unionlabs / union

Crate	Required	Latest	Status
cw-multi-test	`=2.4`	`3.0.1`	out of date

Crate	Required	Latest	Status
hex-literal	`^1.0`	`1.0.0`	up to date

Crate	Required	Latest	Status
cliclack	`^0.2.5`	`0.3.6`	out of date
console	`^0.15.11`	`0.16.1`	out of date

Crate	Required	Latest	Status
hex-literal	`^0.4.1`	`1.0.0`	out of date
serde_json	`^1.0.140`	`1.0.145`	up to date
serde_path_to_error	`^0.1.17`	`0.1.20`	up to date

Crate	Required	Latest	Status
num-rational	`^0.4.2`	`0.4.2`	up to date
num-traits	`^0.2.19`	`0.2.19`	up to date

Crate	Required	Latest	Status
tracing-subscriber	`^0.3.19`	`0.3.20`	up to date

Crate	Required	Latest	Status
ark-bls12-381	`^0.4`	`0.5.0`	out of date
ark-serialize	`^0.4.2`	`0.5.0`	out of date
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
ark-bn254	`^0.4`	`0.5.0`	out of date
ark-ff	`^0.4.2`	`0.5.0`	out of date

Crate	Required	Latest	Status
ark-bls12-377	`^0.4`	`0.5.0`	out of date
ark-bn254	`^0.4`	`0.5.0`	out of date
ark-ff	`^0.4`	`0.5.0`	out of date

Crate	Required	Latest	Status
futures-util	`^0.3.31`	`0.3.31`	up to date

Crate	Required	Latest	Status
trybuild	`^1.0.105`	`1.0.112`	up to date

Crate	Required	Latest	Status
serde_json	`^1.0.140`	`1.0.145`	up to date

Crate	Required	Latest	Status
serde_json	`^1.0.140`	`1.0.145`	up to date
tracing-subscriber	`^0.3.19`	`0.3.20`	up to date

Crate	Required	Latest	Status
derivative	`^2.2.0`	`2.2.0`	up to date
smallvec	`^1.15.0`	`1.15.1`	up to date

Crate	Required	Latest	Status
serde_yaml	`^0.9.34`	`0.9.34+deprecated`	up to date
snap	`^1.1.1`	`1.1.1`	up to date

Crate	Required	Latest	Status
serde_yaml	`^0.9.34`	`0.9.34+deprecated`	up to date
snap	`^1.1.1`	`1.1.1`	up to date

Crate	Required	Latest	Status
serde_bytes	`^0.11.17`	`0.11.19`	up to date

Crate	Required	Latest	Status
rand	`^0.8.5`	`0.9.2`	out of date

Crate	Required	Latest	Status
serde_bytes	`^0.11.17`	`0.11.19`	up to date
uint	`^0.9.5`	`0.10.0`	out of date

Crate	Required	Latest	Status
ark-ff	`^0.4.2`	`0.5.0`	out of date
byteorder	`^1.5`	`1.5.0`	up to date
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
hash-db	`^0.16.0`	`0.16.0`	up to date
hash256-std-hasher	`^0.15.2`	`0.15.2`	up to date
memory-db	`^0.32.0`	`0.34.0`	out of date
trie-db	`^0.28`	`0.30.0`	out of date

Crate	Required	Latest	Status
blst	`^0.3.14`	`0.3.16`	up to date

Crate	Required	Latest	Status
blake2	`^0.10.6`	`0.10.6`	up to date
roaring	`^0.10.12`	`0.11.2`	out of date
serde_repr	`^0.1.20`	`0.1.20`	up to date

Crate	Required	Latest	Status
num-rational	`^0.4.2`	`0.4.2`	up to date
rand_chacha	`^0.3.1`	`0.9.0`	out of date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
ark-bls12-381	`^0.5.0`	`0.5.0`	up to date
ark-ec	`^0.5.0`	`0.5.0`	up to date
ark-serialize	`^0.5.0`	`0.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
blake2	`^0.10.6`	`0.10.6`	up to date
serde_repr	`^0.1.20`	`0.1.20`	up to date

Crate	Required	Latest	Status
bip39	`^2.1.0`	`2.2.0`	up to date
ed25519-compact	`^2.1.1`	`2.1.1`	up to date
tiny-hderive	`^0.3.0`	`0.3.0`	up to date

Crate	Required	Latest	Status
cargo-util-schemas	`^0.1.0`	`0.10.0`	out of date
cargo_metadata	`^0.18.1`	`0.23.0`	out of date
regex	`^1.11.3`	`1.12.2`	up to date

