http://bugzilla.opensuse.org/show_bug.cgi?id=1188022

Bug ID: 1188022
Summary: mozilla:Factory/mozjs78: cargo audit, may need to update and re-vendor
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: wolfgang@rosenauer.org
Reporter: william.brown@suse.com
QA Contact: screening-team-bugs@suse.de
Found By: ---
Blocker: ---

Hi there,

I've recently started a project to scan rust projects with cargo-audit for potential known security issues. The following was found in mozjs78:

* RUSTSEC-2021-0067 -> crate: cranelift-codegen, cvss: None, class: ['code-execution', 'memory-corruption', 'memory-exposure']
* RUSTSEC-2020-0060 -> crate: futures-task, cvss: None, class: ['code-execution', 'memory-corruption']
* RUSTSEC-2020-0061 -> crate: futures-task, cvss: None, class: ['denial-of-service']
* RUSTSEC-2020-0059 -> crate: futures-util, cvss: None, class: ['thread-safety']
* RUSTSEC-2020-0146 -> crate: generic-array, cvss: None, class: ['memory-corruption']
* RUSTSEC-2021-0020 -> crate: hyper, cvss: None, class: ['format-injection']
* RUSTSEC-2020-0004 -> crate: lucet-runtime-internals, cvss: None, class: ['memory-corruption', 'memory-exposure']
* RUSTSEC-2020-0082 -> crate: ordered-float, cvss: None, class: []
* RUSTSEC-2021-0013 -> crate: raw-cpuid, cvss: None, class: ['memory-corruption', 'denial-of-service']
* RUSTSEC-2021-0003 -> crate: smallvec, cvss: None, class: ['memory-corruption']
* RUSTSEC-2020-0043 -> crate: ws, cvss: None, class: ['denial-of-service']

Most of these should be able to be resolved with "cargo update" and re-vendoring your vendor.tar. Alternatively, upstream may have released updates to their Cargo.toml/Cargo.lock that may resolve these on an update.

It would be great if you could have a look at these!
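The report above was produced by a scanner that wraps cargo-audit. The script below is an added example of how such a summary can be generated from `cargo audit --json` output and, more usefully for a packager, how to tell which findings `cargo update` plus re-vendoring can clear. It is not the reporter's scanner and not part of the bug. It assumes the JSON layout cargo-audit emits (a top-level `vulnerabilities` object whose `list` entries carry an `advisory` with `id`, `package`, `cvss` and `categories`, and a `versions.patched` list); the embedded report is constructed for the demo and reuses three advisory ids from the bug with made-up version data.

```python
"""Summarise cargo-audit JSON and triage findings by whether a fixed release exists.

Added example, not the reporter's tool. Field names follow the layout of
`cargo audit --json` as the author understands it (assumption); the sample
report below is constructed and its version strings are placeholders.
"""
from __future__ import annotations

import json
from typing import Any

# Advisory classes that usually warrant priority handling in a packaged engine
# such as mozjs78 (these are cargo-audit/RustSec category names).
HIGH_RISK_CLASSES = {"code-execution", "memory-corruption", "memory-exposure"}

# Constructed sample in the shape of `cargo audit --json`. Advisory ids are
# taken from the bug report; versions and patched ranges are invented.
SAMPLE_REPORT_JSON = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 3,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-2021-0003", "package": "smallvec",
                             "cvss": None, "categories": ["memory-corruption"]},
                "package": {"name": "smallvec", "version": "1.0.0"},      # constructed
                "versions": {"patched": [">=1.0.1"], "unaffected": []},   # constructed
            },
            {
                "advisory": {"id": "RUSTSEC-2020-0082", "package": "ordered-float",
                             "cvss": None, "categories": []},
                "package": {"name": "ordered-float", "version": "1.0.0"},  # constructed
                "versions": {"patched": [">=1.0.1"], "unaffected": []},    # constructed
            },
            {
                "advisory": {"id": "RUSTSEC-2020-0043", "package": "ws",
                             "cvss": None, "categories": ["denial-of-service"]},
                "package": {"name": "ws", "version": "0.9.0"},             # constructed
                # No patched range: `cargo update` alone cannot resolve this one.
                "versions": {"patched": [], "unaffected": []},
            },
        ],
    }
})


def parse_audit_report(report_json: str) -> list[dict[str, Any]]:
    """Flatten the cargo-audit report into one record per finding."""
    report = json.loads(report_json)
    findings = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        adv = entry["advisory"]
        findings.append({
            "id": adv["id"],
            "crate": adv["package"],
            "version": entry.get("package", {}).get("version"),
            "cvss": adv.get("cvss"),
            "classes": list(adv.get("categories", [])),
            "patched": list(entry.get("versions", {}).get("patched", [])),
        })
    return findings


def format_finding(finding: dict[str, Any]) -> str:
    """Render one finding in the same one-line form the bug report uses."""
    return (f"* {finding['id']} -> crate: {finding['crate']}, "
            f"cvss: {finding['cvss']}, class: {finding['classes']}")


def is_high_risk(finding: dict[str, Any]) -> bool:
    """True when any advisory class is in the high-risk set."""
    return bool(HIGH_RISK_CLASSES & set(finding["classes"]))


def triage(findings: list[dict[str, Any]]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
    """Split findings into those with a patched release and those without.

    Findings with a patched range should clear after `cargo update` and
    re-vendoring; the rest need a replacement crate or an upstream change,
    so they are the ones to call out explicitly in a bug report.
    """
    updatable = [f for f in findings if f["patched"]]
    stuck = [f for f in findings if not f["patched"]]
    return updatable, stuck


if __name__ == "__main__":
    found = parse_audit_report(SAMPLE_REPORT_JSON)
    for f in found:
        flag = " [high risk]" if is_high_risk(f) else ""
        print(format_finding(f) + flag)
    updatable, stuck = triage(found)
    print(f"\n{len(updatable)} fixable via cargo update, {len(stuck)} need other action:")
    for f in stuck:
        print(f"  {f['id']} ({f['crate']} {f['version']}): no patched release listed")
```

In a packaging workflow the report would come from `cargo audit --json` run against the vendored `Cargo.lock`; piping that into `parse_audit_report` and then `triage` gives the packager the two lists that matter: what a re-vendor will fix, and what needs an upstream conversation.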