Bug #18824
Updated by Alexis Mousset almost 4 years ago
<pre>
07:42:46 cargo deny check
07:42:47 error[A001]: Buffer overflow in SmallVec::insert_many
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:186:1
07:42:47 │
07:42:47 186 │ smallvec 0.6.13 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ --------------------------------------------------------------------- security vulnerability detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2021-0003
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0003
07:42:47 = A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.
07:42:47
07:42:47 This bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.
07:42:47
07:42:47 The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.
07:42:47
07:42:47 Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.
07:42:47 = Announcement: https://github.com/servo/rust-smallvec/issues/252
07:42:47 = Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
07:42:47 = smallvec v0.6.13
07:42:47 └── parking_lot_core v0.6.2
07:42:47 └── parking_lot v0.9.0
07:42:47 └── tokio-reactor v0.1.12
07:42:47 ├── hyper v0.12.35
07:42:47 │ ├── hyper-tls v0.3.2
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── inotify v0.7.0
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── tokio v0.1.22
07:42:47 │ ├── hyper v0.12.35 (*)
07:42:47 │ ├── inotify v0.7.0 (*)
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22 (*)
07:42:47 ├── tokio-process v0.2.5
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── tokio-signal v0.2.9
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ └── tokio-process v0.2.5 (*)
07:42:47 ├── tokio-tcp v0.1.4
07:42:47 │ ├── hyper v0.12.35 (*)
07:42:47 │ └── tokio v0.1.22 (*)
07:42:47 ├── tokio-udp v0.1.6
07:42:47 │ └── tokio v0.1.22 (*)
07:42:47 └── tokio-uds v0.2.6
07:42:47 └── tokio v0.1.22 (*)
07:42:47
07:42:47 error[A001]: Buffer overflow in SmallVec::insert_many
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:187:1
07:42:47 │
07:42:47 187 │ smallvec 1.4.0 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ -------------------------------------------------------------------- security vulnerability detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2021-0003
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0003
07:42:47 = A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.
07:42:47
07:42:47 This bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.
07:42:47
07:42:47 The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.
07:42:47
07:42:47 Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.
07:42:47 = Announcement: https://github.com/servo/rust-smallvec/issues/252
07:42:47 = Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
07:42:47 = smallvec v1.4.0
07:42:47 ├── parking_lot_core v0.7.2
07:42:47 │ └── parking_lot v0.10.2
07:42:47 │ ├── r2d2 v0.8.8
07:42:47 │ │ └── diesel v1.4.5
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ └── scheduled-thread-pool v0.2.4
07:42:47 │ └── r2d2 v0.8.8 (*)
07:42:47 └── unicode-normalization v0.1.12
07:42:47 ├── idna v0.1.5
07:42:47 │ ├── cookie_store v0.7.0
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ └── url v1.7.2
07:42:47 │ ├── cookie v0.12.0
07:42:47 │ │ ├── cookie_store v0.7.0 (*)
07:42:47 │ │ └── reqwest v0.9.24 (*)
07:42:47 │ ├── cookie_store v0.7.0 (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── serde_urlencoded v0.5.5
07:42:47 │ └── reqwest v0.9.24 (*)
07:42:47 └── idna v0.2.0
07:42:47 ├── publicsuffix v1.5.4
07:42:47 │ └── cookie_store v0.7.0 (*)
07:42:47 └── url v2.1.1
07:42:47 ├── publicsuffix v1.5.4 (*)
07:42:47 └── serde_urlencoded v0.6.1
07:42:47 └── warp v0.1.22
07:42:47 └── relayd v0.0.0-dev (*)
07:42:47
07:42:47 warning[A003]: failure is officially deprecated/unmaintained
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:51:1
07:42:47 │
07:42:47 51 │ failure 0.1.8 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ ------------------------------------------------------------------- unmaintained advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0036
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0036
07:42:47 = The `failure` crate is officially end-of-life: it has been marked as deprecated
07:42:47 by the former maintainer, who has announced that there will be no updates or
07:42:47 maintenance work on it going forward.
