cube-js / rust-rocksdb

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `rocksdb`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
libc	`^0.2`	`0.2.154`	up to date
serde	`^1`	`1.0.200`	up to date

Dev dependencies

(5 total, all up-to-date)

Crate	Required	Latest	Status
trybuild	`^1.0`	`1.0.92`	up to date
tempfile	`^3.1`	`3.10.1`	up to date
pretty_assertions	`^1.0`	`1.4.0`	up to date
bincode	`^1.3`	`1.3.3`	up to date
serde	`^1`	`1.0.200`	up to date

Crate `librocksdb-sys`

Dependencies

(6 total, 1 possibly insecure)

Crate	Required	Latest	Status
libc	`^0.2`	`0.2.154`	up to date
tikv-jemalloc-sys	`^0.5`	`0.5.4+5.3.0-patched`	up to date
lz4-sys ⚠️	`^1.9`	`1.9.4`	maybe insecure
zstd-sys	`^2.0`	`2.0.10+zstd.1.5.6`	up to date
libz-sys	`^1.1`	`1.1.16`	up to date
bzip2-sys	`^0.1`	`0.1.11+1.0.8`	up to date

Dev dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
const-cstr	`^0.3`	`0.3.0`	up to date
uuid	`^1.0`	`1.8.0`	up to date

Build dependencies

(4 total, 1 outdated)

Crate	Required	Latest	Status
cc	`^1.0`	`1.0.96`	up to date
bindgen	`^0.64`	`0.69.4`	out of date
glob	`^0.3`	`0.3.1`	up to date
pkg-config	`^0.3`	`0.3.30`	up to date

Security Vulnerabilities

`lz4-sys`: Memory corruption in liblz4

RUSTSEC-2022-0051

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520.

Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write.

The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4.

cube-js / rust-rocksdb

Crate rocksdb

Dependencies

Dev dependencies

Crate librocksdb-sys

Dependencies

Dev dependencies

Build dependencies

Security Vulnerabilities

lz4-sys: Memory corruption in liblz4

Crate `rocksdb`

Crate `librocksdb-sys`

`lz4-sys`: Memory corruption in liblz4