Overview

Request 946285 accepted

- Update some dependencies
* build(deps): bump nix from 0.17.0 and 0.20.0 to 0.23.1
This fixes the following security issues:
https://rustsec.org/advisories/RUSTSEC-2021-0119
* build(deps): bump generic-array from 0.12.3 to 0.12.4
This fixes a security issue:
https://rustsec.org/advisories/RUSTSEC-2020-0146 AKA CVE-2020-36465
* build(deps): bump futures-util from 0.3.6 to 0.3.15
This fixes a security issue:
https://rustsec.org/advisories/RUSTSEC-2020-0059 AKA CVE-2020-35905
* build(deps): bump rand_core from 0.6.1 to 0.6.3
This fixes a security issue:
https://rustsec.org/advisories/RUSTSEC-2021-0023
AKA CVE-2021-27378, bsc#1182432
* build(deps): bump hyper from 0.14.2 to 0.14.11
This fixes two security issues:
https://rustsec.org/advisories/RUSTSEC-2021-0078
AKA CVE-2021-32715, bsc#1188173
https://rustsec.org/advisories/RUSTSEC-2021-0079
AKA CVE-2021-32714, bsc#1188174
* build(deps): bump tokio from 1.0.1 to 1.15.0
This fixes two security issues:
https://rustsec.org/advisories/RUSTSEC-2021-0124
AKA CVE-2021-45710, bsc#1194119
https://rustsec.org/advisories/RUSTSEC-2021-0072 AKA CVE-2021-38191
- Remove cargo_audit service, as it makes no sense as a service (it doesn't
automatically get rerun); it would make more sense during the build process,
as then it gets rerun if the package or the vulnerability database gets
changed
- switch services from disabled to manual

William Brown commented
  • Remove cargo_audit service, as it makes no sense as a service (it doesn't automatically get rerun); it would make more sense during the build process, as then it gets rerun if the package or the vulnerability database gets changed
  • switch services from disabled to manual

There are good reasons to have this. First, if you are NOT using cargo_vendor update=true, then it's a gating behaviour for the maintainer to ensure they are not committing known vulnerable code.

Second, it also demonstrates that the maintainer is proactively considering security issues, but also that the package is compatible and pre-configured to work with cargo_audit. We have a security scanner, written by me and automated by product security, that consumes the cargo_audit service if it is configured for a package.

So I would ask you to re-enable cargo_audit here for these reasons.
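As an added illustration (not a file from this request or the Afterburn package), the `_service` layout William's comment argues for: cargo_vendor with update=true kept next to cargo_audit, both in the manual mode this request switches to. The srcdir value is an assumption.

```xml
<services>
  <!-- mode="manual" (the newer name for the old "disabled"): the build
       server never runs these; the maintainer runs `osc service manualrun`
       and commits the refreshed vendor tarball with the package. -->
  <service name="cargo_vendor" mode="manual">
    <!-- srcdir is assumed: the unpacked source directory name -->
    <param name="srcdir">afterburn</param>
    <!-- update=true refreshes the lockfile to newer crate versions; without
         it, cargo_audit is what gates known-vulnerable pinned crates -->
    <param name="update">true</param>
  </service>
  <!-- cargo_audit checks the vendored lockfile against the RustSec database
       at the same manual run, so a bump like the ones in this request is
       flagged before the maintainer commits known-vulnerable code -->
  <service name="cargo_audit" mode="manual">
    <param name="srcdir">afterburn</param>
  </service>
</services>
```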



Request History
Jan Zerebecki (jzerebecki) created request


Darragh O'Reilly (doreilly) accepted request

Sorry William, under pressure to get Afterburn updated, so can't wait any longer deciding on cargo_audit.