This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate rocket

Dependencies

(19 total, 1 outdated, 1 insecure)

Crate              Required          Latest    Status
futures            ^0.3.0            0.3.13    up to date
yansi              ^0.5              0.5.0     up to date
log                ^0.4              0.4.14    up to date
num_cpus           ^1.0              1.13.0    up to date
state              ^0.4.1            0.4.2     up to date
time               ^0.2.11           0.2.25    insecure
memchr             ^2                2.3.4     up to date
binascii           ^0.1              0.1.4     up to date
atty               ^0.2              0.2.14    up to date
async-trait        ^0.1              0.1.42    up to date
ref-cast           ^1.0              1.0.6     up to date
atomic             ^0.5              0.5.0     up to date
parking_lot        ^0.11             0.11.1    up to date
ubyte              ^0.10             0.10.1    up to date
serde              ^1.0              1.0.123   up to date
figment            ^0.10.2           0.10.3    up to date
rand               ^0.7              0.8.3     out of date
either             ^1                1.6.1     up to date
tokio              ^1.0              1.2.0     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
bencher            ^0.1              0.1.5     up to date
figment            ^0.10             0.10.3    up to date

Build dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
yansi              ^0.5              0.5.0     up to date
version_check      ^0.9.1            0.9.2     up to date

Crate rocket_codegen

Dependencies

(3 total, all up-to-date)

Crate              Required          Latest    Status
indexmap           ^1.0              1.6.1     up to date
quote              ^1.0              1.0.9     up to date
glob               ^0.3              0.3.0     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
version_check      ^0.9              0.9.2     up to date
trybuild           ^1.0              1.0.41    up to date

Crate rocket_http

Dependencies

(18 total, 3 insecure)

Crate              Required          Latest    Status
smallvec           ^1.0              1.6.1     insecure
percent-encoding   ^2                2.1.0     up to date
hyper              ^0.14             0.14.4    insecure
http               ^0.2              0.2.3     up to date
mime               ^0.3.13           0.3.16    up to date
time               ^0.2.11           0.2.25    insecure
indexmap           ^1.5.2            1.6.1     up to date
state              ^0.4              0.4.2     up to date
tokio-rustls       ^0.22.0           0.22.0    up to date
tokio              ^1.0              1.2.0     up to date
unicode-xid        ^0.2              0.2.1     up to date
log                ^0.4              0.4.14    up to date
ref-cast           ^1.0              1.0.6     up to date
uncased            ^0.9              0.9.3     up to date
parking_lot        ^0.11             0.11.1    up to date
either             ^1                1.6.1     up to date
pear               ^0.2              0.2.0     up to date
pin-project-lite   ^0.2              0.2.4     up to date

Build dependencies

(1 total, all up-to-date)

Crate              Required          Latest    Status
version_check      ^0.9              0.9.2     up to date

Crate rocket_contrib

Dependencies

(24 total, 6 outdated, 1 insecure)

Crate              Required          Latest    Status
tokio              ^1.0              1.2.0     up to date
log                ^0.4              0.4.14    up to date
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0.26           1.0.62    up to date
rmp-serde          ^0.14.0           0.15.4    out of date
handlebars         ^3.0              3.5.3     up to date
glob               ^0.3              0.3.0     up to date
tera               ^1.0.2            1.6.1     up to date
notify             ^4.0.6            4.0.15    up to date
normpath           ^0.2              0.2.0     up to date
uuid               >=0.7.0, <0.9.0   0.8.2     up to date
diesel             ^1.0              1.4.5     up to date
postgres           ^0.17             0.19.0    out of date
r2d2               ^0.8              0.8.9     up to date
r2d2_postgres      ^0.16             0.18.0    out of date
mysql              ^18.0             20.1.0    out of date
r2d2_mysql         ^18.0             18.0.0    up to date
rusqlite           ^0.23             0.24.2    out of date
r2d2_sqlite        ^0.16             0.17.0    out of date
memcache           ^0.15             0.15.0    up to date
r2d2-memcache      ^0.6              0.6.0     up to date
time               ^0.2.9            0.2.25    insecure
brotli             ^3.3              3.3.0     up to date
flate2             ^1.0              1.0.20    up to date

