Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update hashbrown deps due to security #1955

Merged
merged 1 commit into from
Dec 17, 2024
Merged

Update hashbrown deps due to security #1955

merged 1 commit into from
Dec 17, 2024

Conversation

quanterion
Copy link
Contributor

@quanterion quanterion commented Dec 17, 2024
edited
Loading

In Microsoft we recently got a security notification due to usage of hashbrown 0.15.0
The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicty checks on decoding.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.

alexcrichton
alexcrichton approved these changes Dec 17, 2024
View reviewed changes
Copy link
Member

@alexcrichton alexcrichton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@alexcrichton alexcrichton added this pull request to the merge queue Dec 17, 2024
Merged via the queue into bytecodealliance:main with commit 1b0831c Dec 17, 2024
30 checks passed
@quanterion
Copy link
Contributor Author

@alexcrichton is there a place where I can look for approximate release schedule?

@sunfishcode
Copy link
Member

@quanterion I've now published a new wasm-tools including this PR.

@BrewTestBot BrewTestBot mentioned this pull request Dec 18, 2024
Merged
@alexcrichton
Copy link
Member

@quanterion note that a release isn't necessary for this PR (although I realize it's already been done) as that's not how cargo dependencies work. The dependency directives here are a minimum bound, not a range, so the fixed versions could already be used in downstream crates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexcrichton alexcrichton alexcrichton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@quanterion @sunfishcode @alexcrichton