
devise             ^0.3       0.3.0     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required   Latest    Status
version_check      ^0.9       0.9.3     up to date
trybuild           ^1.0       1.0.42    up to date

Crate rocket_sync_db_pools

Dependencies

(10 total, 1 insecure)

Crate              Required   Latest    Status
r2d2               ^0.8       0.8.9     up to date
tokio              ^1.6.1     1.9.0     up to date
serde              ^1.0       1.0.126   up to date
diesel             ^1.0       1.4.7     insecure
postgres           ^0.19      0.19.1    up to date
r2d2_postgres      ^0.18      0.18.0    up to date
rusqlite           ^0.25      0.25.3    up to date
r2d2_sqlite        ^0.18      0.18.0    up to date
memcache           ^0.15      0.15.0    up to date
r2d2-memcache      ^0.6       0.6.0     up to date

Crate rocket_dyn_templates

Dependencies

(5 total, 1 outdated)

Crate              Required   Latest    Status
glob               ^0.3       0.3.0     up to date
notify             ^4.0.6     4.0.17    up to date
normpath           ^0.3       0.3.0     up to date
tera               ^1.10.0    1.12.1    up to date
handlebars         ^3.0       4.1.0     out of date

Crate rocket_guide_tests

Dev dependencies

(4 total, 1 insecure)

Crate              Required   Latest    Status
serde              ^1.0       1.0.126   up to date
rand               ^0.8       0.8.4     up to date
figment            ^0.10      0.10.6    up to date
time               ^0.2       0.2.27    insecure
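The tables above show what deps.rs resolved from the crates' requirement ranges; what actually ships is whatever Cargo.lock pins. The following is an added example, not code from the deps.rs page or the Rocket project: a minimal Cargo.lock checker that flags locked versions an advisory leaves unpatched. The lockfile text is constructed for the example, and the only advisory data encoded is the smallvec range stated in RUSTSEC-2021-0003 below (fixed in 0.6.14 and 1.6.1); ranges for the time and diesel advisories are not given on this page and would come from the RustSec advisory database, which is what `cargo audit` consults.

```rust
// Added example: check locked crate versions against advisory patched ranges.
// SAMPLE_LOCK is constructed; the smallvec ranges are those of RUSTSEC-2021-0003.
const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "rocket_http"
version = "0.5.0-rc.1"
dependencies = [
 "smallvec",
]

[[package]]
name = "smallvec"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smallvec"
version = "0.6.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

type Version = (u64, u64, u64);

/// Parse "MAJOR.MINOR.PATCH". A pre-release suffix such as "-rc.1" is dropped,
/// so pre-release ordering is deliberately not modelled here.
fn parse_version(s: &str) -> Option<Version> {
    let core = s.split('-').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// One `[[package]]` table of a Cargo.lock, reduced to the two keys we need.
#[derive(Debug, Clone, PartialEq)]
struct Package {
    name: String,
    version: String,
}

/// Read every `[[package]]` table; `source`, `checksum` and `dependencies` are ignored.
fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    let mut in_package = false;
    let unquote = |v: &str| v.trim().trim_matches('"').to_string();
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with("[[") {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push(Package { name: n, version: v });
            }
            in_package = line == "[[package]]";
        } else if in_package {
            if let Some(v) = line.strip_prefix("name = ") {
                name = Some(unquote(v));
            } else if let Some(v) = line.strip_prefix("version = ") {
                version = Some(unquote(v));
            }
        }
    }
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        packages.push(Package { name: n, version: v });
    }
    packages
}

/// A patched range: versions >= `min` and, when `max` is given, < `max` are fixed.
struct Range { min: &'static str, max: Option<&'static str> }

struct Advisory { id: &'static str, krate: &'static str, patched: &'static [Range] }

/// RUSTSEC-2021-0003: fixed in 0.6.14 on the 0.6 line and in 1.6.1 on the 1.x line.
const ADVISORIES: &[Advisory] = &[Advisory {
    id: "RUSTSEC-2021-0003",
    krate: "smallvec",
    patched: &[
        Range { min: "0.6.14", max: Some("1.0.0") },
        Range { min: "1.6.1", max: None },
    ],
}];

fn in_range(v: Version, r: &Range) -> bool {
    let min = parse_version(r.min).expect("advisory range is well-formed");
    let below_max = match r.max {
        Some(m) => v < parse_version(m).expect("advisory range is well-formed"),
        None => true,
    };
    v >= min && below_max
}

/// One finding per locked package whose version lies outside every patched
/// range of an advisory for that crate. "Unaffected" ranges are not modelled.
fn check_lock(lock_text: &str) -> Vec<String> {
    let mut findings = Vec::new();
    for pkg in parse_lock(lock_text) {
        let v = match parse_version(&pkg.version) {
            Some(v) => v,
            None => continue,
        };
        for adv in ADVISORIES {
            if adv.krate == pkg.name && !adv.patched.iter().any(|r| in_range(v, r)) {
                findings.push(format!("{} {}: {}", pkg.name, pkg.version, adv.id));
            }
        }
    }
    findings
}

fn main() {
    for finding in check_lock(SAMPLE_LOCK) {
        println!("VULNERABLE {finding}");
    }
}
```

Run against the constructed lockfile it reports only `smallvec 1.6.0`; the second smallvec entry, 0.6.14, sits inside the first patched range and the pre-release rocket_http entry has no advisory. Because Cargo permits several versions of one crate in a single lock, checking by name alone is not enough: each `[[package]]` entry has to be compared on its own, which is why the parser keeps duplicates.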

Security Vulnerabilities

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

On Unix-like operating systems the crate can dereference a dangling pointer and segfault. Triggering it requires that one thread set any environment variable while another thread is inside one of the affected functions.

The affected functions are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

Non-Unix targets are unaffected. This includes Windows and wasm.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should run cargo update, which will pull in the updated, unaffected code.

Workarounds

No workarounds are known.

References

#293

smallvec: Buffer overflow in SmallVec::insert_many

RUSTSEC-2021-0003

A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.

This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.

The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.

Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.
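The contract this advisory turns on is that size_hint is supplied by arbitrary safe code and may be wrong in either direction, so unsafe container code may use its lower bound to pre-reserve but never to decide how many writes are in bounds. The following is an added example, not smallvec's code: UnderReports is a constructed iterator that advertises a lower bound of 0 and yields three items; insert_many_trusting_hint mirrors the flawed shape on a bounds-checked buffer so the overrun is reported instead of corrupting the heap, and insert_many shows the per-item growth the fix adopted.

```rust
// Added example, not smallvec's code: why size_hint cannot bound unsafe writes.

/// Constructed iterator: yields `remaining` items but advertises a lower bound
/// of 0, which the Iterator contract allows.
struct UnderReports { remaining: usize }
impl Iterator for UnderReports {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.remaining == 0 { return None; }
        self.remaining -= 1;
        Some(self.remaining as u32)
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (0, None) }
}

/// Flawed shape: size the destination once from the hint, then write by index.
/// In smallvec's unsafe implementation the write past the end was a heap
/// overflow; here a bounds check turns it into an Err so it can be observed.
fn insert_many_trusting_hint<I: Iterator<Item = u32>>(
    v: &[u32], index: usize, iter: I,
) -> Result<Vec<u32>, &'static str> {
    let (lower, _) = iter.size_hint();
    let tail = v.len() - index;
    let mut buf = vec![0u32; v.len() + lower]; // capacity decided from the hint alone
    buf[..index].copy_from_slice(&v[..index]);
    let mut pos = index;
    for item in iter {
        if pos + tail >= buf.len() {
            return Err("write past the reserved buffer");
        }
        buf[pos] = item;
        pos += 1;
    }
    if buf.len() - pos != tail {
        return Err("hint over-reported; buffer left partly unwritten");
    }
    buf[pos..].copy_from_slice(&v[index..]);
    Ok(buf)
}

/// Fixed shape: the hint only pre-reserves; every item goes through `push`,
/// which re-checks capacity, so a wrong hint costs a reallocation at worst.
/// Returns the number of items actually inserted.
fn insert_many<T, I: IntoIterator<Item = T>>(v: &mut Vec<T>, index: usize, iter: I) -> usize {
    assert!(index <= v.len(), "insert_many: index out of bounds");
    let iter = iter.into_iter();
    v.reserve(iter.size_hint().0);
    let tail: Vec<T> = v.drain(index..).collect();
    let before = v.len();
    for item in iter {
        v.push(item);
    }
    let inserted = v.len() - before;
    v.extend(tail);
    inserted
}

fn main() {
    let base = vec![10u32, 20];
    println!("{:?}", insert_many_trusting_hint(&base, 1, UnderReports { remaining: 3 }));
    let mut v = base.clone();
    let n = insert_many(&mut v, 1, UnderReports { remaining: 3 });
    println!("inserted {n}: {v:?}");
}
```

With an honest iterator such as `vec![1, 2].into_iter()` both functions agree; with UnderReports the trusting version fails on the second item while the fixed version inserts all three. The same rule applies to any unsafe code that consumes a trait implementation it did not write: ExactSizeIterator and TrustedLen exist precisely because size_hint alone is not a soundness guarantee.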

diesel: Fix a use-after-free bug in diesel's SQLite backend

RUSTSEC-2021-0037

We misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we first retrieved all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointers and therefore the stored string slices.
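The ownership pattern the quoted SQLite rule demands, as an added example that is not diesel's code: Stmt is a constructed stand-in for a prepared statement whose column_name returns a borrow and whose first step re-prepares, replacing the name storage; query_by_name copies every name into an owned String before the first step. In safe Rust the borrow checker already refuses to keep a `&str` from column_name alive across `step(&mut self)`, which is exactly the protection that is lost once the names are held as raw pointers from a C API.

```rust
// Added example, not diesel's code: copy FFI-borrowed names before stepping.
use std::collections::HashMap;

/// Constructed stand-in for a prepared statement.
struct Stmt {
    names: Vec<String>,
    rows: Vec<Vec<i64>>,
    cursor: usize,
}

impl Stmt {
    fn column_count(&self) -> usize { self.names.len() }

    /// Borrowed, like sqlite3_column_name: valid only until the next
    /// step / re-prepare, never beyond it.
    fn column_name(&self, i: usize) -> &str { &self.names[i] }

    /// Advances one row. The first call re-prepares: the old name strings are
    /// freed and fresh allocations take their place, so a pointer taken
    /// earlier would now dangle. A borrow from column_name cannot outlive
    /// this call because it takes `&mut self`.
    fn step(&mut self) -> Option<&[i64]> {
        if self.cursor == 0 {
            self.names = self.names.clone(); // new buffers, old ones dropped
        }
        let row = self.rows.get(self.cursor)?;
        self.cursor += 1;
        Some(row)
    }
}

/// Safe shape: materialise owned copies of the names first, then step.
fn query_by_name(stmt: &mut Stmt) -> Vec<HashMap<String, i64>> {
    let names: Vec<String> = (0..stmt.column_count())
        .map(|i| stmt.column_name(i).to_owned())
        .collect();
    let mut out = Vec::new();
    while let Some(row) = stmt.step() {
        out.push(names.iter().cloned().zip(row.iter().copied()).collect());
    }
    out
}

fn main() {
    let mut stmt = Stmt {
        names: vec!["id".into(), "age".into()],
        rows: vec![vec![1, 30], vec![2, 41]],
        cursor: 0,
    };
    for row in query_by_name(&mut stmt) {
        println!("{row:?}");
    }
}
```

The cost of the copy is one allocation per column per statement, paid once before the first step; the alternative of re-reading the names after each step is also valid under the quoted rule, but storing the original slices across step is not.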