07:42:47
07:42:47 The following are some suggested actively developed alternatives to switch to:
07:42:47
07:42:47 - [`anyhow`](https://crates.io/crates/anyhow)
07:42:47 - [`eyre`](https://crates.io/crates/eyre)
07:42:47 - [`fehler`](https://crates.io/crates/fehler)
07:42:47 - [`snafu`](https://crates.io/crates/snafu)
07:42:47 - [`thiserror`](https://crates.io/crates/thiserror)
07:42:47 = Announcement: https://github.com/rust-lang-nursery/failure/pull/347
07:42:47 = Solution: No safe upgrade is available!
07:42:47 = failure v0.1.8
07:42:47 └── cookie_store v0.7.0
07:42:47 └── reqwest v0.9.24
07:42:47 └── relayd v0.0.0-dev
07:42:47
07:42:47 warning[A003]: `net2` crate has been deprecated; use `socket2` instead
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:109:1
07:42:47 │
07:42:47 109 │ net2 0.2.34 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ ----------------------------------------------------------------- unmaintained advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0016
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0016
07:42:47 = The [`net2`](https://crates.io/crates/net2) crate has been deprecated
07:42:47 and users are encouraged to considered [`socket2`](https://crates.io/crates/socket2) instead.
07:42:47 = Announcement: https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
07:42:47 = Solution: No safe upgrade is available!
07:42:47 = net2 v0.2.34
07:42:47 ├── hyper v0.12.35
07:42:47 │ ├── hyper-tls v0.3.2
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── mio v0.6.22
07:42:47 │ ├── inotify v0.7.0
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── mio-named-pipes v0.1.6
07:42:47 │ │ └── tokio-process v0.2.5
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── mio-uds v0.6.8
07:42:47 │ │ ├── tokio-signal v0.2.9
07:42:47 │ │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ │ └── tokio-process v0.2.5 (*)
07:42:47 │ │ └── tokio-uds v0.2.6
07:42:47 │ │ └── tokio v0.1.22
07:42:47 │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ ├── inotify v0.7.0 (*)
07:42:47 │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ ├── reqwest v0.9.24 (*)
07:42:47 │ │ └── warp v0.1.22 (*)
07:42:47 │ ├── tokio v0.1.22 (*)
07:42:47 │ ├── tokio-process v0.2.5 (*)
07:42:47 │ ├── tokio-reactor v0.1.12
07:42:47 │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ ├── inotify v0.7.0 (*)
07:42:47 │ │ ├── tokio v0.1.22 (*)
07:42:47 │ │ ├── tokio-process v0.2.5 (*)
07:42:47 │ │ ├── tokio-signal v0.2.9 (*)
07:42:47 │ │ ├── tokio-tcp v0.1.4
07:42:47 │ │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ │ └── tokio v0.1.22 (*)
07:42:47 │ │ ├── tokio-udp v0.1.6
07:42:47 │ │ │ └── tokio v0.1.22 (*)
07:42:47 │ │ └── tokio-uds v0.2.6 (*)
07:42:47 │ ├── tokio-signal v0.2.9 (*)
07:42:47 │ ├── tokio-tcp v0.1.4 (*)
07:42:47 │ ├── tokio-udp v0.1.6 (*)
07:42:47 │ └── tokio-uds v0.2.6 (*)
07:42:47 └── miow v0.2.1
07:42:47 └── mio v0.6.22 (*)
07:42:47
07:42:47 warning[A004]: Type confusion if __private_get_type_id__ is overriden
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:51:1
07:42:47 │
07:42:47 51 │ failure 0.1.8 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ ------------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2019-0036
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0036
07:42:47 = Safe Rust code can implement malfunctioning `__private_get_type_id__` and cause
07:42:47 type confusion when downcasting, which is an undefined behavior.
07:42:47
07:42:47 Users who derive `Fail` trait are not affected.
07:42:47 = Announcement: https://github.com/rust-lang-nursery/failure/issues/336
07:42:47 = Solution: No safe upgrade is available!
07:42:47 = failure v0.1.8
07:42:47 └── cookie_store v0.7.0
07:42:47 └── reqwest v0.9.24
07:42:47 └── relayd v0.0.0-dev
07:42:47
07:42:47 warning[A004]: Some lock_api lock guard objects can cause data races
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:92:1
07:42:47 │
07:42:47 92 │ lock_api 0.3.4 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ -------------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0070
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0070
07:42:47 = Affected versions of lock_api had unsound implementations of the `Send` or
07:42:47 `Sync` traits for some guard objects, namely:
07:42:47
07:42:47 * MappedMutexGuard
07:42:47 * MappedRwLockReadGuard
07:42:47 * MappedRwLockWriteGuard
07:42:47 * RwLockReadGuard
07:42:47 * RwLockWriteGuard
07:42:47
07:42:47 These guards could allow data races through types that are not safe to `Send`
07:42:47 across thread boundaries in safe Rust code.
