Actix-web: RustSec advisory?

Created on 21 Jan 2020 · 5 Comments · Source: actix/actix-web

I'm somewhat reluctant to ask this, but it seems like the previously diagnosed unsound usage of unsafe may deserve a RustSec advisory.

I'm curious to hear opinions on whether this particular vulnerability is security-critical, and if so, get assistance on how we should file it.

All 5 comments

Where in this RustSec Vulnerability Criteria would this qualify? Is it unequivocally considered "Memory Corruption"? Reporting seems prudent if so. Even if there is ambiguity, it still may be worth at least reporting a warning advisory for the affected versions.

@actix/contributors thoughts?

Seems reasonable. Better safe than sorry.

It's worth making things more secure even with some performance sacrifice in order for actix-web to reach wide adoption.
better security -> wider adoption (bigger community) -> better quality (performance, security, reliability) -> :smiley:

I think we can close this issue as at least being tracked at https://github.com/RustSec/advisory-db/issues/294. Otherwise it seems like a number of issues have been fixed and filed already, so I think we're good here.

I've filed advisories for issues that were fixed in the 3.0 release:

https://rustsec.org/advisories/RUSTSEC-2020-0045.html
https://rustsec.org/advisories/RUSTSEC-2020-0046.html
https://rustsec.org/advisories/RUSTSEC-2020-0048.html
https://rustsec.org/advisories/RUSTSEC-2020-0049.html

And also one for very old actix from 2018:
https://rustsec.org/advisories/RUSTSEC-2018-0019.html
Nobody should be using that by now, but better safe than sorry.

If I've missed anything, or if I got something wrong, please let me know.
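The check a practitioner wants after reading the comment above is whether their own lockfile still pulls in a pre-3.0 actix-web. The usual tool for that is `cargo audit` from the RustSec project, which compares a Cargo.lock against the advisory database. The script below is an added, offline stand-in for that check; it is not code from this issue or from the actix-web project. It assumes that every actix-web version with major number below 3 is in scope for the 2020 advisories listed above (the comment says the fixes landed in 3.0; confirm the exact ranges on the advisory pages), and it does not cover the 2018 advisory, which is for the separate `actix` crate. The Cargo.lock text it scans is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the actix-web project.
# Scan Cargo.lock text for actix-web entries whose major version is below 3.
# Assumption: all pre-3.0 actix-web versions are affected by the advisories
# that the thread says were fixed in 3.0; verify against rustsec.org before
# acting on a hit. For real projects use `cargo audit` instead.

# Constructed sample lockfile: one affected entry, one unrelated crate,
# and one fixed entry.
SAMPLE_LOCK='
[[package]]
name = "actix-web"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.104"

[[package]]
name = "actix-web"
version = "3.0.2"
'

# vulnerable_actix_versions <lockfile-text>
# Prints one affected actix-web version per line (nothing if none).
# Cargo.lock lists "name" before "version" inside each [[package]] table,
# so the awk state machine only needs to remember the last name seen.
vulnerable_actix_versions() {
    printf '%s\n' "$1" | awk '
        $1 == "[[package]]" { name = "" }
        $1 == "name"        { name = $3; gsub(/"/, "", name) }
        $1 == "version" && name == "actix-web" {
            v = $3; gsub(/"/, "", v)
            split(v, parts, ".")
            if (parts[1] + 0 < 3) print v
        }
    '
}

# check_lock <lockfile-text>
# Returns 1 (and lists the versions) when an affected actix-web is present.
check_lock() {
    hits=$(vulnerable_actix_versions "$1")
    if [ -n "$hits" ]; then
        printf 'affected actix-web version(s) in lockfile:\n%s\n' "$hits"
        return 1
    fi
    echo "no pre-3.0 actix-web entries found"
    return 0
}

# Usage: check_lock "$(cat Cargo.lock)"; the sample below reports 2.0.0.
check_lock "$SAMPLE_LOCK" || true
```

Pre-release tags such as `3.0.0-beta.1` have major number 3 and are treated as fixed here; whether a given beta actually carries the fix is something only the advisory's stated patched range can tell you.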
