RUSTSEC-2020-0146: arr! macro erases lifetimes

[github-actions]

arr! macro erases lifetimes

Details
Package	generic-array
Version	0.12.3
URL	fizyk20/generic-array#98
Date	2020-04-09
Patched versions	>=0.14.0
Unaffected versions	<0.8.0

Affected versions of this crate allowed unsoundly extending
lifetimes using arr! macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.

See advisory page for additional details.

[tensor-programming]

We don't use this crate to my knowledge at least not directly.

[nothingismagick]

It is because of outdated transient deps in libp2p-core
libp2p/rust-libp2p#1980

[nothingismagick]

paritytech/libsecp256k1#66

[mbrubeck]

A patched version generic-array 0.12.4 is now available, so you can now fix this just by running:

cargo update -p generic-array:0.12.3

[tensor-programming]

A patched version generic-array 0.12.4 is now available, so you can now fix this just by running:

cargo update -p generic-array:0.12.3

We don't use the generic_array library in stronghold. This is a matter for the libp2p team to update. We could patch it but I suspect that might cause further issues.

[mbrubeck]

To clarify, the cargo update command is only necessary for consumers of this crate, or for developers’ local machines that have Cargo.lock files on disk referencing the old version of generic-array. That command will update the local Cargo.lock file to the new version of generic-array.

For builds done from a fresh checkout of the stronghold.rs repo, no action is necessary. Cargo will automatically select generic-array 0.12.4, which contains the fix, by default.