
[RUSTSEC-2020-0002]: Upgrade to prost 0.6.1 #1639

Closed
lukesteensen opened this issue Jan 30, 2020 · 1 comment · Fixed by #3017
Assignees
Labels
domain: security (Anything related to security); have: should (We should have this feature, but it is not required. It is medium priority.); source: vector (Anything `vector` source related); type: tech debt (A code change that does not add user value.)

Comments

@lukesteensen (Member)

https://rustsec.org/advisories/RUSTSEC-2020-0002.html

The version of prost we're using is vulnerable to stack overflows when parsing untrusted inputs. The most likely impact for users is the possibility for denial of service on any public-facing vector sources. I don't imagine this is a common scenario, but we should upgrade nonetheless.

The biggest hurdle here is that the new version of prost pulls in a new version of bytes, which we use widely. Due to other dependencies that will likely remain on the current version of bytes for some time, we'll need a plan for them to cohabitate.
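The stack-overflow class described in the comment above, as an added example that is not code from prost or from Vector: a minimal recursive decoder for protobuf-style length-delimited (wire type 2) submessages with the kind of recursion limit that prost 0.6.1 introduced, so a deeply nested untrusted input is rejected with an error instead of recursing until the stack is exhausted. `RECURSION_LIMIT`, `decode_nested`, `read_varint` and the constructed `nested_message` input are assumptions of this example, not prost's API.

```rust
// Added example (not prost or Vector code). Wire format assumed: each field is a
// varint key (field_number << 3 | wire_type); only wire type 2 (an embedded
// message) is accepted and descended into, every other wire type is rejected.
const RECURSION_LIMIT: u32 = 100; // prost's default limit is also 100

#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, RecursionLimit, BadWireType(u8) }

fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, DecodeError> {
    let mut value = 0u64;
    for shift in (0..64).step_by(7) {
        let b = *buf.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        value |= u64::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Ok(value); }
    }
    Err(DecodeError::Truncated)
}

/// Decodes `buf` at nesting level `depth`; returns the deepest level reached.
/// The depth check is the mitigation: without it, attacker-controlled nesting
/// turns into attacker-controlled recursion depth and a stack overflow.
pub fn decode_nested(buf: &[u8], depth: u32) -> Result<u32, DecodeError> {
    if depth >= RECURSION_LIMIT { return Err(DecodeError::RecursionLimit); }
    let mut pos = 0;
    let mut max_depth = depth;
    while pos < buf.len() {
        let key = read_varint(buf, &mut pos)?;
        let wire_type = (key & 7) as u8;
        if wire_type != 2 { return Err(DecodeError::BadWireType(wire_type)); }
        let len = read_varint(buf, &mut pos)? as usize;
        let end = pos.checked_add(len).filter(|&e| e <= buf.len()).ok_or(DecodeError::Truncated)?;
        max_depth = max_depth.max(decode_nested(&buf[pos..end], depth + 1)?);
        pos = end;
    }
    Ok(max_depth)
}

/// Constructed test input: `levels` empty messages nested in field 1.
pub fn nested_message(levels: usize) -> Vec<u8> {
    let mut msg = Vec::new();
    for _ in 0..levels {
        let mut outer = vec![0x0a]; // key: field 1, wire type 2
        let mut len = msg.len();
        loop { // LEB128 length prefix
            let b = (len & 0x7f) as u8;
            len >>= 7;
            if len == 0 { outer.push(b); break; } else { outer.push(b | 0x80); }
        }
        outer.extend_from_slice(&msg);
        msg = outer;
    }
    msg
}
```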

@lukesteensen added the labels `type: tech debt`, `source: vector` and `domain: security` on Jan 30, 2020
@binarylogic binarylogic added this to the Tech-debt payment #1: Move to Tokio 0.2/Futures 0.3 milestone Feb 22, 2020
@binarylogic (Contributor)

This is part of our larger dependency upgrade plan and will be at the tail end. This specific security advisory is not applicable to Vector so we are not changing priority.

@binarylogic added the `have: should` label on May 26, 2020
@fanatid fanatid self-assigned this Jul 10, 2020
@binarylogic binarylogic removed this from the Tech-Debt Payment #1: Move to Tokio 0.2/Futures 0.3 milestone Jul 20, 2020
4 participants