| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-12-10 18:17:38 +0100 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-12-11 13:26:28 +0100 |
| commit | 24c602a92103265dc8a372fa3c2557d6f8ead9d4 (patch) | |
| tree | 181742c3947588ba2d424a87aa260c2557dc0780 | |
| parent | fc6921b7174c8c661251bb23914ca04eb460efc1 (diff) | |
Revert "Silence `RUSTSEC-2024-0421`"
This reverts commit 6022cb16ba05a460fe597f5d6edd5228879a3093.
| -rw-r--r-- | deny.toml | 6 | ||||
| -rw-r--r-- | osv-scanner.toml | 13 | ||||
| -rw-r--r-- | test/deny.toml | 5 | ||||
| -rw-r--r-- | test/osv-scanner.toml | 13 |
4 files changed, 0 insertions, 37 deletions
@@ -28,12 +28,6 @@ yanked = "deny" ignore = [ # Ignored audit issues. This list should be kept short, and effort should be # put into removing items from the list. - - # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded - # `hickory-proto 0.24.1` uses `idna 0.4` - # `url 2.5` uses `idna 0.5.0` - # `shadowsocks 1.20.3` uses `url 2.5` - "RUSTSEC-2024-0421", ] diff --git a/osv-scanner.toml b/osv-scanner.toml index 1e23863754..7df9f816d2 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -67,16 +67,3 @@ # effectiveUntil = 2024-11-02 # reason = "The XML payload is generated by Apple tooling which we trust" # ``` - -# idna accepts Punycode labels that do not produce any non-ASCII when decoded -[[IgnoredVulns]] -id = "RUSTSEC-2024-0421" -ignoreUntil = 2025-03-09 -reason = """ -There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names -as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto` -and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not -vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues: -- https://github.com/hickory-dns/hickory-dns/issues/2206 -- https://github.com/shadowsocks/shadowsocks-rust/issues/1775 -""" diff --git a/test/deny.toml b/test/deny.toml index 743c19f908..4bb1b7bc73 100644 --- a/test/deny.toml +++ b/test/deny.toml @@ -24,11 +24,6 @@ ignore = [ # RUSTSEC-2024-0384 - `instant` is unmaintained. # `ssh2 0.9.4` uses `instant`. "RUSTSEC-2024-0384", - # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded - # `hickory-proto 0.24.1` uses `idna 0.4` - # `url 2.5` uses `idna 0.5.0` - # `shadowsocks 1.20.3` uses `url 2.5` - "RUSTSEC-2024-0421", ] diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml index f9cb8a38e7..7c5a285d80 100644 
--- a/test/osv-scanner.toml +++ b/test/osv-scanner.toml @@ -12,16 +12,3 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved. """ - -# idna accepts Punycode labels that do not produce any non-ASCII when decoded -[[IgnoredVulns]] -id = "RUSTSEC-2024-0421" -ignoreUntil = 2025-03-09 -reason = """ -There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names -as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto` -and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not -vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues: -- https://github.com/hickory-dns/hickory-dns/issues/2206 -- https://github.com/shadowsocks/shadowsocks-rust/issues/1775 -""" |