Crate	Required	Latest	Status
fs_extra	`^1.3.0`	`1.3.0`	up to date

Crate	Required	Latest	Status
tempfile	`^3.20.0`	`3.23.0`	up to date
tracing-test	`^0.2.5`	`0.2.5`	up to date

Crate	Required	Latest	Status
pin-utils	`^0.1.0`	`0.1.0`	up to date
prometheus	`^0.13.4`	`0.14.0`	out of date
serde_jsonc	`^1.0.108`	`1.0.108`	up to date
tikv-jemallocator	`^0.5`	`0.6.1`	out of date
tracing-futures	`^0.2.5`	`0.2.5`	up to date

Crate	Required	Latest	Status
enumorph	`^0.1.2`	`0.1.2`	up to date

Crate	Required	Latest	Status
indexmap	`^2.9.0`	`2.12.0`	up to date

Crate	Required	Latest	Status
derive_builder	`^0.20.2`	`0.20.2`	up to date
indexmap	`^2.9.0`	`2.12.0`	up to date
jaq-core	`^2.2.0`	`2.2.1`	up to date
jaq-json	`^1.1.2`	`1.1.3`	up to date
jaq-std	`^2.1.1`	`2.1.2`	up to date
pin-utils	`^0.1.0`	`0.1.0`	up to date

Crate	Required	Latest	Status
regex	`^1.11.1`	`1.12.2`	up to date

Crate	Required	Latest	Status
crc	`^3.3.0`	`3.3.0`	up to date

Crate	Required	Latest	Status
async-graphql	`^7.0.17`	`7.0.17`	up to date
async-graphql-axum	`^7.0.17`	`7.0.17`	up to date
async-sqlite	`^0.2.2`	`0.5.3`	out of date

Crate	Required	Latest	Status
arc-swap	`^1.7.1`	`1.7.1`	up to date

Crate	Required	Latest	Status
postgrest	`^1.6`	`1.6.0`	up to date

Crate	Required	Latest	Status
async-sqlite	`^0.2.2`	`0.5.3`	out of date
crossterm	`^0.27.0`	`0.29.0`	out of date
futures-util	`^0.3`	`0.3.31`	up to date
http-body-util	`^0.1`	`0.1.3`	up to date
httpdate	`^1.0`	`1.0.3`	up to date
hyper	`^1`	`1.7.0`	up to date
hyper-util	`^0.1`	`0.1.17`	up to date
pgp	`^0.13`	`0.17.0`	out of date
ratatui	`^0.27.0`	`0.29.0`	out of date
throbber-widgets-tui	`^0.6`	`0.9.0`	out of date

Crate	Required	Latest	Status
pgp	`^0.13`	`0.17.0`	out of date

Crate	Required	Latest	Status
num-traits	`^0.2.19`	`0.2.19`	up to date

Crate	Required	Latest	Status
tuple_join	`^0.1.0`	`0.1.0`	up to date

Crate	Required	Latest	Status
cw2	`^2.0.0`	`3.0.0`	out of date
semver	`^1`	`1.0.27`	up to date

Crate	Required	Latest	Status
cw-multi-test	`=2.4.0`	`3.0.1`	out of date

The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.

This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.

Overview

The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

Affected versions

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5.

Mitigations

We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.

Acknowledgements

We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.

We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.

Crate	Required	Latest	Status
bech32	`^0.11.0`	`0.11.0`	up to date
keccak-asm	`^0.1.4`	`0.1.4`	up to date
num_cpus	`^1.16`	`1.17.0`	up to date

Crate	Required	Latest	Status
bytemuck	`^1.23`	`1.24.0`	up to date
const-hex	`^1.14.1`	`1.17.0`	up to date

Crate	Required	Latest	Status
bytemuck	`^1.23.0`	`1.24.0`	up to date
elf	`^0.7.4`	`0.8.0`	out of date

Crate	Required	Latest	Status
paste	`^1.0`	`1.0.15`	up to date
wasmparser	`^0.113`	`0.240.0`	out of date

