Deps.rs

mikelodder7 / unknown_order

[![dependency status](https://deps.rs/repo/github/mikelodder7/unknown_order/status.svg)](https://deps.rs/repo/github/mikelodder7/unknown_order)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate unknown_order

Dependencies

(18 total, 4 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 crypto-bigint^0.50.6.1out of date
 crypto-primes^0.50.6.2out of date
 digest^0.100.10.7up to date
 getrandom^0.20.3.1out of date
 glass_pumpkin^1.71.7.0up to date
 hex^0.40.4.3up to date
 multibase^0.90.9.1up to date
 num-bigint^0.40.4.6up to date
 num-integer^0.10.1.46up to date
 num-traits^0.20.2.19up to date
 openssl ⚠️^0.10.640.10.71maybe insecure
 rand^0.80.9.0out of date
 rug^1.241.27.0up to date
 serde^1.01.0.219up to date
 subtle^2.52.6.1up to date
 wasm-bindgen^0.20.2.100up to date
 zeroize^11.8.1up to date
 serde-wasm-bindgen^0.60.6.5up to date

Dev dependencies

(4 total, 1 outdated)

CrateRequiredLatestStatus
 blake2^0.100.10.6up to date
 multibase^0.90.9.1up to date
 serde_json^1.01.0.140up to date
 bincode^1.32.0.1out of date

Security Vulnerabilities

openssl: ssl::select_next_proto use after free

RUSTSEC-2025-0004

In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});