
CVE-2021-32714 CVE-2021-32715 vulnerability in hyper (transitive via surf) #95

Closed
tumbl3w33d opened this issue Aug 9, 2021 · 3 comments

@tumbl3w33d

This crate uses a hyper version (transitive via surf) that has vulnerabilities.

hyper v0.13.10
├── http-client v6.4.1
│   └── surf v2.2.0
│       └── influxdb v0.4.0
msrd0 (Collaborator) commented Oct 4, 2021

Thanks for the report. Is there anything we can do? Hyper 0.14 support has just landed with #92, but if you need surf with tokio support, hyper 0.13 still seems to be your only choice

@jyoung15

These CVEs are still outstanding as well as dependencies on the time and tokio crates. From trivy output:

Cargo.lock (cargo)

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌─────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ hyper   │ GHSA-f67m-9j94-qv9j │ HIGH     │ 0.13.10           │ 0.14.12       │ Parser creates invalid uninitialized value               │
│         │                     │          │                   │               │ https://github.com/advisories/GHSA-f67m-9j94-qv9j        │
│         ├─────────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────┤
│         │ CVE-2021-32714      │ MEDIUM   │                   │ 0.14.10       │ hyper is an HTTP library for Rust. In versions prior to  │
│         │                     │          │                   │               │ 0.14.10,...                                              │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32714               │
│         ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────┤
│         │ CVE-2021-32715      │ LOW      │                   │               │ hyper is an HTTP library for rust. hyper's HTTP/1 server │
│         │                     │          │                   │               │ code had...                                              │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32715               │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ time    │ CVE-2020-26235      │ MEDIUM   │ 0.1.45            │ 0.2.23        │ Segmentation fault in time                               │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-26235               │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ tokio   │ CVE-2021-45710      │ HIGH     │ 0.2.25            │ 1.13.1, 1.8.4 │ tokio: Race leads to panic in oneshot::Sender::send()    │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-45710               │
└─────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

jyoung15 added a commit to jyoung15/influxdb-rust that referenced this issue Dec 16, 2022
msrd0 (Collaborator) commented Dec 16, 2022

@jyoung15 We do not depend directly on any of the libraries you listed above. Neither do we require the use of these libraries, nor enable them by default. We have a reqwest-client option available that uses hyper 0.14 and tokio 1.0, and we disable the default features of chrono, so we don't have a dependency on time 0.1 at all. Unless you explicitly choose to enable the hyper-client, you are not affected by these vulnerabilities at all. Since surf has not yet updated to a newer hyper client, there is nothing we can do. Please file an issue with surf if you are concerned.

@msrd0 msrd0 closed this as completed Dec 16, 2022
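The `cargo tree` output and the trivy table above show which locked version is flagged but not how a scanner gets from a Cargo.lock entry to "transitive via surf". The Rust program below is an added example, not code from the influxdb-rust project, surf or hyper: it parses a constructed Cargo.lock fragment modelled on the tree in this issue, compares each locked version against a small inline advisory table, and walks the reverse dependency edges back to the root crate, which is what `cargo tree -i hyper` reports. Everything in it is an assumption for illustration: the lock fragment (with http-client omitted), the advisory table (simplified to one patched version per advisory), and the reqwest 0.11.13 / hyper 0.14.23 entries standing in for the reqwest-client path.

```rust
// Added example (not code from influxdb-rust, surf or hyper): a minimal Cargo.lock scanner that
// flags crates below an advisory's patched version and prints the reverse dependency chain to
// the root crate, like `cargo tree -i hyper`, with no network access. Sample data is constructed.
use std::collections::HashMap;
pub struct Package { pub name: String, pub version: String, pub deps: Vec<String> }
// Simplified: every version below `patched` counts as affected (multi-branch fixes not modelled).
pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: &'static str }
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "CVE-2021-32714", krate: "hyper", patched: "0.14.10" },
    Advisory { id: "CVE-2021-32715", krate: "hyper", patched: "0.14.10" },
];
/// "MAJOR.MINOR.PATCH" -> comparable vector (a pre-release tag is dropped).
pub fn parse_version(v: &str) -> Vec<u64> {
    v.split(|c: char| c == '.' || c == '-').take(3).map(|p| p.parse().unwrap_or(0)).collect()
}

/// Parse the `[[package]]` tables of a Cargo.lock. A dependency entry is "name", or
/// "name version" when several versions of that crate are locked at once.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs: Vec<Package> = Vec::new();
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" { pkgs.push(Package { name: String::new(), version: String::new(), deps: Vec::new() }); continue; }
        let p = match pkgs.last_mut() { Some(p) => p, None => continue }; // skip text before the first table
        if let Some(v) = line.strip_prefix("name = ") { p.name = v.trim_matches('"').to_string(); }
        else if let Some(v) = line.strip_prefix("version = ") { p.version = v.trim_matches('"').to_string(); }
        else if line.starts_with('"') { // quoted lines occur only inside `dependencies = [ ... ]`
            p.deps.push(line.trim_matches(|c: char| c == '"' || c == ',').to_string());
        }
    }
    pkgs
}
fn key(p: &Package) -> String { format!("{} {}", p.name, p.version) }
/// Resolve a dependency entry to the key of the locked package it refers to.
fn resolve(entry: &str, pkgs: &[Package]) -> Option<String> {
    let (name, ver) = entry.split_once(' ').map_or((entry, None), |(n, v)| (n, Some(v)));
    pkgs.iter().find(|p| p.name == name && ver.map_or(true, |v| p.version == v)).map(key)
}

/// Chain from `target` ("name version") up to a crate nothing depends on, target first as
/// `cargo tree -i` prints it: DFS over child -> parents edges, with cycle protection.
pub fn reverse_chain(pkgs: &[Package], target: &str) -> Option<Vec<String>> {
    let mut parents: HashMap<String, Vec<String>> = HashMap::new();
    for p in pkgs {
        for child in p.deps.iter().filter_map(|d| resolve(d, pkgs)) { parents.entry(child).or_default().push(key(p)); }
    }
    fn climb(parents: &HashMap<String, Vec<String>>, node: &str, path: &mut Vec<String>) -> bool {
        path.push(node.to_string());
        let ps = match parents.get(node) { Some(ps) => ps, None => return true }; // root reached
        if ps.iter().any(|p| !path.contains(p) && climb(parents, p, path)) { return true; }
        path.pop(); // every parent already lies on the path (cycle): backtrack
        false
    }
    let mut chain = Vec::new();
    if climb(&parents, target, &mut chain) { Some(chain) } else { None }
}
/// Scan a Cargo.lock; each hit is (advisory id, "name version", chain up to the root).
pub fn scan(lock: &str) -> Vec<(String, String, Vec<String>)> {
    let pkgs = parse_lock(lock);
    let mut hits = Vec::new();
    for p in &pkgs {
        for a in ADVISORIES.iter().filter(|a| a.krate == p.name && parse_version(&p.version) < parse_version(a.patched)) {
            hits.push((a.id.to_string(), key(p), reverse_chain(&pkgs, &key(p)).unwrap_or_default()));
        }
    }
    hits
}

/// Constructed lock fragment after the `cargo tree` output in this issue (http-client omitted);
/// reqwest 0.11.13 and hyper 0.14.23 are invented stand-ins for the reqwest-client feature.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "influxdb"
version = "0.4.0"
dependencies = [
 "reqwest",
 "surf",
]
[[package]]
name = "surf"
version = "2.2.0"
dependencies = [
 "hyper 0.13.10",
]
[[package]]
name = "reqwest"
version = "0.11.13"
dependencies = [
 "hyper 0.14.23",
]
[[package]]
name = "hyper"
version = "0.13.10"
[[package]]
name = "hyper"
version = "0.14.23"
"#;

fn main() {
    for (id, pkg, chain) in scan(SAMPLE_LOCK) { println!("{}: {} via {}", id, pkg, chain.join(" <- ")); }
}
```

Running it reports the two hyper advisories against `hyper 0.13.10` with the chain `hyper 0.13.10 <- surf 2.2.0 <- influxdb 0.4.0`, while the second locked hyper (0.14.23, reached only through reqwest) is not flagged; that is the distinction msrd0 draws above between the hyper-client and reqwest-client feature paths. For real projects use `cargo tree -i <crate>` and `cargo audit`, which read the RustSec database rather than a hand-written table.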
jyoung15 added a commit to jyoung15/influxdb-rust that referenced this issue Dec 17, 2022