07:42:47
07:42:47 This issue was fixed by changing the trait bounds on the `Mapped` guard types
07:42:47 and removing the `Sync` trait for the `RwLock` guards.
07:42:47 = Announcement: https://github.com/Amanieu/parking_lot/pull/262
07:42:47 = Solution: Upgrade to >=0.4.2
07:42:47 = lock_api v0.3.4
07:42:47 ├── parking_lot v0.10.2
07:42:47 │ ├── r2d2 v0.8.8
07:42:47 │ │ └── diesel v1.4.5
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ └── scheduled-thread-pool v0.2.4
07:42:47 │ └── r2d2 v0.8.8 (*)
07:42:47 └── parking_lot v0.9.0
07:42:47 └── tokio-reactor v0.1.12
07:42:47 ├── hyper v0.12.35
07:42:47 │ ├── hyper-tls v0.3.2
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── inotify v0.7.0
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── tokio v0.1.22
07:42:47 │ ├── hyper v0.12.35 (*)
07:42:47 │ ├── inotify v0.7.0 (*)
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22 (*)
07:42:47 ├── tokio-process v0.2.5
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── tokio-signal v0.2.9
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ └── tokio-process v0.2.5 (*)
07:42:47 ├── tokio-tcp v0.1.4
07:42:47 │ ├── hyper v0.12.35 (*)
07:42:47 │ └── tokio v0.1.22 (*)
07:42:47 ├── tokio-udp v0.1.6
07:42:47 │ └── tokio v0.1.22 (*)
07:42:47 └── tokio-uds v0.2.6
07:42:47 └── tokio v0.1.22 (*)
07:42:47
07:42:47 warning[A004]: `miow` invalidly assumes the memory layout of std::net::SocketAddr
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:106:1
07:42:47 │
07:42:47 106 │ miow 0.2.1 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ ---------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0080
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0080
07:42:47 = The [`miow`](https://crates.io/crates/miow) crate has assumed `std::net::SocketAddrV4`
07:42:47 and `std::net::SocketAddrV6` have the same memory layout as the system C representation
07:42:47 `sockaddr`. It has simply casted the pointers to convert the socket addresses to the
07:42:47 system representation. The standard library does not say anything about the memory
07:42:47 layout, and this will cause invalid memory access if the standard library
07:42:47 changes the implementation. No warnings or errors will be emitted once the
07:42:47 change happens.
07:42:47 = Announcement: https://github.com/yoshuawuyts/miow/issues/38
07:42:47 = Solution: Upgrade to >=0.2.2 OR >=0.3.6
07:42:47 = miow v0.2.1
07:42:47 └── mio v0.6.22
07:42:47 ├── inotify v0.7.0
07:42:47 │ └── relayd v0.0.0-dev
07:42:47 ├── mio-named-pipes v0.1.6
07:42:47 │ └── tokio-process v0.2.5
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── mio-uds v0.6.8
07:42:47 │ ├── tokio-signal v0.2.9
07:42:47 │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ └── tokio-process v0.2.5 (*)
07:42:47 │ └── tokio-uds v0.2.6
07:42:47 │ └── tokio v0.1.22
07:42:47 │ ├── hyper v0.12.35
07:42:47 │ │ ├── hyper-tls v0.3.2
07:42:47 │ │ │ └── reqwest v0.9.24
07:42:47 │ │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ ├── reqwest v0.9.24 (*)
07:42:47 │ │ └── warp v0.1.22
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── inotify v0.7.0 (*)
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22 (*)
07:42:47 ├── tokio v0.1.22 (*)
07:42:47 ├── tokio-process v0.2.5 (*)
07:42:47 ├── tokio-reactor v0.1.12
07:42:47 │ ├── hyper v0.12.35 (*)
07:42:47 │ ├── inotify v0.7.0 (*)
07:42:47 │ ├── tokio v0.1.22 (*)
07:42:47 │ ├── tokio-process v0.2.5 (*)
07:42:47 │ ├── tokio-signal v0.2.9 (*)
07:42:47 │ ├── tokio-tcp v0.1.4
07:42:47 │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ └── tokio v0.1.22 (*)
07:42:47 │ ├── tokio-udp v0.1.6
07:42:47 │ │ └── tokio v0.1.22 (*)
07:42:47 │ └── tokio-uds v0.2.6 (*)
07:42:47 ├── tokio-signal v0.2.9 (*)
07:42:47 ├── tokio-tcp v0.1.4 (*)
07:42:47 ├── tokio-udp v0.1.6 (*)
07:42:47 └── tokio-uds v0.2.6 (*)
07:42:47
07:42:47 warning[A004]: `net2` invalidly assumes the memory layout of std::net::SocketAddr
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:109:1
07:42:47 │
07:42:47 109 │ net2 0.2.34 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ ----------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0078
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0078
07:42:47 = The [`net2`](https://crates.io/crates/net2) crate has assumed `std::net::SocketAddrV4`
07:42:47 and `std::net::SocketAddrV6` have the same memory layout as the system C representation
07:42:47 `sockaddr`. It has simply casted the pointers to convert the socket addresess to the
07:42:47 system representation. The standard library does not say anything about the memory
07:42:47 layout, and this will cause invalid memory access if the standard library
07:42:47 changes the implementation. No warnings or errors will be emitted once the
07:42:47 change happens.
07:42:47 = Announcement: https://github.com/deprecrated/net2-rs/issues/105
07:42:47 = Solution: Upgrade to >=0.2.36
07:42:47 = net2 v0.2.34
07:42:47 ├── hyper v0.12.35
07:42:47 │ ├── hyper-tls v0.3.2
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ ├── relayd v0.0.0-dev (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── warp v0.1.22
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── mio v0.6.22
07:42:47 │ ├── inotify v0.7.0
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── mio-named-pipes v0.1.6
07:42:47 │ │ └── tokio-process v0.2.5
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ ├── mio-uds v0.6.8
07:42:47 │ │ ├── tokio-signal v0.2.9
07:42:47 │ │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ │ └── tokio-process v0.2.5 (*)
07:42:47 │ │ └── tokio-uds v0.2.6
07:42:47 │ │ └── tokio v0.1.22
07:42:47 │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ ├── inotify v0.7.0 (*)
07:42:47 │ │ ├── relayd v0.0.0-dev (*)
07:42:47 │ │ ├── reqwest v0.9.24 (*)
07:42:47 │ │ └── warp v0.1.22 (*)
07:42:47 │ ├── tokio v0.1.22 (*)
07:42:47 │ ├── tokio-process v0.2.5 (*)
07:42:47 │ ├── tokio-reactor v0.1.12
07:42:47 │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ ├── inotify v0.7.0 (*)
07:42:47 │ │ ├── tokio v0.1.22 (*)
07:42:47 │ │ ├── tokio-process v0.2.5 (*)
07:42:47 │ │ ├── tokio-signal v0.2.9 (*)
07:42:47 │ │ ├── tokio-tcp v0.1.4
07:42:47 │ │ │ ├── hyper v0.12.35 (*)
07:42:47 │ │ │ └── tokio v0.1.22 (*)
07:42:47 │ │ ├── tokio-udp v0.1.6
07:42:47 │ │ │ └── tokio v0.1.22 (*)
07:42:47 │ │ └── tokio-uds v0.2.6 (*)
07:42:47 │ ├── tokio-signal v0.2.9 (*)
07:42:47 │ ├── tokio-tcp v0.1.4 (*)
07:42:47 │ ├── tokio-udp v0.1.6 (*)
07:42:47 │ └── tokio-uds v0.2.6 (*)
07:42:47 └── miow v0.2.1
07:42:47 └── mio v0.6.22 (*)
07:42:47
07:42:47 warning[A004]: Unaligned memory access
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:144:1
07:42:47 │
07:42:47 144 │ rand_core 0.3.1 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ --------------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2019-0035
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0035
07:42:47 = Affected versions of this crate violated alignment when casting byte slices to
07:42:47 integer slices, resulting in undefined behavior.
07:42:47
07:42:47 The flaw was corrected by Ralf Jung and Diggory Hardy.
