[Bug 1188023] New: GNOME:Apps/fractal:
http://bugzilla.opensuse.org/show_bug.cgi?id=1188023

            Bug ID: 1188023
           Summary: GNOME:Apps/fractal:
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: 3rd party software
          Assignee: os.gnome.maintainers@gmail.com
          Reporter: william.brown@suse.com
        QA Contact: screening-team-bugs@suse.de
          Found By: ---
           Blocker: ---

I've recently started a project to automatically scan for potential security issues in rust packages with cargo audit.

I noticed the following on fractal:

* RUSTSEC-2021-0026 -> crate: comrak, cvss: None, class: ['format-injection']
* RUSTSEC-2021-0063 -> crate: comrak, cvss: None, class: ['format-injection']
* RUSTSEC-2020-0060 -> crate: futures-task, cvss: None, class: ['code-execution', 'memory-corruption']
* RUSTSEC-2020-0059 -> crate: futures-util, cvss: None, class: ['thread-safety']
* RUSTSEC-2020-0146 -> crate: generic-array, cvss: None, class: ['memory-corruption']
* RUSTSEC-2021-0020 -> crate: hyper, cvss: None, class: ['format-injection']

Most of these should be able to be resolved with cargo update and re-vendoring the dependencies. Alternately upstream may have released a Cargo.toml/Cargo.lock with updates for this.

It would be great if you could look into updating and resolving these :)

Thank you!

-- more info
https://github.com/openSUSE/obs-service-cargo_audit/blob/main/README.md
https://en.opensuse.org/Packaging_Rust_Software

--
You are receiving this mail because:
You are on the CC list for the bug.
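The remediation suggested in the report above (cargo update, then re-vendor), sketched as an added example that is not part of the original mail or of the openSUSE tooling. The function names are hypothetical; the script groups the reported advisories by crate and prints the commands to run in the unpacked fractal source tree, assuming the plain cargo and cargo-audit CLIs are used.

```shell
#!/bin/sh
# Added example: turn cargo-audit summary lines in the format quoted in the
# report into a per-crate update plan.

# Findings as listed in the report.
FINDINGS="* RUSTSEC-2021-0026 -> crate: comrak, cvss: None, class: ['format-injection']
* RUSTSEC-2021-0063 -> crate: comrak, cvss: None, class: ['format-injection']
* RUSTSEC-2020-0060 -> crate: futures-task, cvss: None, class: ['code-execution', 'memory-corruption']
* RUSTSEC-2020-0059 -> crate: futures-util, cvss: None, class: ['thread-safety']
* RUSTSEC-2020-0146 -> crate: generic-array, cvss: None, class: ['memory-corruption']
* RUSTSEC-2021-0020 -> crate: hyper, cvss: None, class: ['format-injection']"

# Hypothetical helper: print "<crate> <id>[,<id>...]", one line per crate.
advisories_by_crate() {
    printf '%s\n' "$1" | awk '
        /RUSTSEC-[0-9]+-[0-9]+/ && /crate: / {
            id = $0;    sub(/^.*RUSTSEC-/, "RUSTSEC-", id); sub(/ .*$/, "", id)
            crate = $0; sub(/^.*crate: /, "", crate); sub(/,.*$/, "", crate)
            if (crate in ids) ids[crate] = ids[crate] "," id
            else ids[crate] = id
        }
        END { for (c in ids) print c, ids[c] }' | LC_ALL=C sort
}

# Hypothetical helper: print the commands, one targeted update per crate so
# the Cargo.lock diff stays reviewable, then re-vendor and re-scan.
update_plan() {
    advisories_by_crate "$1" | while read -r crate ids; do
        printf 'cargo update -p %s  # %s\n' "$crate" "$ids"
    done
    # cargo update only moves within the version ranges Cargo.toml allows;
    # an advisory still listed after the re-scan needs a Cargo.toml change.
    printf 'cargo vendor\ncargo audit\n'
}

update_plan "$FINDINGS"
```

If the lockfile holds several versions of one crate, cargo rejects the bare name as ambiguous and the `-p` argument has to name the version as well.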

http://bugzilla.opensuse.org/show_bug.cgi?id=1188023

William Brown <william.brown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|GNOME:Apps/fractal:         |GNOME:Apps/fractal:
                   |                            |cargo-audit potential
                   |                            |security issues

http://bugzilla.opensuse.org/show_bug.cgi?id=1188023
http://bugzilla.opensuse.org/show_bug.cgi?id=1188023#c2

Bjørn Lie <bjorn.lie@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bjorn.lie@gmail.com
         Resolution|---                         |FIXED

--- Comment #2 from Bjørn Lie <bjorn.lie@gmail.com> ---
Fractal is now removed from distro. Closing as resolved fixed :-)