This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate raider-server


(27 total, 10 outdated, 3 insecure)

 log^ of date
 clap^ to date
 lazy_static^ to date
 sha2^ of date
 time^ of date
 rand^ of date
 serde^ to date
 serde_derive^ to date
 toml^ of date
 base64^ of date
 validate^ to date
 url_serde^ to date
 chrono^ to date
 native-tls^ to date
 openssl-probe^ to date
 lettre_email^ to date
 rocket_contrib^ to date
 r2d2^ to date
 r2d2-diesel^ to date
 reqwest^ of date
 bigdecimal^ of date
 num-traits^ of date
 separator^ of date
 iso_country^ to date

Security Vulnerabilities

diesel: Fix a use-after-free bug in diesels Sqlite backend


We've misused sqlite3_column_name. The SQLite documentation states that the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalids the pointer and therefore the stored string slice.

rocket: Use after free possible in `uri::Formatter` on panic


Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function.

This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.

If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.

This flaw was corrected in commit e325e2f by using a guard object to ensure that the &'static str was dropped inside the function.

lettre: SMTP command injection in body


Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.

The flaw is fixed by correctly handling consecutive CRLF sequences.