The sound distributed version control system

#919 [AUDIT] cargo audit found 1 vuln and 3 warns

Opened by tankf33der on March 30, 2024
tankf33der on March 30, 2024

Today I have learned something new:

cd pijul
cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/mpech/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (429 crate dependencies)
Crate:     ed25519-dalek
Version:   1.0.1
Title:     Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Date:      2022-06-11
ID:        RUSTSEC-2022-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0093
Solution:  Upgrade to >=2
Dependency tree:
ed25519-dalek 1.0.1
└── libpijul 1.0.0-beta.10
    ├── pijul-repository 0.0.1
    │   ├── pijul-remote 1.0.0-beta.6
    │   │   └── pijul 1.0.0-beta.9
    │   ├── pijul-identity 0.0.1
    │   │   ├── pijul-remote 1.0.0-beta.6
    │   │   └── pijul 1.0.0-beta.9
    │   └── pijul 1.0.0-beta.9
    ├── pijul-remote 1.0.0-beta.6
    ├── pijul-identity 0.0.1
    └── pijul 1.0.0-beta.9

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── ptree 0.4.0
    └── pijul 1.0.0-beta.9

Crate:     memmap
Version:   0.7.0
Warning:   unmaintained
Title:     memmap is unmaintained
Date:      2020-12-02
ID:        RUSTSEC-2020-0077
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0
└── sanakirja 1.4.1
    ├── pijul-remote 1.0.0-beta.6
    │   └── pijul 1.0.0-beta.9
    ├── pijul 1.0.0-beta.9
    └── libpijul 1.0.0-beta.10
        ├── pijul-repository 0.0.1
        │   ├── pijul-remote 1.0.0-beta.6
        │   ├── pijul-identity 0.0.1
        │   │   ├── pijul-remote 1.0.0-beta.6
        │   │   └── pijul 1.0.0-beta.9
        │   └── pijul 1.0.0-beta.9
        ├── pijul-remote 1.0.0-beta.6
        ├── pijul-identity 0.0.1
        └── pijul 1.0.0-beta.9

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── ptree 0.4.0
│   └── pijul 1.0.0-beta.9
├── pijul 1.0.0-beta.9
└── env_logger 0.8.4
    ├── quickcheck 1.0.3
    │   └── libpijul 1.0.0-beta.10
    │       ├── pijul-repository 0.0.1
    │       │   ├── pijul-remote 1.0.0-beta.6
    │       │   │   └── pijul 1.0.0-beta.9
    │       │   ├── pijul-identity 0.0.1
    │       │   │   ├── pijul-remote 1.0.0-beta.6
    │       │   │   └── pijul 1.0.0-beta.9
    │       │   └── pijul 1.0.0-beta.9
    │       ├── pijul-remote 1.0.0-beta.6
    │       ├── pijul-identity 0.0.1
    │       └── pijul 1.0.0-beta.9
    ├── pijul 1.0.0-beta.9
    └── libpijul 1.0.0-beta.10

error: 1 vulnerability found!
warning: 3 allowed warnings found
tankf33der on March 30, 2024

By default, and without cargo update, audit finds two additional ones.