This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate clickhouse-rs

Dependencies

(27 total, 5 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 byteorder^1.41.5.0up to date
 chrono-tz^0.80.10.0out of date
 crossbeam^0.80.8.4up to date
 thiserror^1.02.0.7out of date
 futures-core^0.30.3.31up to date
 futures-sink^0.30.3.31up to date
 hostname^0.30.4.0out of date
 lazy_static^1.4.01.5.0up to date
 lz4^1.241.28.0up to date
 pin-project^1.11.1.7up to date
 url^22.5.4up to date
 uuid^1.41.11.0up to date
 combine^4.64.6.7up to date
 percent-encoding^2.32.3.1up to date
 either^1.61.13.0up to date
 cfg-if^1.0.01.0.0up to date
 futures-util^0.30.3.31up to date
 tokio^1.321.42.0up to date
 async-std^1.61.13.0up to date
 log^0.4.80.4.22up to date
 native-tls^0.20.2.12up to date
 tokio-native-tls^0.30.3.1up to date
 rustls ⚠️^0.22.10.23.20out of date
 rustls-pemfile^2.02.2.0up to date
 tokio-rustls^0.25.00.26.1out of date
 webpki-roots*0.26.7up to date
 chrono ⚠️^0.40.4.39maybe insecure

Dev dependencies

(4 total, 1 outdated)

CrateRequiredLatestStatus
 env_logger^0.100.11.5out of date
 pretty_assertions^1.3.01.4.1up to date
 rand^0.80.8.5up to date
 tokio^1.321.42.0up to date

Crate clickhouse-rs-cityhash-sys

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 cc^1.0.281.2.4up to date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

rustls: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

RUSTSEC-2024-0336

If a close_notify alert is received during a handshake, complete_io does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io and are not affected.

rustls::Stream and rustls::StreamOwned types use complete_io and are affected.