This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
ontprox(23 total, 4 outdated, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| axum | ^0.7 | 0.8.1 | out of date |
| axum-extra | ^0.9 | 0.10.0 | out of date |
| clap | ^4.5 | 4.5.29 | up to date |
| cli_utils_hoijui | ^0.9 | 0.9.2 | up to date |
| const_format | ^0.2 | 0.2.34 | up to date |
| dirs | ^5.0 | 6.0.0 | out of date |
| futures | ^0.3 | 0.3.31 | up to date |
| git-version | ^0.3 | 0.3.9 | up to date |
| mediatype | ^0.19 | 0.19.18 | up to date |
| once_cell | ^1.19 | 1.20.3 | up to date |
| openssl ⚠️ | =0.10.64 | 0.10.71 | out of date |
| rdfoothills-base | ^0.5 | 0.5.1 | up to date |
| rdfoothills-conversion | ^0.5 | 0.5.1 | up to date |
| rdfoothills-mime | ^0.5 | 0.5.1 | up to date |
| reqwest | ^0.12 | 0.12.12 | up to date |
| serde | ^1.0 | 1.0.217 | up to date |
| thiserror | ^2.0 | 2.0.11 | up to date |
| tokio | ^1.38 | 1.43.0 | up to date |
| tokio-util | ^0.7 | 0.7.13 | up to date |
| tower-http | ^0.6 | 0.6.2 | up to date |
| tracing | ^0.1 | 0.1.41 | up to date |
| tracing-subscriber | ^0.3 | 0.3.19 | up to date |
| url | ^2.5 | 2.5.4 | up to date |
openssl: `MemBio::get_buf` has undefined behavior with empty buffersPreviously, MemBio::get_buf called slice::from_raw_parts with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.
openssl: ssl::select_next_proto use after freeIn openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.
openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.
In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:
Not vulnerable - the server buffer has a 'static lifetime:
builder.set_alpn_select_callback(|_, client_protos| {
ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});
Not vulnerable - the server buffer outlives the handshake:
let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});
Vulnerable - the server buffer is freed when the callback returns:
builder.set_alpn_select_callback(|_, client_protos| {
let server_protos = b"\x02h2".to_vec();
ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});