This repository was archived by the owner on Nov 6, 2020. It is now read-only.

error: Vulnerable crates found! #9722

Closed
5chdn opened this issue Oct 9, 2018 · 5 comments
Labels
F1-security 🛡 The client fails to follow expected, security-sensitive, behaviour. M5-dependencies 🖇 Dependencies. P2-asap 🌊 No need to stop dead in your tracks, however issue should be addressed as soon as possible.

Comments

@5chdn
Contributor

5chdn commented Oct 9, 2018

  • Parity Ethereum version: 2.1.2
  • Operating system: Linux
  • Installation: built from source
  • Fully synchronized: no
  • Network: ethereum
  • Restarted: yes
Scanning Cargo.lock for vulnerabilities (385 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2018-0003
Crate:	 smallvec
Version: 0.2.1
Date:	 2018-07-19
URL:	 https://github.com/servo/rust-smallvec/issues/96
Title:	 Possible double free during unwinding in SmallVec::insert_many
Solution: upgrade to: >= 0.6.3 OR ^0.3.4 OR ^0.4.5 OR ^0.5.1

ID:	 RUSTSEC-2018-0001
Crate:	 untrusted
Version: 0.5.1
Date:	 2018-06-21
URL:	 https://github.com/briansmith/untrusted/pull/20
Title:	 An integer underflow could lead to panic
Solution: upgrade to: >= 0.6.2

error: 2 vulnerabilities found!
ERROR: Job failed: exit code 1
@5chdn 5chdn added F1-security 🛡 The client fails to follow expected, security-sensitive, behaviour. P2-asap 🌊 No need to stop dead in your tracks, however issue should be addressed as soon as possible. M5-dependencies 🖇 Dependencies. labels Oct 9, 2018
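Added example, not code from this issue or from Parity or cargo-audit: a stand-alone Rust check that decides whether a locked crate version falls inside any patched range from an advisory's "Solution: upgrade to:" line, handling the `>=` and caret (`^`) forms that appear in the output above. The `Version`, `parse_version` and `is_patched` names are this example's own.

```rust
// Checks a Cargo.lock crate version against a RUSTSEC "Solution: upgrade to:" string.
// Handles the two requirement forms in this issue: ">= X.Y.Z" and "^X.Y.Z", joined by "OR".

#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parses "major.minor.patch"; returns None on anything else.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(it.next()??, it.next()??, it.next()??))
}

/// One requirement, e.g. ">= 0.6.3" or "^0.3.4". None if the operator is unknown.
fn satisfies(req: &str, v: Version) -> Option<bool> {
    let req = req.trim();
    if let Some(rest) = req.strip_prefix(">=") {
        return Some(v >= parse_version(rest)?);
    }
    if let Some(rest) = req.strip_prefix('^') {
        let base = parse_version(rest)?;
        // Cargo caret semantics: the leftmost non-zero component may not change.
        let upper = if base.0 > 0 {
            Version(base.0 + 1, 0, 0)
        } else if base.1 > 0 {
            Version(0, base.1 + 1, 0)
        } else {
            Version(0, 0, base.2 + 1)
        };
        return Some(v >= base && v < upper);
    }
    None
}

/// Some(true) when `version` lies in any patched range of the solution line,
/// Some(false) when it is still vulnerable, None when the line could not be parsed.
pub fn is_patched(solution: &str, version: &str) -> Option<bool> {
    let v = parse_version(version)?;
    let ranges = solution.trim().trim_start_matches("upgrade to:").trim();
    let mut any = false;
    for req in ranges.split(" OR ") {
        any |= satisfies(req, v)?;
    }
    Some(any)
}

fn main() {
    // The two findings from the cargo-audit output in this issue.
    let findings = [
        ("smallvec", "0.2.1", "upgrade to: >= 0.6.3 OR ^0.3.4 OR ^0.4.5 OR ^0.5.1"),
        ("untrusted", "0.5.1", "upgrade to: >= 0.6.2"),
    ];
    for &(krate, ver, solution) in findings.iter() {
        match is_patched(solution, ver) {
            Some(true) => println!("{} {}: patched", krate, ver),
            Some(false) => println!("{} {}: VULNERABLE", krate, ver),
            None => println!("{} {}: could not parse advisory", krate, ver),
        }
    }
}
```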
@5chdn
Contributor Author

5chdn commented Oct 9, 2018

@ordian
Member

ordian commented Oct 9, 2018

@5chdn this should be fixed in #9657 (see paritytech/devops/issues/216)

@kirushik kirushik self-assigned this Oct 9, 2018
@5chdn
Contributor Author

5chdn commented Oct 9, 2018

This PR is pretty much in limbo. Is it that involved to fix?

@kirushik
Collaborator

kirushik commented Oct 9, 2018

@5chdn Yes, it involves re-writing the util/fetch with a new Hyper. I will try to make #9657 happen, that's our safest bet.

@c0gent
Contributor

c0gent commented Oct 9, 2018

I can get #9657 mergeable today... Maybe...

@5chdn 5chdn added this to the 2.2 milestone Oct 29, 2018