Update Patched Fix openssl `X509StoreRef::objects` is unsound #394
This function returned a reference into an OpenSSL data structure, but there was no way to ensure OpenSSL would not mutate the data structure behind one's back. Use of this function should be replaced with `X509StoreRef::all_certificates`.
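The difference between the two API shapes named in the description, as an added model in plain Rust (not code from this PR or from the openssl crate). `Cert`, `Store`, `try_clear` and `demo` are hypothetical, and the model assumes the replacement hands back an owned copy. Here the `RefCell` guard rejects the conflicting mutation; the description's point is that nothing plays that role for a reference into OpenSSL's own storage.

```rust
use std::cell::{Ref, RefCell};
use std::rc::Rc;

// Constructed stand-in for a certificate; not the openssl crate's X509 type.
struct Cert { subject: String }

// Toy store that, like a C library handle, is mutated through a shared reference.
struct Store { certs: RefCell<Vec<Rc<Cert>>> }

impl Store {
    fn add(&self, subject: &str) {
        self.certs.borrow_mut().push(Rc::new(Cert { subject: subject.to_string() }));
    }

    // Mutation that reports failure instead of panicking while a view is live.
    fn try_clear(&self) -> bool {
        match self.certs.try_borrow_mut() {
            Ok(mut certs) => { certs.clear(); true }
            Err(_) => false,
        }
    }

    // Shape of the withdrawn API: a view into the store's internal storage.
    // RefCell tracks this borrow at run time; across an FFI boundary nothing does.
    fn objects(&self) -> Ref<'_, Vec<Rc<Cert>>> {
        self.certs.borrow()
    }

    // Shape of the replacement: an owned snapshot holding its own references.
    fn all_certificates(&self) -> Vec<Rc<Cert>> {
        self.certs.borrow().clone()
    }
}

// Returns (was the store mutated while a view was held, subjects still readable
// from a snapshot after the store was emptied).
fn demo() -> (bool, Vec<String>) {
    let store = Store { certs: RefCell::new(Vec::new()) };
    store.add("CN=constructed-root-a");
    store.add("CN=constructed-root-b");
    let view = store.objects();
    let mutated_under_view = store.try_clear(); // rejected: a view is live
    drop(view);
    let snapshot = store.all_certificates();
    let cleared = store.try_clear(); // succeeds: the snapshot is not a borrow
    assert!(cleared && store.objects().is_empty());
    (mutated_under_view, snapshot.iter().map(|c| c.subject.clone()).collect())
}

fn main() { println!("{:?}", demo()); }
```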
Hey, I don't quite follow this - there aren't any code changes other than a version bump in the lockfile, so I'm not sure if this would actually fix the mentioned issue? We only work with certificates in the
I see, the relevant issue is sfackler/rust-openssl#2096? Looks like CI is failing, so will have to look into that. And ideally bump whichever crate indirectly depends on OpenSSL as well.
this should also be addressed in the
@@ -942,11 +925,11 @@ checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575" | |||
|
|||
[[package]] | |||
name = "openssl" | |||
version = "0.10.55" |
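Review bot: The `openssl` entry here shows `version = "0.10.55"` with no visible `+` or `-` marker, so the diff as rendered does not say whether this is the release being replaced or the one being introduced. Please state in the PR description which release the lockfile now resolves to and confirm that it carries the fix for sfackler/rust-openssl#2096. Since only the lockfile changes, also raise the minimum version in the manifest of the crate that pulls in `openssl`; otherwise builds that do not use this lockfile can still resolve the old release.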
@@ -108,23 +108,6 @@ version = "1.0.0" | |||
source = "registry+https://github.com/rust-lang/crates.io-index" | |||
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" | |||
|
|||
[[package]] | |||
name = "chia-bls" |
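Review bot: The header `@@ -108,23 +108,6 @@` shows 17 lines removed in the region around the `chia-bls` entry, which is outside what an `openssl` bump needs to touch. Please confirm which package entries were dropped and why. If they came from a blanket `cargo update`, regenerate the lockfile with `cargo update -p openssl` so the change stays limited to the advisory being addressed.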
I updated some packages to avoid the attacks I listed. I hope that in the future this version is always updated, because every vulnerability will exist every year, according to CVE / CWE standards.
Thanks for your contribution, this was merged into one big PR and included
Thanks! Included in #435.