This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate raider-server

Dependencies

(27 total, 10 outdated, 3 insecure)

CrateRequiredLatestStatus
 log^0.30.4.14out of date
 clap^2.292.33.3up to date
 lazy_static^1.31.4.0up to date
 sha2^0.70.9.5out of date
 time^0.10.2.27out of date
 rand^0.40.8.4out of date
 serde^1.01.0.126up to date
 serde_derive^1.01.0.126up to date
 toml^0.40.5.8out of date
 base64^0.60.13.0out of date
 validate^0.60.6.1up to date
 url_serde^0.20.2.0up to date
 chrono^0.40.4.19up to date
 native-tls^0.20.2.7up to date
 openssl-probe^0.10.1.4up to date
 lettre^0.90.9.6insecure
 lettre_email^0.90.9.4up to date
 rocket^0.40.4.10insecure
 rocket_contrib^0.40.4.10up to date
 diesel^1.11.4.7insecure
 r2d2^0.80.8.9up to date
 r2d2-diesel^1.01.0.0up to date
 reqwest^0.100.11.3out of date
 bigdecimal^0.10.2.0out of date
 num-traits^0.10.2.14out of date
 separator^0.30.4.1out of date
 iso_country^0.10.1.4up to date

Security Vulnerabilities

diesel: Fix a use-after-free bug in diesels Sqlite backend

RUSTSEC-2021-0037

We've misused sqlite3_column_name. The SQLite documentation states that the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalids the pointer and therefore the stored string slice.

rocket: Use after free possible in `uri::Formatter` on panic

RUSTSEC-2021-0044

Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function.

This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.

If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.

This flaw was corrected in commit e325e2f by using a guard object to ensure that the &'static str was dropped inside the function.

lettre: SMTP command injection in body

RUSTSEC-2021-0069

Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.

The flaw is fixed by correctly handling consecutive CRLF sequences.