Bug #19833
Data race in crossbeam-deque (closed)
Status: Released
Priority: N/A
Assignee:
Category: Relay server or API
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:
Description
[2021-08-22T16:36:46.604Z] error[A001]: Data race in crossbeam-deque
[2021-08-22T16:36:46.604Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_6.1/relay/sources/relayd/Cargo.lock:37:1
[2021-08-22T16:36:46.604Z]    │
[2021-08-22T16:36:46.604Z] 37 │ crossbeam-deque 0.7.3 registry+https://github.com/rust-lang/crates.io-index
[2021-08-22T16:36:46.604Z]    │ --------------------------------------------------------------------------- security vulnerability detected
[2021-08-22T16:36:46.604Z]    │
[2021-08-22T16:36:46.604Z]    = ID: RUSTSEC-2021-0093
[2021-08-22T16:36:46.604Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0093
[2021-08-22T16:36:46.604Z]    = In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
[2021-08-22T16:36:46.604Z]
[2021-08-22T16:36:46.604Z]      Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.
[2021-08-22T16:36:46.604Z]
[2021-08-22T16:36:46.604Z]      Credits to @kmaork for discovering, reporting and fixing the bug.
[2021-08-22T16:36:46.605Z]    = Announcement: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
[2021-08-22T16:36:46.605Z]    = Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
[2021-08-22T16:36:46.605Z]    = crossbeam-deque v0.7.3
[2021-08-22T16:36:46.605Z]      ├── rayon v1.3.0
[2021-08-22T16:36:46.605Z]      │   └── criterion v0.3.2
[2021-08-22T16:36:46.605Z]      │       └── (dev) relayd v0.0.0-dev
[2021-08-22T16:36:46.605Z]      ├── rayon-core v1.7.0
[2021-08-22T16:36:46.605Z]      │   └── rayon v1.3.0 (*)
[2021-08-22T16:36:46.605Z]      └── tokio-threadpool v0.1.18
[2021-08-22T16:36:46.605Z]          ├── hyper v0.12.36
[2021-08-22T16:36:46.605Z]          │   ├── hyper-tls v0.3.2
[2021-08-22T16:36:46.605Z]          │   │   └── reqwest v0.9.24
[2021-08-22T16:36:46.605Z]          │   │       └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22
[2021-08-22T16:36:46.605Z]          │       └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          ├── tokio v0.1.22
[2021-08-22T16:36:46.605Z]          │   ├── hyper v0.12.36 (*)
[2021-08-22T16:36:46.605Z]          │   ├── inotify v0.7.0
[2021-08-22T16:36:46.605Z]          │   │   └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22 (*)
[2021-08-22T16:36:46.605Z]          ├── tokio-fs v0.1.7
[2021-08-22T16:36:46.605Z]          │   └── tokio v0.1.22 (*)
[2021-08-22T16:36:46.605Z]          └── warp v0.1.22 (*)
Updated by Alexis Mousset over 3 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset over 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder/pull/3842
Updated by Alexis Mousset over 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|2d8f586214c6a3d8ece1ab711bf8cf7212c79f8a.
Updated by Vincent MEMBRÉ over 3 years ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ over 3 years ago
This bug has been fixed in Rudder 6.1.16 and 6.2.10 which were released today.
Updated by Alexis Mousset over 2 years ago
- Target version changed from 6.1.16 to 6.2.16
Updated by Alexis Mousset over 2 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.2.16, 7.0.5 and 7.1.3 which were released today.