Crate rocket_contrib_codegen

Dependencies

(1 total, all up-to-date)

Crate              Required          Latest    Status
quote              ^1.0              1.0.9     up to date

Dev dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
trybuild           ^1.0              1.0.41    up to date
version_check      ^0.9              0.9.2     up to date

Crate rocket_guide_tests

Dev dependencies

(4 total, 1 outdated)

Crate              Required          Latest    Status
doc-comment        ^0.3              0.3.3     up to date
serde              ^1.0              1.0.123   up to date
rand               ^0.7              0.8.3     out of date
figment            ^0.10             0.10.3    up to date

Crate cookies

No external dependencies! 🙌

Crate errors

No external dependencies! 🙌

Crate form_validation

No external dependencies! 🙌

Crate hello_person

No external dependencies! 🙌

Crate query_params

No external dependencies! 🙌

Crate hello_world

No external dependencies! 🙌

Crate manual_routes

No external dependencies! 🙌

Crate optional_redirect

No external dependencies! 🙌

Crate redirect

No external dependencies! 🙌

Crate static_files

No external dependencies! 🙌

Crate todo

Dependencies

(5 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0              1.0.62    up to date
diesel             ^1.3              1.4.5     up to date
diesel_migrations  ^1.3              1.4.0     up to date
log                ^0.4              0.4.14    up to date

Dev dependencies

(2 total, 1 outdated)

Crate              Required          Latest    Status
parking_lot        ^0.11             0.11.1    up to date
rand               ^0.7              0.8.3     out of date

Crate content_types

Dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0              1.0.62    up to date

Crate ranking

No external dependencies! 🙌

Crate testing

No external dependencies! 🙌

Crate request_local_state

No external dependencies! 🙌

Crate request_guard

No external dependencies! 🙌

Crate stream

No external dependencies! 🙌

Crate json

Dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0              1.0.62    up to date

Crate msgpack

Dependencies

(1 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date

Crate handlebars_templates

Dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0              1.0.62    up to date

Crate tera_templates

Dependencies

(2 total, all up-to-date)

Crate              Required          Latest    Status
serde              ^1.0              1.0.123   up to date
serde_json         ^1.0              1.0.62    up to date

Crate form_kitchen_sink

No external dependencies! 🙌

Crate config

No external dependencies! 🙌

Crate raw_upload

No external dependencies! 🙌

Crate pastebin

Dependencies

(1 total, 1 outdated)

Crate              Required          Latest    Status
rand               ^0.7              0.8.3     out of date

Crate state

No external dependencies! 🙌

Crate managed_queue

Dependencies

(1 total, 1 outdated)

Crate              Required          Latest    Status
crossbeam          ^0.7              0.8.0     out of date

Crate uuid

No external dependencies! 🙌

Crate session

No external dependencies! 🙌

Crate raw_sqlite

Dependencies

(1 total, 1 outdated)

Crate              Required          Latest    Status
rusqlite           ^0.23             0.24.2    out of date

Crate tls

No external dependencies! 🙌

Crate fairings

No external dependencies! 🙌

Crate hello_2018

No external dependencies! 🙌

Security Vulnerabilities

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread from the one calling the affected functions.

The affected functions are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

Non-Unix targets are unaffected. This includes Windows and wasm.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Workarounds

No workarounds are known.

References

#293

smallvec: Buffer overflow in SmallVec::insert_many

RUSTSEC-2021-0003

A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.

This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.

The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.

Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly treated some requests with multiple Transfer-Encoding headers as having a chunked payload, when such requests should have been rejected as illegal. Combined with an upstream HTTP proxy that interprets the request payload boundary differently, this can result in "request smuggling" or "desync attacks".