Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update actions/checkout action to v4 #376

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

chore(deps): update actions/checkout action to v4

a713474
Select commit
Loading
Failed to load commit list.
Sign in for the full log view
Open

chore(deps): update actions/checkout action to v4 #376

chore(deps): update actions/checkout action to v4
a713474
Select commit
Loading
Failed to load commit list.
GitHub Actions / Security audit failed Apr 11, 2024 in 0s

Security advisories found

3 advisory(ies)

Details

Vulnerabilities

RUSTSEC-2024-0013

Memory corruption, denial of service, and arbitrary code execution in libgit2

Details
Package libgit2-sys
Version 0.15.2+1.6.4
URL rust-lang/git2-rs#1017
Date 2024-02-06
Patched versions >=0.16.2

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

  • The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
  • The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
  • The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

RUSTSEC-2023-0071

Marvin Attack: potential key recovery through timing sidechannels

Details
Package rsa
Version 0.7.2
URL RustCrypto/RSA#19 (comment)
Date 2023-11-22

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

RUSTSEC-2023-0065

Tungstenite allows remote attackers to cause a denial of service

Details
Package tungstenite
Version 0.17.3
URL snapview/tungstenite-rs#376
Date 2023-09-25
Patched versions >=0.20.1

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
a denial of service (minutes of CPU consumption) via an excessive length of an
HTTP header in a client handshake. The length affects both how many times a parse
is attempted (e.g., thousands of times) and the average amount of data for each
parse attempt (e.g., millions of bytes).