RUSTSEC-2020-0071 and 'chrono' dependency #21

Closed
damccull opened this issue Oct 18, 2021 · 7 comments

Comments

@damccull

Hello,

Apparently the 'chrono' crate still includes its 'oldtime' feature as a default, which depends on an old version of the 'time' crate (v0.1.43) that has a vulnerability in it.
https://rustsec.org/advisories/RUSTSEC-2020-0071.html

For my own projects, I disable chrono's default features, then manually include all of the defaults except for 'oldtime', which is what the readme on chrono's repo recommends.

However, pulling in serde_aux seems to bring in chrono with the 'default' features selected, including 'oldtime'.

Any chance you could remove the 'oldtime' feature from your dependency on chrono to avoid this CVE in downstream projects?

@iddm
Owner

iddm commented Oct 18, 2021

Thanks for noticing this! I will be unable to change anything for a week from now, but after this I'll do that.

@iddm
Owner

iddm commented Oct 25, 2021

I have just specified the features I need by explicitly mentioning them in my Cargo.toml:

```toml
[dependencies.chrono]
optional = true
version = "0.4"
features = ["alloc", "std", "clock"]
```

Is this enough? Or do I still need to specify no-default-features?

@damccull
Author

You also need to specify no-default-features because the "oldtime" feature is currently a default one, apparently for backwards compatibility.
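A Cargo.toml fragment that carries out the change discussed in this thread, as an added example (not serde_aux's own manifest): the entry from the comment above, which still pulls in `oldtime`, beside the corrected one, plus the checks to run afterwards.

```toml
# Added example, not serde_aux's own Cargo.toml: the chrono dependency written
# so that the 'oldtime' feature, and with it time 0.1.43 (RUSTSEC-2020-0071),
# stays out of the dependency graph that downstream crates inherit.
#
# Weak form: default features remain enabled, so 'oldtime' is still pulled in
# even though it is never named. Listing extra features never removes a default.
#
#   [dependencies.chrono]
#   optional = true
#   version = "0.4"
#   features = ["alloc", "std", "clock"]
#
# Corrected form: opt out of the defaults first, then re-enable only what is
# actually needed. 'oldtime' is not in the list, so time 0.1 is not resolved.
[dependencies.chrono]
optional = true
version = "0.4"
default-features = false
features = ["alloc", "std", "clock"]

# Verifying the result from the crate root (shell commands, shown as comments):
#   cargo tree -i time     # lists who depends on 'time'; no time v0.1.x path
#                          # leading back to chrono should remain
#   cargo audit            # still reports RUSTSEC-2020-0071 if time 0.1 is present
#
# Caveat: Cargo unifies features across the whole graph. If any other dependency
# enables chrono with its default features, 'oldtime' comes back regardless of
# this entry; `cargo tree -i time` shows which crate re-enabled it.
```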

@iddm
Owner

iddm commented Oct 25, 2021

Should be done now.

@damccull
Author

Neat. Thank you. What release shall we expect to see it in?

@iddm
Owner

iddm commented Oct 25, 2021 via email

@damccull
Author

👍
