Project

General

Profile

Actions
Copy link

Bug #18766

closed

Security vulnerability in arc-swap

Added by Alexis Mousset almost 4 years ago. Updated almost 4 years ago.

Status:
Released
Priority:
N/A
Assignee:
Gaëtan POBLON
Category:
Relay server or API
Target version:
6.1.8
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

error[A001]: Dangling reference in `access::Map` with Constant
  ┌─ /home/amousset/projects/rudder/relay/sources/relayd/Cargo.lock:3:1
  │
3 │ arc-swap 0.4.6 registry+https://github.com/rust-lang/crates.io-index
  │ -------------------------------------------------------------------- security vulnerability detected
  │
  = ID: RUSTSEC-2020-0091
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0091
  = Using the `arc_swap::access::Map` with the `Constant` test helper (or with
    user-provided implementation of the `Access` trait) could sometimes lead to the
    map returning dangling references.

    Replaced by implementation without `unsafe`, at the cost of added `Clone` bound
    on the closure and small penalty on performance.
  = Announcement: https://github.com/vorner/arc-swap/issues/45
  = Solution: Upgrade to >=1.1.0 OR >=0.4.8
  = arc-swap v0.4.6
    └── signal-hook-registry v1.2.0
        └── tokio-signal v0.2.9
            ├── relayd v0.0.0-dev
            └── tokio-process v0.2.5
                └── relayd v0.0.0-dev (*)

only present on 6.1.

Actions
Copy link

Also available in: Atom PDF