
fix: security audits #232

Merged
merged 3 commits into from
Nov 30, 2023

Conversation

chris13524
Member

@chris13524 chris13524 commented Nov 30, 2023

Description

Fixes cargo audit. Only remaining issue is openssl but there is no fix version:

Crate:     rsa
Version:   0.9.3
Title:     Marvin Attack: potential key recovery through timing sidechannels
Date:      2023-11-22
ID:        RUSTSEC-2023-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity:  7.4 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
rsa 0.9.3
└── sqlx-mysql 0.7.2
    ├── sqlx-macros-core 0.7.2
    │   └── sqlx-macros 0.7.2
    │       └── sqlx 0.7.2
    │           └── notify-server 0.13.9
    └── sqlx 0.7.2

error: 1 vulnerability found!

Work performed:

  • Switch dotenv with unmaintained warning to dotenvy
  • Remove atty with security warning, not used
  • Remove unused async-tungstenite; version needed to be bumped alongside tungstenite
  • cargo update openssl crc-catalog wasm-bindgen

Remaining work:

How Has This Been Tested?

Automated tests

Due Diligence

  • Breaking change
  • Requires a documentation update
  • Requires an e2e/integration test update

@chris13524 chris13524 self-assigned this Nov 30, 2023
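The audit output above leaves one finding with no fixed version. A CI gate then has to distinguish advisories that have a patched release (which should block the merge) from ones that do not and have been explicitly accepted, such as RUSTSEC-2023-0071 here. The following is an added example, not code from this PR or the notify-server project; the JSON layout it parses is an assumption about the `cargo audit --json` report shape, and the second finding (RUSTSEC-0000-0000) is a constructed placeholder.

```python
import json

# Constructed sample modelled on `cargo audit --json`; the field layout
# (vulnerabilities.list[].advisory / versions / package) is an assumption.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {   # the real finding from the PR: no patched release exists
                "advisory": {"id": "RUSTSEC-2023-0071",
                             "title": "Marvin Attack: potential key recovery "
                                      "through timing sidechannels"},
                "versions": {"patched": [], "unaffected": []},
                "package": {"name": "rsa", "version": "0.9.3"},
            },
            {   # constructed placeholder: a finding that does have a fix
                "advisory": {"id": "RUSTSEC-0000-0000",
                             "title": "constructed example with an available fix"},
                "versions": {"patched": [">=1.2.3"], "unaffected": []},
                "package": {"name": "example-crate", "version": "1.2.0"},
            },
        ],
    },
})


def triage(report_json, accepted_unfixed=()):
    """Split findings into 'blocking' (a patched version exists, or the id
    is not on the accepted list) and 'tolerated' (no fix available and the
    id was explicitly accepted). Accepting an id never silences a finding
    that has a fix, so the exception expires on its own once a patch ships."""
    report = json.loads(report_json)
    blocking, tolerated = [], []
    for vuln in report["vulnerabilities"]["list"]:
        adv_id = vuln["advisory"]["id"]
        pkg = vuln["package"]
        has_fix = bool(vuln["versions"].get("patched"))
        entry = {"id": adv_id, "crate": pkg["name"],
                 "version": pkg["version"], "has_fix": has_fix}
        if not has_fix and adv_id in accepted_unfixed:
            tolerated.append(entry)
        else:
            blocking.append(entry)
    return blocking, tolerated


def ci_exit_code(report_json, accepted_unfixed=()):
    """Non-zero exit when any blocking finding remains."""
    blocking, _ = triage(report_json, accepted_unfixed)
    return 1 if blocking else 0
```

In a pipeline the report would come from `cargo audit --json` on stdin, with the accepted ids kept in a reviewed file rather than hard-coded.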
Contributor

@geekbrother geekbrother left a comment


lgtm

@chris13524 chris13524 merged commit 9dbea48 into main Nov 30, 2023
11 checks passed
@chris13524 chris13524 deleted the fix/audits branch November 30, 2023 21:17