Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update rustls-ffi version to fix vulnerability #558

Closed
wants to merge 1 commit into from
Closed

Update rustls-ffi version to fix vulnerability #558

wants to merge 1 commit into from

Conversation

GreeFine
Copy link

@GreeFine GreeFine commented Apr 23, 2024
edited
Loading

When auditing my crate, I found out that this package needed an update.

Crate: rustls
Version: 0.20.9
Title: rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input
Date: 2024-04-19
ID: RUSTSEC-2024-0336
URL: https://rustsec.org/advisories/RUSTSEC-2024-0336
Severity: 7.5 (high)
Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0
Dependency tree:
rustls 0.20.9
└── rustls-ffi 0.8.2
. └── curl-sys 0.4.72+curl-8.6.0
. . └── curl 0.4.46
. . . └── faker 0.1.0

I updated rustls-ffi to the latest version, and it seems to work with no additional changes.

What I did to test:

  • cargo clean
  • cargo build --release
  • cargo build --release -F rustls
  • cargo test --release
  • cargo test --release -F rustls

@ehuss
Copy link
Collaborator

ehuss commented Aug 11, 2024

I'm going to close as fixed by #562. Thanks!

@ehuss ehuss closed this Aug 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GreeFine @ehuss