Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20 #221
Conversation
…0.1.20 I believe these two vulnerabilities were patched at 0.1.20. For RUSTSEC-2019-0033: The advisory links to the bug: hyperium/http#352 In that bug, the fixing PR was hyperium/http#360 That PR merged the commit 81ceb61 to fix the bug; that commit, according to GitHub, was first picked up by tag v0.1.20 ([commit][1]). [1]: hyperium/http@81ceb61 For RUSTSEC-2019-0034: This advisory is two separate GitHub issues against `HeaderMap::drain`, http rustsec#354 and http rustsec#355. For the first: the issue: hyperium/http#354 In that bug, the fixing PR was hyperium/http#357 That PR merged the commit 82d53db to fix the bug; that commit, according to GitHub, was first picked up by tag v0.1.20 ([commit][2]). [2]: hyperium/http@82d53db For the second: the issue: hyperium/http#355 In that bug, the fixing PR was hyperium/http#362 That PR merged the commit 8ffe094 to fix the bug; that commit, according to GitHub, was first picked up by tag v0.1.20 ([commit][3]). [3]: hyperium/http@8ffe094
|
Thanks. It looks like this is correct. Will merge when green. |
|
I've also commented to the effect on the original PR: #218 (comment) Please double check my work here, as getting the wrong has the potential side-effect of missing vulnerable packages, something we definitely don't want! @Qwaz, since you were the original reporter, and in case you have some additional insight. |
|
Okay, will wait for a second confirmation before merging. |
|
Hey, I'm a complete outsider, who is tripped on this advisory! First of all, thanks for maintaining this crate and its db!! When reviewing this PR, this compare view is very illustrating in that |
|
Ok, that seems sufficient to merge. Would still appreciate a retroactive OK from @Qwaz |
|
Yes, it seems that the bug was fixed in v0.1.20. Thank you for correcting this error. |
For details see upstream PR: rustsec/advisory-db#221
For details see upstream PR: rustsec/advisory-db#221
For details see upstream PR: rustsec/advisory-db#221
For details see upstream PR: rustsec/advisory-db#221 (cherry picked from commit 699ca5f) # Conflicts: # ci/test-checks.sh
For details see upstream PR: rustsec/advisory-db#221 (cherry picked from commit 699ca5f)
For details see upstream PR: rustsec/advisory-db#221
I believe these two vulnerabilities were patched at 0.1.20.
For RUSTSEC-2019-0033:
The advisory links to the bug: hyperium/http#352
In that bug, the fixing PR was hyperium/http#360
That PR merged the commit 81ceb61 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 (commit).
For RUSTSEC-2019-0034:
This advisory is two separate GitHub issues against
HeaderMap::drain,http #354 and http #355.
For the first: the issue: hyperium/http#354
In that bug, the fixing PR was hyperium/http#357
That PR merged the commit 82d53db to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 (commit).
For the second: the issue: hyperium/http#355
In that bug, the fixing PR was hyperium/http#362
That PR merged the commit 8ffe094 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 (commit).