actix / actix-net

Crate	Required	Latest	Status
bitflags	`^2`	`2.9.0`	up to date
bytes	`^1`	`1.10.0`	up to date
futures-core	`^0.3.7`	`0.3.31`	up to date
futures-sink	`^0.3.7`	`0.3.31`	up to date
memchr	`^2.3`	`2.7.4`	up to date
pin-project-lite	`^0.2`	`0.2.16`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date
tokio-util	`^0.7`	`0.7.13`	up to date
tracing	`^0.1.30`	`0.1.41`	up to date

Crate	Required	Latest	Status
criterion	`^0.5`	`0.5.1`	up to date
tokio-test	`^0.4.2`	`0.4.4`	up to date

Crate	Required	Latest	Status
quote	`^1`	`1.0.38`	up to date
syn	`^2`	`2.0.98`	up to date

Crate	Required	Latest	Status
actix-rt	`^2`	`2.10.0`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date
rustversion-msrv	`^0.100`	`0.100.0`	up to date
trybuild	`^1`	`1.0.103`	up to date

Crate	Required	Latest	Status
actix-macros	`^0.2.3`	`0.2.4`	up to date
futures-core	`^0.3`	`0.3.31`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date

Crate	Required	Latest	Status
tokio	`^1.23.1`	`1.43.0`	up to date

Crate	Required	Latest	Status
actix-rt	`^2.10`	`2.10.0`	up to date
actix-service	`^2`	`2.0.2`	up to date
actix-utils	`^3`	`3.0.1`	up to date
futures-core	`^0.3.17`	`0.3.31`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date
mio	`^1`	`1.0.3`	up to date
socket2	`^0.5`	`0.5.8`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date
tracing	`^0.1.30`	`0.1.41`	up to date

Crate	Required	Latest	Status
actix-codec	`^0.5`	`0.5.2`	up to date
actix-rt	`^2.8`	`2.10.0`	up to date
bytes	`^1`	`1.10.0`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date
pretty_env_logger	`^0.5`	`0.5.0`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date

Crate	Required	Latest	Status
futures-core	`^0.3.17`	`0.3.31`	up to date
paste	`^1`	`1.0.15`	up to date
pin-project-lite	`^0.2`	`0.2.16`	up to date

Crate	Required	Latest	Status
actix-rt	`^2`	`2.10.0`	up to date
actix-utils	`^3`	`3.0.1`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date

Crate	Required	Latest	Status
actix-rt	`^2.2`	`2.10.0`	up to date
actix-service	`^2`	`2.0.2`	up to date
actix-utils	`^3`	`3.0.1`	up to date
futures-core	`^0.3.7`	`0.3.31`	up to date
impl-more	`^0.1`	`0.1.9`	up to date
pin-project-lite	`^0.2.7`	`0.2.16`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date
tokio-util	`^0.7`	`0.7.13`	up to date
tracing	`^0.1.30`	`0.1.41`	up to date
http	`^1`	`1.2.0`	up to date
openssl ⚠️	`^0.10.55`	`0.10.71`	maybe insecure
tokio-openssl	`^0.6`	`0.6.5`	up to date
rustls-pki-types	`^1`	`1.11.0`	up to date
tokio-rustls	`^0.26`	`0.26.2`	up to date
webpki-roots	`^0.26`	`0.26.8`	up to date
rustls-native-certs	`^0.7`	`0.8.1`	out of date
tokio-native-tls	`^0.3`	`0.3.1`	up to date

Crate	Required	Latest	Status
actix-codec	`^0.5`	`0.5.2`	up to date
actix-rt	`^2.2`	`2.10.0`	up to date
actix-server	`^2`	`2.5.0`	up to date
bytes	`^1`	`1.10.0`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date
itertools	`^0.14`	`0.14.0`	up to date
pretty_env_logger	`^0.5`	`0.5.0`	up to date
rcgen	`^0.13`	`0.13.2`	up to date
rustls-pemfile	`^2`	`2.2.0`	up to date
tokio-rustls	`^0.26`	`0.26.2`	up to date
trust-dns-resolver	`^0.23`	`0.23.2`	up to date

Crate	Required	Latest	Status
actix-service	`^2`	`2.0.2`	up to date
actix-utils	`^3`	`3.0.1`	up to date
tracing	`^0.1.35`	`0.1.41`	up to date
tracing-futures	`^0.2`	`0.2.5`	up to date

Crate	Required	Latest	Status
actix-rt	`^2`	`2.10.0`	up to date
slab	`^0.4`	`0.4.9`	up to date

Crate	Required	Latest	Status
local-waker	`^0.1`	`0.1.4`	up to date
pin-project-lite	`^0.2`	`0.2.16`	up to date

Crate	Required	Latest	Status
actix-rt	`^2`	`2.10.0`	up to date
futures-util	`^0.3.17`	`0.3.31`	up to date
static_assertions	`^1.1`	`1.1.0`	up to date

Crate	Required	Latest	Status
bytes	`^1.2`	`1.10.0`	up to date
serde	`^1`	`1.0.218`	up to date

Crate	Required	Latest	Status
ahash	`^0.8`	`0.8.11`	up to date
serde_json	`^1`	`1.0.139`	up to date
static_assertions	`^1.1`	`1.1.0`	up to date

Crate	Required	Latest	Status
futures-core	`^0.3.17`	`0.3.31`	up to date
futures-sink	`^0.3.17`	`0.3.31`	up to date
local-waker	`^0.1`	`0.1.4`	up to date

Crate	Required	Latest	Status
futures-util	`^0.3.17`	`0.3.31`	up to date
tokio	`^1.23.1`	`1.43.0`	up to date

In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Deps.rs

actix / actix-net

Crate `actix-codec`

Dependencies

Dev dependencies

Crate `actix-macros`

Dependencies

Dev dependencies

Crate `actix-rt`

Dependencies

Dev dependencies

Crate `actix-server`

Dependencies

Dev dependencies

Crate `actix-service`

Dependencies

Dev dependencies

Crate `actix-tls`

Dependencies

Dev dependencies

Crate `actix-tracing`

Dependencies

Dev dependencies

Crate `actix-utils`

Dependencies

Dev dependencies

Crate `bytestring`

Dependencies

Dev dependencies

Crate `local-channel`

Dependencies

Dev dependencies

Crate `local-waker`

Security Vulnerabilities

`openssl`: ssl::select_next_proto use after free

actix / actix-net

Crate actix-codec

Dependencies

Dev dependencies

Crate actix-macros

Dependencies

Dev dependencies

Crate actix-rt

Dependencies

Dev dependencies

Crate actix-server

Dependencies

Dev dependencies

Crate actix-service

Dependencies

Dev dependencies

Crate actix-tls

Dependencies

Dev dependencies

Crate actix-tracing

Dependencies

Dev dependencies

Crate actix-utils

Dependencies

Dev dependencies

Crate bytestring

Dependencies

Dev dependencies

Crate local-channel

Dependencies

Dev dependencies

Crate local-waker

Security Vulnerabilities

openssl: ssl::select_next_proto use after free

Crate `actix-codec`

Crate `actix-macros`

Crate `actix-rt`

Crate `actix-server`

Crate `actix-service`

Crate `actix-tls`

Crate `actix-tracing`

Crate `actix-utils`

Crate `bytestring`

Crate `local-channel`

Crate `local-waker`

`openssl`: ssl::select_next_proto use after free