Bug #18766: Security vulnerability in arc-swap - Rudder - Issue Tracker

Actions

Copy link

Bug #18766

closed

Security vulnerability in arc-swap

Added by Alexis Mousset over 3 years ago. Updated about 3 years ago.

Status:

Released

Priority:

N/A

Assignee:

Gaëtan POBLON

Category:

Relay server or API

Target version:

6.1.8

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

error[A001]: Dangling reference in `access::Map` with Constant
  ┌─ /home/amousset/projects/rudder/relay/sources/relayd/Cargo.lock:3:1
  │
3 │ arc-swap 0.4.6 registry+https://github.com/rust-lang/crates.io-index
  │ -------------------------------------------------------------------- security vulnerability detected
  │
  = ID: RUSTSEC-2020-0091
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0091
  = Using the `arc_swap::access::Map` with the `Constant` test helper (or with
    user-provided implementation of the `Access` trait) could sometimes lead to the
    map returning dangling references.

    Replaced by implementation without `unsafe`, at the cost of added `Clone` bound
    on the closure and small penalty on performance.
  = Announcement: https://github.com/vorner/arc-swap/issues/45
  = Solution: Upgrade to >=1.1.0 OR >=0.4.8
  = arc-swap v0.4.6
    └── signal-hook-registry v1.2.0
        └── tokio-signal v0.2.9
            ├── relayd v0.0.0-dev
            └── tokio-process v0.2.5
                └── relayd v0.0.0-dev (*)

only present on 6.1.