Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): Update openssl to 0.10.55 for RUSTSEC-2023-0044 fix #5027

Closed
wants to merge 1 commit into from

Conversation

rhysd
Copy link
Contributor

@rhysd rhysd commented Jul 20, 2023

This PR fixes the vulnerability RUSTSEC-2023-0044 in openssl crate.

This is the report from cargo audit:

Crate:         openssl
Version:       0.10.52
Title:         `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:          2023-06-20
ID:            RUSTSEC-2023-0044
URL:           https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:      Upgrade to >=0.10.55
Dependency tree:
openssl 0.10.52
└── native-tls 0.2.11
    ├── ureq 2.6.2
    │   └── nu-command 0.78.0
    │       ├── nu-cli 0.78.0
    │       │   └── clap_complete_nushell 4.3.1
    │       └── clap_complete_nushell 4.3.1
    └── nu-command 0.78.0

for fixing vulnerability RUSTSEC-2023-0044 in openssl crate

https://rustsec.org/advisories/RUSTSEC-2023-0044
@epage
Copy link
Member

epage commented Jul 20, 2023

@rhysd I'm curious why this vulnerability mattered. The lock file should only affect clap and clap isn't distributed in a way where vulnerabilities matter.

@rhysd
Copy link
Contributor Author

rhysd commented Jul 21, 2023

@epage While I was reading sources of clap_complete_nushell to integrate it to my tool, my text editor warned the vuln. Yes, this change doesn't affect users, but I thought security of development environment. If it doesn't matter for you, please feel free to close this PR without merge.

@epage epage closed this Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants