The version of exonum that is contained on crates.io contains multiple severe vulnerabilities. It looks like these vulnerabilities are fixed on GitHub, but no release has been pushed to crates.io for a year. Could you please make a 1.0.1 or 1.1.0 release?
Specifically:
RUSTSEC-2018-0007 (Stack overflow when parsing malicious DNS packet).
RUSTSEC-2020-0049 (Use-after-free in Framed).
RUSTSEC-2020-0048 (Use-after-free in BodyStream)
Hello. Yes, I know about these vulnerabilities. I'm waiting for the actix-web 4.0.0 and actix-web-actors 4.0.0 releases. After that I plan to create a new release of exonum.
I appreciate you putting in the effort to maintain this project. I recently adopted exonum as the backend for my CryptoBallot project (https://github.com/cryptoballot/cryptoballot), and it fit my needs nearly perfectly.
actix-web 4 has been released for over a year now. We're considering breaking the actix-http 1.x range of dependencies in order to fix a vulnerability report in chrono: chronotope/chrono#1095. Consider yourself warned that we may break actix-http 1.x going forward.