This project might be open to known security vulnerabilities , which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom .
Crate lurk
Dependencies (33 total, 2 outdated)
Dev dependencies (9 total, all up-to-date)
Build dependencies (1 total, 1 outdated)
Crate Required Latest Status vergen ^8
9.0.1
out of date
Crate lurk-macros
Dependencies (3 total, 1 outdated)
Crate Required Latest Status proc-macro2 ^1.0.66
1.0.89
up to date quote ^1.0.31
1.0.37
up to date syn ^1.0.109
2.0.87
out of date
Crate lurk-metrics
Dependencies (1 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status regex ^1.9.4
1.11.1
up to date tracing-test ^0.2
0.2.5
up to date
Crate foil
Dependencies (2 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate chain-server
Dependencies (5 total, 2 outdated, 2 possibly insecure)
Build dependencies (1 total, all up-to-date)
Crate Required Latest Status tonic-build ^0.12
0.12.3
up to date
Security Vulnerabilities tokio
: reject_remote_clients Configuration corruptionRUSTSEC-2023-0001
On Windows, configuring a named pipe server with pipe_mode will force ServerOptions ::reject_remote_clients as false
.
This drops any intended explicit configuration for the reject_remote_clients that may have been set as true
previously.
The default setting of reject_remote_clients is normally true
meaning the default is also overridden as false
.
Workarounds
Ensure that pipe_mode is set first after initializing a ServerOptions . For example:
let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);
Patched
>=1.18.4, <1.19.0
>=1.20.3, <1.21.0
>=1.23.1
tonic
: Remotely exploitable Denial of Service in TonicRUSTSEC-2024-0376
Impact
When using tonic::transport::Server
there is a remote DoS attack that can cause the server to exit cleanly on accepting a tcp/tls stream. This can be triggered via causing the accept call to error out with errors there were not covered correctly causing the accept loop to exit.
More information can be found here
Patches
Upgrading to tonic 0.12.3
and above contains the fix.
Workarounds
A custom accept loop is a possible workaround.