07:42:47 = Announcement: https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06
07:42:47 = Solution: Upgrade to >=0.4.2
07:42:47 = rand_core v0.3.1
07:42:47 ├── rand_chacha v0.1.1
07:42:47 │ ├── proptest v0.9.6
07:42:47 │ │ └── (dev) relayd v0.0.0-dev
07:42:47 │ └── rand v0.6.5
07:42:47 │ ├── proptest v0.9.6 (*)
07:42:47 │ └── uuid v0.7.4
07:42:47 │ └── reqwest v0.9.24
07:42:47 │ └── relayd v0.0.0-dev (*)
07:42:47 ├── rand_hc v0.1.0
07:42:47 │ └── rand v0.6.5 (*)
07:42:47 ├── rand_isaac v0.1.1
07:42:47 │ └── rand v0.6.5 (*)
07:42:47 ├── rand_xorshift v0.1.1
07:42:47 │ ├── proptest v0.9.6 (*)
07:42:47 │ └── rand v0.6.5 (*)
07:42:47 └── rdrand v0.4.0
07:42:47 └── rand_os v0.1.3
07:42:47 └── rand v0.6.5 (*)
07:42:47
07:42:47 warning[A004]: `socket2` invalidly assumes the memory layout of std::net::SocketAddr
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:188:1
07:42:47 │
07:42:47 188 │ socket2 0.3.12 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ -------------------------------------------------------------------- unsound advisory detected
07:42:47 │
07:42:47 = ID: RUSTSEC-2020-0079
07:42:47 = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0079
07:42:47 = The [`socket2`](https://crates.io/crates/socket2) crate has assumed `std::net::SocketAddrV4`
07:42:47 and `std::net::SocketAddrV6` have the same memory layout as the system C representation
07:42:47 `sockaddr`. It has simply casted the pointers to convert the socket addresses to the
07:42:47 system representation. The standard library does not say anything about the memory
07:42:47 layout, and this will cause invalid memory access if the standard library
07:42:47 changes the implementation. No warnings or errors will be emitted once the
07:42:47 change happens.
07:42:47 = Announcement: https://github.com/rust-lang/socket2-rs/issues/119
07:42:47 = Solution: Upgrade to >=0.3.16
07:42:47 = socket2 v0.3.12
07:42:47 └── miow v0.3.3
07:42:47 └── mio-named-pipes v0.1.6
07:42:47 └── tokio-process v0.2.5
07:42:47 └── relayd v0.0.0-dev
07:42:47
07:42:47 warning[A005]: detected yanked crate
07:42:47 ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:187:1
07:42:47 │
07:42:47 187 │ smallvec 1.4.0 registry+https://github.com/rust-lang/crates.io-index
07:42:47 │ -------------------------------------------------------------------- yanked version
07:42:47 │
07:42:47 = smallvec v1.4.0
07:42:47 ├── parking_lot_core v0.7.2
07:42:47 │ └── parking_lot v0.10.2
07:42:47 │ ├── r2d2 v0.8.8
07:42:47 │ │ └── diesel v1.4.5
07:42:47 │ │ └── relayd v0.0.0-dev
07:42:47 │ └── scheduled-thread-pool v0.2.4
07:42:47 │ └── r2d2 v0.8.8 (*)
07:42:47 └── unicode-normalization v0.1.12
07:42:47 ├── idna v0.1.5
07:42:47 │ ├── cookie_store v0.7.0
07:42:47 │ │ └── reqwest v0.9.24
07:42:47 │ │ └── relayd v0.0.0-dev (*)
07:42:47 │ └── url v1.7.2
07:42:47 │ ├── cookie v0.12.0
07:42:47 │ │ ├── cookie_store v0.7.0 (*)
07:42:47 │ │ └── reqwest v0.9.24 (*)
07:42:47 │ ├── cookie_store v0.7.0 (*)
07:42:47 │ ├── reqwest v0.9.24 (*)
07:42:47 │ └── serde_urlencoded v0.5.5
07:42:47 │ └── reqwest v0.9.24 (*)
07:42:47 └── idna v0.2.0
07:42:47 ├── publicsuffix v1.5.4
07:42:47 │ └── cookie_store v0.7.0 (*)
07:42:47 └── url v2.1.1
07:42:47 ├── publicsuffix v1.5.4 (*)
07:42:47 └── serde_urlencoded v0.6.1
07:42:47 └── warp v0.1.22
07:42:47 └── relayd v0.0.0-dev (*)
07:42:47
</pre>