Actions
Bug #19833
closed
Data race in crossbeam-deque
Status:
Released
Priority:
N/A
Assignee:
Category:
Relay server or API
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
Description
error[A001]: Data race in crossbeam-deque [2021-08-22T16:36:46.604Z] ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_6.1/relay/sources/relayd/Cargo.lock:37:1 [2021-08-22T16:36:46.604Z] │ [2021-08-22T16:36:46.604Z] 37 │ crossbeam-deque 0.7.3 registry+https://github.com/rust-lang/crates.io-index [2021-08-22T16:36:46.604Z] │ --------------------------------------------------------------------------- security vulnerability detected [2021-08-22T16:36:46.604Z] │ [2021-08-22T16:36:46.604Z] = ID: RUSTSEC-2021-0093 [2021-08-22T16:36:46.604Z] = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0093 [2021-08-22T16:36:46.604Z] = In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. [2021-08-22T16:36:46.604Z] [2021-08-22T16:36:46.604Z] Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. [2021-08-22T16:36:46.604Z] [2021-08-22T16:36:46.604Z] Credits to @kmaork for discovering, reporting and fixing the bug. [2021-08-22T16:36:46.605Z] = Announcement: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw [2021-08-22T16:36:46.605Z] = Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1 [2021-08-22T16:36:46.605Z] = crossbeam-deque v0.7.3 [2021-08-22T16:36:46.605Z] ├── rayon v1.3.0 [2021-08-22T16:36:46.605Z] │ └── criterion v0.3.2 [2021-08-22T16:36:46.605Z] │ └── (dev) relayd v0.0.0-dev [2021-08-22T16:36:46.605Z] ├── rayon-core v1.7.0 [2021-08-22T16:36:46.605Z] │ └── rayon v1.3.0 (*) [2021-08-22T16:36:46.605Z] └── tokio-threadpool v0.1.18 [2021-08-22T16:36:46.605Z] ├── hyper v0.12.36 [2021-08-22T16:36:46.605Z] │ ├── hyper-tls v0.3.2 [2021-08-22T16:36:46.605Z] │ │ └── reqwest v0.9.24 [2021-08-22T16:36:46.605Z] │ │ └── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] │ ├── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] │ ├── reqwest v0.9.24 (*) [2021-08-22T16:36:46.605Z] │ └── warp v0.1.22 [2021-08-22T16:36:46.605Z] │ └── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] ├── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] ├── reqwest v0.9.24 (*) [2021-08-22T16:36:46.605Z] ├── tokio v0.1.22 [2021-08-22T16:36:46.605Z] │ ├── hyper v0.12.36 (*) [2021-08-22T16:36:46.605Z] │ ├── inotify v0.7.0 [2021-08-22T16:36:46.605Z] │ │ └── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] │ ├── relayd v0.0.0-dev (*) [2021-08-22T16:36:46.605Z] │ ├── reqwest v0.9.24 (*) [2021-08-22T16:36:46.605Z] │ └── warp v0.1.22 (*) [2021-08-22T16:36:46.605Z] ├── tokio-fs v0.1.7 [2021-08-22T16:36:46.605Z] │ └── tokio v0.1.22 (*) [2021-08-22T16:36:46.605Z] └── warp v0.1.22 (*)
Updated by 
Updated by
Actions