-
Notifications
You must be signed in to change notification settings - Fork 278
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerabilities found by cargo audit #277
Comments
Such things is one of the reasons (or maybe a primary reason) why I rewritten it using modern dependencies. It is impractical to close all those things - maybe porting the features to 4.0.0 branch would be simpler. I hope that most of the things should not be (easily) reachable from Websocat. For example:
Websockets do not use
WebSockets do not use
As far as I remember, it's about environment variables and setting timezone or something like that. Obviously Websocat does not use In general The most important security-related dependency - OpenSSL - should be up to date even with v1 branch. Maybe try to package The only Note that a lot of Websocat1 features are missing at the moment (porting is tracked at #276). If Websocat is unpackaged at the moment it may be less of a problem, but automatic update from
Is it the first time OpenSUSE packages Websocat (i.e. v1.14.0 is a starting version) or it is an update? v1.14.0 is not significantly different from Maybe The only correctness change of |
websocat is currently only available in the "network:utilities" add-on repository and not (yet) in of openSUSE's official distributions like Tumbleweed, Leap, ... It's a package update but passing "cargo audit" is a new requirement for packages since some time (at least for those in the official distribution) thus the package builds are failing. websocat
websocat |
Shall I review those specific RUSTSECs how (and if) they affect Websocat1?
It may take a while. Next Websocat4 release would probably be "beta" or something like that. |
That would be nice.
Thanks for letting me know. |
RUSTSEC-2021-0078
This looks like a minor, obscure thing. I'm not even sure that accepting more requests that RFC suggest is a real problem - buggy proxies (especially usage of them for security) may be the real problem instead. Websocat accept HTTP requests in two ways:
There are no mentions of Vulnerability score seems to be somewhat inflated for this. And Websocat (at least as of version 1) does not aim to cross the t-s and dot the i-s regarding to web standards anyway. Websocat4 may be a bit better in that regard, but mostly implicitly (by using more modern dependencies). RUSTSEC-2021-0079
How can "desync" even get such high score if it relies on a bad proxy? Websocat just does not support RUSTSEC-2021-0124
Websocat1 uses |
Hello,
I am one of the openSUSE websocat package maintainers.
The package build routines nowadays include a check via cargo audit to only allow updates without security vulnerabilities.
The current version v1.14.0 fails that check because of the following discovered vulnerabilities:
The text was updated successfully, but these errors were encountered: