Project

General

Profile

Actions

Bug #18766

closed

Security vulnerability in arc-swap

Added by Alexis Mousset about 4 years ago. Updated almost 4 years ago.

Status:
Released
Priority:
N/A
Assignee:
Gaëtan POBLON
Category:
Relay server or API
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

error[A001]: Dangling reference in `access::Map` with Constant
  ┌─ /home/amousset/projects/rudder/relay/sources/relayd/Cargo.lock:3:1
  │
3 │ arc-swap 0.4.6 registry+https://github.com/rust-lang/crates.io-index
  │ -------------------------------------------------------------------- security vulnerability detected
  │
  = ID: RUSTSEC-2020-0091
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0091
  = Using the `arc_swap::access::Map` with the `Constant` test helper (or with
    user-provided implementation of the `Access` trait) could sometimes lead to the
    map returning dangling references.

    Replaced by implementation without `unsafe`, at the cost of added `Clone` bound
    on the closure and small penalty on performance.
  = Announcement: https://github.com/vorner/arc-swap/issues/45
  = Solution: Upgrade to >=1.1.0 OR >=0.4.8
  = arc-swap v0.4.6
    └── signal-hook-registry v1.2.0
        └── tokio-signal v0.2.9
            ├── relayd v0.0.0-dev
            └── tokio-process v0.2.5
                └── relayd v0.0.0-dev (*)

only present on 6.1.

Actions #1

Updated by Alexis Mousset about 4 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset about 4 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/3446
Actions #3

Updated by Alexis Mousset about 4 years ago

  • Assignee changed from Benoît PECCATTE to Gaëtan POBLON
Actions #4

Updated by Alexis Mousset about 4 years ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by Alexis Mousset almost 4 years ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Vincent MEMBRÉ almost 4 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.1.8 and 6.2.1 which were released today.

Actions

Also available in: Atom PDF