
chore(cargo) Fix RUSTSEC-2021-0023. #2125

Merged (3 commits), Feb 16, 2021

Conversation

@Hywan (Contributor) commented Feb 16, 2021

Description

This patch updates rand_core from 0.6.1 to 0.6.2 as a vulnerability
has been discovered. See https://rustsec.org/advisories/RUSTSEC-2021-0023.

This issue has been reported by our Audit workflow in the CI.

Review

  • Add a short description of the change to the CHANGELOG.md file
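The Audit workflow the description refers to is what turned the advisory into a failing CI run. What follows is an added example, not wasmer's or rand_core's code, of the check such a workflow performs in miniature: scan a Cargo.lock for crates whose locked version is older than an advisory's first patched release and exit non-zero when anything is found. It assumes only what the PR states (rand_core 0.6.1 affected, 0.6.2 patched); the lockfile text is a constructed sample, and treating every version below the patched release as affected is a simplification of the explicit version ranges a real advisory database carries.

```rust
// Added example (not wasmer's or rand_core's code): a minimal Cargo.lock scanner
// that reports locked crates whose version is below an advisory's first patched
// release. The only advisory data used is what the PR states: rand_core before
// 0.6.2 is affected by RUSTSEC-2021-0023. The lockfile below is a constructed
// sample, not taken from the wasmer repository.

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; pre-release and build metadata are rejected.
    /// The derived Ord compares fields lexicographically, so 0.6.10 > 0.6.9.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(parts.next()??, parts.next()??, parts.next()??);
        if parts.next().is_some() {
            return None;
        }
        Some(v)
    }
}

/// One advisory: the crate it concerns and the first release that fixes it.
/// Simplification (assumption): every earlier version is treated as affected.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub patched: Version,
}

#[derive(Debug, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: Version,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub advisory: String,
    pub package: String,
    pub locked: Version,
    pub patched: Version,
}

/// Extract (name, version) from each `[[package]]` table of a Cargo.lock.
/// Other keys (source, checksum, dependencies) are ignored.
pub fn parse_lock(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<Version>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Version::parse(v.trim_matches('"'));
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Report every locked package an advisory covers whose version is older
/// than the advisory's patched release.
pub fn audit(lock: &[LockedPackage], advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for adv in advisories {
        for pkg in lock.iter().filter(|p| p.name == adv.package && p.version < adv.patched) {
            findings.push(Finding {
                advisory: adv.id.to_string(),
                package: pkg.name.clone(),
                locked: pkg.version.clone(),
                patched: adv.patched.clone(),
            });
        }
    }
    findings
}

/// Constructed sample lockfile: two rand_core entries, one of them vulnerable.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rand"
version = "0.8.3"
dependencies = [
 "rand_core",
]

[[package]]
name = "rand_core"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand_core"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// The one advisory this PR is about, as the PR states it.
pub fn advisories() -> Vec<Advisory> {
    vec![Advisory { id: "RUSTSEC-2021-0023", package: "rand_core", patched: Version(0, 6, 2) }]
}

fn main() {
    let findings = audit(&parse_lock(SAMPLE_LOCK), &advisories());
    for f in &findings {
        println!("{}: {} {:?} is below patched {:?}", f.advisory, f.package, f.locked, f.patched);
    }
    // Fail the job, as an audit workflow would, when anything was found.
    std::process::exit(if findings.is_empty() { 0 } else { 1 });
}
```

Run as a binary it prints the one finding for rand_core 0.6.1 and exits 1; the 0.6.2 entry in the same lockfile is not reported, which is the state the PR leaves the tree in once the bump lands.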

This patch updates `rand_core` from 0.6.1 to 0.6.2 as a vulnerability
has been discovered. See https://rustsec.org/advisories/RUSTSEC-2021-0023.
@Hywan Hywan added the bug Something isn't working label Feb 16, 2021
@Hywan Hywan requested a review from jubianchi February 16, 2021 13:31
@Hywan Hywan self-assigned this Feb 16, 2021
@Hywan (Contributor, Author) commented Feb 16, 2021:

bors try

bors bot added a commit that referenced this pull request Feb 16, 2021

@bors (bors bot) commented Feb 16, 2021:

try

Build failed:

@MarkMcCaskey (Contributor) left a comment:

Looks good! But I don't think we use seeded RNG anywhere so I don't think this bug affects us at all -- it's good to upgrade though!

CHANGELOG.md (Outdated)
@@ -14,6 +14,7 @@
- [#2113](https://github.com/wasmerio/wasmer/pull/2113) Bump minimum supported Rust version to 1.49

### Fixed
- [#2125](https://github.com/wasmerio/wasmer/pull/2125) Fix RUSTSEC-2021-0023; `rand_core`: incorrect check on buffer length when seeding RNGs.
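Review bot: the entry added under `### Fixed` (`- [#2125](...) Fix RUSTSEC-2021-0023; rand_core: incorrect check on buffer length when seeding RNGs.`) records a fix for a bug that, per the review comment above, does not reach this code base because no seeded RNG is used, so a changelog reader would infer wasmer was vulnerable. Either drop the entry or reword it as a dependency bump that carries the versions the PR description gives, for example `Bump rand_core from 0.6.1 to 0.6.2 to clear RUSTSEC-2021-0023 from the Audit workflow`, placed alongside the `#2113` bump entry rather than under `### Fixed`.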
Contributor:

This doesn't affect us, might want to mention that in the changelog, or remove this from the changelog entirely.

Contributor Author:

I can remove it from the changelog, yes.

@Hywan (Contributor, Author) commented Feb 16, 2021:

We need to upgrade because our Audit workflow is failing due to that.

@MarkMcCaskey (Contributor) commented:

> We need to upgrade because our Audit workflow is failing due to that.

I think it's the right thing to do in any case! Even though we're not affected by that bug right now, we easily could decide that we want to use seeded RNG in the future, so it's best to make sure it works! Thanks for the PR!

@MarkMcCaskey (Contributor) commented:

Merging manually because of multiple CI breakages: this change seems safe and will unblock part of CI

@MarkMcCaskey MarkMcCaskey merged commit f545b2e into wasmerio:master Feb 16, 2021