Crate	Required	Latest	Status
once_cell	`^1.17`	`1.21.3`	up to date
rand	`^0.6`	`0.9.2`	out of date
tokio ⚠️	`^1`	`1.48.0`	maybe insecure
tracing-subscriber	`^0.3`	`0.3.20`	up to date

unionlabs / union

Crate token-factory-api

Crate ucs03-zkgm

Dev dependencies

Crate ucs06-funded-dispatch

Crate multicall

Crate lst

Dev dependencies

Crate lst-staker

Crate ibc-union

Crate ibc-union-msg

Crate ibc-union-light-client

Crate devnet-compose

Dependencies

Crate ensure-blocks

Crate protos

Crate beacon-api

Crate cometbft-rpc

Dev dependencies

Crate cosmos-client

Dependencies

Crate cometbft-types

Crate concurrent-keyring

Dev dependencies

Crate gnark-key-parser

Dependencies

Dev dependencies

Crate gnark-mimc

Dependencies

Crate ics23

Crate linea-verifier

Crate linea-zktrie

Crate macros

Crate pg-queue

Dependencies

Crate subset-of-derive

Dev dependencies

Crate scroll-api

Dev dependencies

Crate scroll-codec

Crate scroll-rpc

Dev dependencies

Crate arbitrum-types

Crate arbitrum-client

Crate bob-types

Crate base-client

Crate bob-client

Crate serde-utils

Crate ssz

Dependencies

Dev dependencies

Crate ssz-tests-generator

Dependencies

Crate ssz-derive

Crate unionlabs

Dependencies

Dev dependencies

Crate unionlabs-primitives

Dependencies

Crate unionlabs-encoding

Crate galois-rpc

Crate cosmos-sdk-event

Crate frissitheto

Crate parlia-types

Crate ibc-solidity

Crate base-verifier

Crate bob-verifier

Crate arbitrum-verifier

Crate cometbls-groth16-verifier

Dependencies

Build dependencies

Crate ethereum-sync-protocol

Crate ethereum-sync-protocol-types

Crate evm-storage-verifier

Dependencies

Crate parlia-verifier

Dev dependencies

Crate tendermint-verifier

Crate base-light-client-types

Crate bob-light-client-types

Crate `token-factory-api`

Crate `ucs03-zkgm`

Crate `ucs06-funded-dispatch`

Crate `multicall`

Crate `lst`

Crate `lst-staker`

Crate `ibc-union`

Crate `ibc-union-msg`

Crate `ibc-union-light-client`

Crate `devnet-compose`

Crate `ensure-blocks`

Crate `protos`

Crate `beacon-api`

Crate `cometbft-rpc`

Crate `cosmos-client`

Crate `cometbft-types`

Crate `concurrent-keyring`

Crate `gnark-key-parser`

Crate `gnark-mimc`

Crate `ics23`

Crate `linea-verifier`

Crate `linea-zktrie`

Crate `macros`

Crate `pg-queue`

Crate `subset-of-derive`

Crate `scroll-api`

Crate `scroll-codec`

Crate `scroll-rpc`

Crate `arbitrum-types`

Crate `arbitrum-client`

Crate `bob-types`

Crate `base-client`

Crate `bob-client`

Crate `serde-utils`

Crate `ssz`

Crate `ssz-tests-generator`

Crate `ssz-derive`

Crate `unionlabs`

Crate `unionlabs-primitives`

Crate `unionlabs-encoding`

Crate `galois-rpc`

Crate `cosmos-sdk-event`

Crate `frissitheto`

Crate `parlia-types`

Crate `ibc-solidity`

Crate `base-verifier`

Crate `bob-verifier`

Crate `arbitrum-verifier`

Crate `cometbls-groth16-verifier`

Crate `ethereum-sync-protocol`

Crate `ethereum-sync-protocol-types`

Crate `evm-storage-verifier`

Crate `parlia-verifier`

Crate `tendermint-verifier`

Crate `base-light-client-types`

Crate `bob-light-client-types`

Crate `arbitrum-light-client-types`

Crate `berachain-light-client-types`

Crate `cometbls-light-client-types`

Crate `tendermint-light-client-types`

Crate `ethereum-light-client-types`

Crate `ethermint-light-client-types`

Crate `movement-light-client-types`

Crate `parlia-light-client-types`

Crate `trusted-mpt-light-client-types`

Crate `attested-light-client-types`

Crate `linea-light-client-types`

Crate `scroll-light-client-types`

Crate `state-lens-ics23-mpt-light-client-types`

Crate `state-lens-ics23-ics23-light-client-types`

Crate `state-lens-ics23-smt-light-client-types`

Crate `sui-light-client-types`

Crate `cosmwasm-deployer`

Crate `arbitrum-light-client`

Crate `base-light-client`

Crate `berachain-light-client`

Crate `bob-light-client`

Crate `cometbls-light-client`

Crate `ethereum-light-client`

Crate `ethermint-light-client`