This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate nexus-actor-utils-rs

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tokio-condvar^0.3.00.3.0up to date

Crate nexus-actor-core-rs

Dependencies

(33 total, 5 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 async-trait^0.1.800.1.83up to date
 backtrace^0.30.3.74up to date
 base64-string-rs^0.0.10.0.1up to date
 chrono ⚠️^0.40.4.38maybe insecure
 im^15.0.015.1.0up to date
 num_enum^0.7.20.7.3up to date
 once_cell^1.19.01.20.2up to date
 oni-comb-uri-rs^0.2.10.2.614up to date
 opentelemetry^0.25.00.27.0out of date
 opentelemetry-otlp^0.25.00.27.0out of date
 opentelemetry-stdout^0.25.00.27.0out of date
 opentelemetry_sdk^0.25.00.27.0out of date
 prost^0.13.00.13.3up to date
 prost-types^0.130.13.3up to date
 rand^0.9.0-alpha.20.8.5up to date
 regex^1.10.61.11.1up to date
 serde^1.01.0.215up to date
 serde_json^1.01.0.133up to date
 siphasher^1.0.11.0.1up to date
 static_assertions^1.1.01.1.0up to date
 strum^0.260.26.3up to date
 strum_macros^0.260.26.4up to date
 thiserror^1.0.612.0.3out of date
 time^0.3.360.3.36up to date
 tokio^1.37.01.41.1up to date
 tokio-condvar^0.3.00.3.0up to date
 tonic ⚠️^0.12.20.12.3maybe insecure
 tonic-types^0.12.20.12.3up to date
 tracing^0.10.1.40up to date
 tracing-futures^0.2.50.2.5up to date
 tracing-opentelemetry^0.28.00.28.0up to date
 tracing-subscriber^0.30.3.18up to date
 uuid^1.9.01.11.0up to date

Dev dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 clap^4.5.94.5.21up to date
 governor^0.7.00.7.0up to date
 humantime^2.12.1.0up to date
 rstest^0.23.00.23.0up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tonic-build^0.12.20.12.3up to date

Crate nexus-actor-message-derive-rs

Dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 proc-macro2^1.0.361.0.92up to date
 quote^1.0.361.0.37up to date
 syn^2.0.742.0.89up to date

Crate nexus-actor-remote-rs

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tracing-subscriber^0.30.3.18up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tonic-build^0.12.20.12.3up to date

Crate nexus-actor-cluster-rs

Dependencies

(9 total, 1 outdated)

CrateRequiredLatestStatus
 num_enum^0.7.20.7.3up to date
 once_cell^1.19.01.20.2up to date
 prost^0.13.00.13.3up to date
 prost-types^0.130.13.3up to date
 thiserror^1.0.612.0.3out of date
 tokio^1.37.01.41.1up to date
 tonic^0.12.30.12.3up to date
 tonic-types^0.12.30.12.3up to date
 tracing^0.10.1.40up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tracing-subscriber^0.30.3.18up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tonic-build^0.12.20.12.3up to date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

tonic: Remotely exploitable Denial of Service in Tonic

RUSTSEC-2024-0376

Impact

When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a tcp/tls stream. This can be triggered via causing the accept call to error out with errors there were not covered correctly causing the accept loop to exit.

More information can be found here

Patches

Upgrading to tonic 0.12.3 and above contains the fix.

Workarounds

A custom accept loop is a possible workaround.