
RUSTSEC-2020-0146 update cookie #171

Closed
ralpha opened this issue Mar 2, 2021 · 4 comments

Comments


ralpha commented Mar 2, 2021

There was a vulnerability found in generic-array.
The affected version is still part of the dependency tree of rocket_http v0.4.7, and thus of all of Rocket.

ID:       RUSTSEC-2020-0146
Crate:    generic-array
Version:  0.12.3
Date:     2020-04-09
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0146
Title:    arr! macro erases lifetimes
Solution:  upgrade to >= 0.14.0
Dependency tree: 
generic-array 0.12.3

generic-array v0.12.3
├── aead v0.2.0
│   └── aes-gcm v0.5.0
│       └── cookie v0.11.3
│           └── rocket_http v0.4.7
│               ├── rocket v0.4.7

This was recently added to the RustSec advisory database and has thus been flagged by automated tools.

You can find more info here:
https://rustsec.org/advisories/RUSTSEC-2020-0146
fizyk20/generic-array#98

It would be advised to create a new minor release where cookie is updated to a later version. I see @SergioBenitez recently updated cookie to a new version, so it is already fixed there. I hope this does not trigger (too many) breaking changes.

@SergioBenitez SergioBenitez transferred this issue from rwf2/Rocket Mar 2, 2021
SergioBenitez added a commit that referenced this issue Mar 2, 2021

SergioBenitez commented Mar 2, 2021

Thanks! 0.11.4 has been released.


ralpha commented Mar 2, 2021

Just making sure you got this correct. The crates rocket and rocket_http require an update for this too. That is why I posted it there originally.

SergioBenitez commented

> Just making sure you got this correct. The crates rocket and rocket_http require an update for this too. That is why I posted it there originally.

No, that's not how Cargo dependencies work. rocket_http specifies the dependency cookie = "0.11.3". The version string 0.11.3 is equivalent to ^0.11.3 which is equivalent to >= 0.11.3, < 0.12.0, which includes 0.11.4. You simply need to run cargo update to fetch the latest valid dependency.
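The caret rule described in the reply above, as an added Rust example that is not part of this issue nor of Rocket's or Cargo's own code: it implements Cargo's caret matching for plain MAJOR.MINOR.PATCH requirements, so a bare `cookie = "0.11.3"` accepts 0.11.4 but not 0.12.0, and it also covers the 0.0.x and 1.x.y cases the reply does not spell out.

```rust
// Added example (not from the Rocket issue): Cargo's caret semantics for
// plain MAJOR.MINOR.PATCH versions. A bare requirement such as
// `cookie = "0.11.3"` means `^0.11.3`, i.e. >= 0.11.3, < 0.12.0.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64, // field order matters: derived Ord compares major, then minor, then patch
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; returns None for anything else
    /// (pre-release tags and build metadata are out of scope here).
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version {
            major: parts.next()??,
            minor: parts.next()??,
            patch: parts.next()??,
        };
        if parts.next().is_some() { return None; } // reject a fourth component
        Some(v)
    }
}

/// Exclusive upper bound of `^req`: the first version allowed to break
/// compatibility. Cargo treats the leftmost non-zero component as "major".
pub fn caret_upper_bound(req: Version) -> Version {
    match (req.major, req.minor) {
        (0, 0) => Version { major: 0, minor: 0, patch: req.patch + 1 }, // ^0.0.3 -> < 0.0.4
        (0, m) => Version { major: 0, minor: m + 1, patch: 0 },         // ^0.11.3 -> < 0.12.0
        (maj, _) => Version { major: maj + 1, minor: 0, patch: 0 },     // ^1.2.3 -> < 2.0.0
    }
}

/// Does `candidate` satisfy the bare requirement string `req` (i.e. `^req`)?
/// None means one of the strings did not parse.
pub fn caret_matches(req: &str, candidate: &str) -> Option<bool> {
    let req = Version::parse(req)?;
    let cand = Version::parse(candidate)?;
    Some(cand >= req && cand < caret_upper_bound(req))
}

fn main() {
    // rocket_http declares cookie = "0.11.3"; the patched release is 0.11.4.
    for cand in ["0.11.3", "0.11.4", "0.12.0", "0.11.2"] {
        println!("cookie = \"0.11.3\" accepts {cand}: {:?}", caret_matches("0.11.3", cand));
    }
}
```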


ralpha commented Mar 2, 2021

Yes sorry, you are right. Thanks for the update and very quick response. The pipelines work again 👍
