-
Notifications
You must be signed in to change notification settings - Fork 542
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2020-26235 advisory for time 0.1 dependency #602
Comments
|
Everything below 0.2.7 is unaffected: However chrono does seem somewhat unmaintained, so maybe it makes sense to just switch to time 0.3 as your dependency entirely, which covers a lot of chrono's surface area, while also reducing the dependency count. |
Many projects are using chrono, they all have to drop chrono and use time 0.3, as you suggested.
|
Actually, this conversation is founded on a wrong assumption. chrono has the issue not because of its time 0.1 dependency, but because it directly calls So unless I'm missing something, while it's unfortunate that the PR to update to time 0.3 hasn't been merged for a long time, it also won't actually fix the crash reported here. |
@Arnavion wrote:
Should a separate security advisory be issued for chrono then, in addition to the one for time that transitively affects chrono? |
Yeah definitely. |
I've opened a PR to add an advisory for |
After reading through the issues: would using a shared lock for If so, I'd be happy to try and implement it. In the hopes of it getting merged of course. |
Per the discussion on time#293 it sounds like the best solution would be to reimplement |
Yep I think that would be the proper thing to do longterm. And the less explicit dependency on libc, the better. |
… Removing this subdependency is required by an advisory [here (CVE-2020-26235)](chronotope/chrono#602).
It is about some old version of the time crate used by chrono, but the chrono authors say that they don't actually use the affected functions. See chronotope/chrono#602 (comment)
FWIW, we've released chrono 0.4.30 without the time 0.1 dependency. See the release notes for more context. |
Getting rid of the old time 0.1 dependency is desirable as it isn't maintained anymore and triggers security alerts due CVE-2020-26235 [0]. The chrono crate finally dropped the dependency on time in version 0.4.30 [1]. [0]: https://github.com/science-computing/butido/security/dependabot/4 [1]: chronotope/chrono#602 (comment) Signed-off-by: Michael Weiss <michael.weiss@atos.net>
Update and lock patch versions for all dependencies. Addresses: chronotope/chrono#602
Update and lock patch versions for all dependencies. Addresses: chronotope/chrono#602
Getting rid of the old time 0.1 dependency is desirable as it isn't maintained anymore and triggers security alerts due CVE-2020-26235 [0]. The chrono crate finally dropped the dependency on time in version 0.4.30 [1]. [0]: https://github.com/science-computing/butido/security/dependabot/4 [1]: chronotope/chrono#602 (comment) Signed-off-by: Michael Weiss <michael.weiss@atos.net>
Please update time dependency.
Inverse Dependency graph
time 0.1.44 (registry+https://github.com/rust-lang/crates.io-index)
└── chrono 0.4.19 (registry+https://github.com/rust-lang/crates.io-index)
The text was updated successfully, but these errors were encountered: