authorMarkus Pettersson <markus.pettersson@mullvad.net>2024-12-10 09:37:18 +0100
committerMarkus Pettersson <markus.pettersson@mullvad.net>2024-12-10 09:37:18 +0100
commit1cb61896d2af897a079a744fea8003a6f7f6a3f7 (patch)
tree69d32de5e6b5535f0cb2f0124c153e06eb2b95cb
parent534866bbd8ff9657a8ac89ed77dcb23cbe8b6d65 (diff)
parent6022cb16ba05a460fe597f5d6edd5228879a3093 (diff)
Merge branch 'silence-rustsec-2024-0421'
-rw-r--r--deny.toml6
-rw-r--r--osv-scanner.toml13
-rw-r--r--test/deny.toml5
-rw-r--r--test/osv-scanner.toml13
4 files changed, 37 insertions, 0 deletions
diff --git a/deny.toml b/deny.toml
index 9ed9d3b5c6..3172b7369a 100644
--- a/deny.toml
+++ b/deny.toml
@@ -28,6 +28,12 @@ yanked = "deny"
ignore = [
# Ignored audit issues. This list should be kept short, and effort should be
# put into removing items from the list.
+
+ # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+ # `hickory-proto 0.24.1` uses `idna 0.4`
+ # `url 2.5` uses `idna 0.5.0`
+ # `shadowsocks 1.20.3` uses `url 2.5`
+ "RUSTSEC-2024-0421",
]
diff --git a/osv-scanner.toml b/osv-scanner.toml
index 7df9f816d2..1e23863754 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -67,3 +67,16 @@
# effectiveUntil = 2024-11-02
# reason = "The XML payload is generated by Apple tooling which we trust"
# ```
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""
diff --git a/test/deny.toml b/test/deny.toml
index 4bb1b7bc73..743c19f908 100644
--- a/test/deny.toml
+++ b/test/deny.toml
@@ -24,6 +24,11 @@ ignore = [
# RUSTSEC-2024-0384 - `instant` is unmaintained.
# `ssh2 0.9.4` uses `instant`.
"RUSTSEC-2024-0384",
+ # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+ # `hickory-proto 0.24.1` uses `idna 0.4`
+ # `url 2.5` uses `idna 0.5.0`
+ # `shadowsocks 1.20.3` uses `url 2.5`
+ "RUSTSEC-2024-0421",
]
diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml
index 7c5a285d80..f9cb8a38e7 100644
--- a/test/osv-scanner.toml
+++ b/test/osv-scanner.toml
@@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl
version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when
https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved.
"""
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""