This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
ontprox(22 total, 2 outdated, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| axum | ^0.8 | 0.8.4 | up to date |
| axum-extra | ^0.10 | 0.10.1 | up to date |
| clap | ^4.5 | 4.5.40 | up to date |
| cli_utils_hoijui | ^0.10 | 0.10.0 | up to date |
| const_format | ^0.2 | 0.2.34 | up to date |
| dirs | ^6.0 | 6.0.0 | up to date |
| futures | ^0.3 | 0.3.31 | up to date |
| git-version | ^0.3 | 0.3.9 | up to date |
| mediatype | ^0.19 | 0.20.0 | out of date |
| openssl ⚠️ | =0.10.64 | 0.10.73 | out of date |
| rdfoothills-base | ^0.6 | 0.6.0 | up to date |
| rdfoothills-conversion | ^0.6 | 0.6.0 | up to date |
| rdfoothills-mime | ^0.6 | 0.6.0 | up to date |
| reqwest | ^0.12 | 0.12.22 | up to date |
| serde | ^1.0 | 1.0.219 | up to date |
| thiserror | ^2.0 | 2.0.12 | up to date |
| tokio | ^1.45 | 1.46.1 | up to date |
| tokio-util | ^0.7 | 0.7.15 | up to date |
| tower-http | ^0.6 | 0.6.6 | up to date |
| tracing | ^0.1 | 0.1.41 | up to date |
| tracing-subscriber | ^0.3 | 0.3.19 | up to date |
| url | ^2.5 | 2.5.4 | up to date |
openssl: `MemBio::get_buf` has undefined behavior with empty buffersPreviously, MemBio::get_buf called slice::from_raw_parts with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.
openssl: ssl::select_next_proto use after freeIn openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.
openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.
In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:
Not vulnerable - the server buffer has a 'static lifetime:
builder.set_alpn_select_callback(|_, client_protos| {
ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});
Not vulnerable - the server buffer outlives the handshake:
let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});
Vulnerable - the server buffer is freed when the callback returns:
builder.set_alpn_select_callback(|_, client_protos| {
let server_protos = b"\x02h2".to_vec();
ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});
openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.
In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).
The maintainers thank quitbug for reporting this vulnerability to us.