Potential vulnerability due to quinn-proto dependency crate #3
Labels
bug
Something isn't working
Comments
YuanYuYuan
pushed a commit
that referenced
this issue
Mar 29, 2024
…-pool Improve the drop of ZRUNTIME_POOL
|
@oteffahi Is this issue still relevant? |
|
@wyfo We're still using that version of the crate; so the issue is still relevant. |
|
Should we move it to the origin repository? |
|
We shouldn't put security vulnerabilities in the spotlight before we resolve them 😅 |
|
@gabrik can we bump Quinn? |
sure, but I think it will have a impact on the QUIC transport, as there have been API changes in quinn, so it is not just a bump of the crate |
Mouais... |
|
Fixed by updating crate version in eclipse-zenoh#1086 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Code audit shows potential vulnerability from the quinn-proto dependency crate. Receiving QUIC frames containing a frame with unknown frame type could lead to a panic.
Details are:
Crate: quinn-proto
Version: 0.10.4
Title: Denial of service in Quinn servers
Date: 2023-09-21
ID: RUSTSEC-2023-0063
URL: https://rustsec.org/advisories/RUSTSEC-2023-0063
Severity: 7.5 (high)
Solution: Upgrade to ^0.9.5 OR >=0.10.5
To reproduce
NA
System info
NA
The text was updated successfully, but these errors were encountered: