This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate gotham

Dependencies

(26 total, all up-to-date)

Crate | Required | Latest | Status
log | ^0.4 | 0.4.14 | up to date
hyper | ^0.14.3 | 0.14.7 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date
bincode | ^1.0 | 1.3.3 | up to date
mime | ^0.3.15 | 0.3.16 | up to date
mime_guess | ^2.0.1 | 2.0.3 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
tokio | ^1.0 | 1.5.0 | up to date
bytes | ^1.0 | 1.0.1 | up to date
percent-encoding | ^2.1 | 2.1.0 | up to date
pin-project | ^1.0.0 | 1.0.7 | up to date
uuid | ^0.8 | 0.8.2 | up to date
chrono | ^0.4 | 0.4.19 | up to date
base64 | ^0.13 | 0.13.0 | up to date
rand | ^0.8 | 0.8.3 | up to date
rand_chacha | ^0.3 | 0.3.0 | up to date
linked-hash-map | ^0.5.3 | 0.5.4 | up to date
num_cpus | ^1.8 | 1.13.0 | up to date
regex | ^1.0 | 1.5.3 | up to date
cookie | ^0.15 | 0.15.0 | up to date
http | ^0.2 | 0.2.4 | up to date
httpdate | ^1.0 | 1.0.0 | up to date
itertools | ^0.10.0 | 0.10.0 | up to date
anyhow | ^1.0 | 1.0.40 | up to date
tokio-rustls | ^0.22 | 0.22.0 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
thiserror | ^1.0 | 1.0.24 | up to date

Crate gotham_derive

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
syn | ^1.0 | 1.0.72 | up to date
quote | ^1.0 | 1.0.9 | up to date

Crate borrow-bag

No external dependencies! 🙌

Crate middleware-template

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
log | ^0.4 | 0.4.14 | up to date
futures | ^0.3.1 | 0.3.14 | up to date

Crate gotham_middleware_diesel

Dependencies

(5 total, 1 insecure)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
diesel | ^1.4 | 1.4.6 | insecure
r2d2 | ^0.8 | 0.8.9 | up to date
tokio | ^1.0 | 1.5.0 | up to date
log | ^0.4 | 0.4.14 | up to date

Dev dependencies

(2 total, 1 insecure)

Crate | Required | Latest | Status
diesel | ^1 | 1.4.6 | insecure
mime | ^0.3.15 | 0.3.16 | up to date

Crate gotham_middleware_jwt

Dependencies

(5 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date
jsonwebtoken | ^7.0 | 7.2.0 | up to date
log | ^0.4 | 0.4.14 | up to date

Crate gotham_examples_hello_world

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_hello_world_tls

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_hello_world_until

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
tokio | ^1.0 | 1.5.0 | up to date
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_shared_state

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_templating_tera

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
tera | ^1.5 | 1.8.0 | up to date
lazy_static | ^1.0 | 1.4.0 | up to date

Crate gotham_examples_templating_askama

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
askama | ^0.10.3 | 0.10.5 | up to date
mime | ^0.3.12 | 0.3.16 | up to date

Crate gotham_examples_routing_introduction

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_routing_http_verbs

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_routing_scopes

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_routing_associations

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_path_introduction

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date

Crate gotham_examples_path_globs

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date

Crate gotham_examples_path_regex

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date

Crate gotham_examples_query_string_introduction

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date
serde_json | ^1 | 1.0.64 | up to date

Crate gotham_examples_cookies_introduction

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
cookie | ^0.15 | 0.15.0 | up to date

Crate gotham_examples_session_introduction

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
cookie | ^0.15 | 0.15.0 | up to date

Crate gotham_examples_session_custom_data_type

Dependencies

(5 total, 1 insecure)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date
time | ^0.2 | 0.2.26 | insecure
cookie | ^0.15 | 0.15.0 | up to date

Crate gotham_examples_headers_setting

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_middleware_introduction

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_middleware_multiple_pipelines

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
mime | ^0.3 | 0.3.16 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date

Crate gotham_examples_into_response_introduction

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date
serde_json | ^1 | 1.0.64 | up to date

Crate gotham_examples_handlers_request_data

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date

Crate gotham_examples_handlers_stateful

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_handlers_simple_async_handlers

Dependencies

(5 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date
tokio | ^1.0 | 1.5.0 | up to date

Crate gotham_examples_handlers_simple_async_handlers_await

Dependencies

(5 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date
tokio | ^1.0 | 1.5.0 | up to date

Crate gotham_examples_handlers_async_handlers

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
serde | ^1 | 1.0.125 | up to date
serde_derive | ^1 | 1.0.125 | up to date

Crate gotham_examples_handlers_form_urlencoded

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
url | ^2.1 | 2.2.1 | up to date

Crate gotham_examples_handlers_multipart

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date
futures | ^0.3.1 | 0.3.14 | up to date
multipart | ^0.17 | 0.17.1 | up to date

Crate gotham_examples_static_assets_introduction

No external dependencies! 🙌

Crate gotham_diesel_example

Dependencies

(10 total, 1 insecure)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
mime | ^0.3 | 0.3.16 | up to date
log | ^0.4 | 0.4.14 | up to date
diesel | ^1.4 | 1.4.6 | insecure
diesel_migrations | ^1.4 | 1.4.0 | up to date
r2d2 | ^0.8 | 0.8.9 | up to date
r2d2-diesel | ^1.0 | 1.0.0 | up to date
serde | ^1.0 | 1.0.125 | up to date
serde_json | ^1.0 | 1.0.64 | up to date
serde_derive | ^1.0 | 1.0.125 | up to date

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
diesel_migrations | ^1.4.0 | 1.4.0 | up to date
tokio | ^1.0 | 1.5.0 | up to date

Crate gotham_examples_functionality_name

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate websocket

Dependencies

(6 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3.1 | 0.3.14 | up to date
tokio-tungstenite | ^0.14 | 0.14.0 | up to date
tokio | ^1.0 | 1.5.0 | up to date
pretty_env_logger | ^0.4 | 0.4.0 | up to date
sha1 | ^0.6 | 0.6.0 | up to date
base64 | ^0.13 | 0.13.0 | up to date

Crate gotham_examples_finalizer

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mime | ^0.3 | 0.3.16 | up to date

Crate gotham_examples_custom_service

Dependencies

(5 total, 1 insecure)

Crate | Required | Latest | Status
anyhow | ^1.0 | 1.0.40 | up to date
futures | ^0.3 | 0.3.14 | up to date
http | ^0.2 | 0.2.4 | up to date
hyper | ^0.14 | 0.14.7 | insecure
tokio | ^1.0 | 1.5.0 | up to date

Security Vulnerabilities

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions.

The affected functions are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

Non-Unix targets are unaffected. This includes Windows and wasm.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Workarounds

No workarounds are known.

References

#293

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly understood some requests with multiple transfer-encoding headers to have a chunked payload, when they should have been rejected as illegal. This, combined with an upstream HTTP proxy that understands the request payload boundary differently, can result in "request smuggling" or "desync attacks".

diesel: Fix a use-after-free bug in diesels Sqlite backend

RUSTSEC-2021-0037

We've misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointer and therefore the stored string slice.