| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-12-10 09:37:18 +0100 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-12-10 09:37:18 +0100 |
| commit | 1cb61896d2af897a079a744fea8003a6f7f6a3f7 (patch) | |
| tree | 69d32de5e6b5535f0cb2f0124c153e06eb2b95cb /test | |
| parent | 534866bbd8ff9657a8ac89ed77dcb23cbe8b6d65 (diff) | |
| parent | 6022cb16ba05a460fe597f5d6edd5228879a3093 (diff) | |
| download | mullvadvpn-1cb61896d2af897a079a744fea8003a6f7f6a3f7.tar.xz mullvadvpn-1cb61896d2af897a079a744fea8003a6f7f6a3f7.zip | |
Merge branch 'silence-rustsec-2024-0421'
Diffstat (limited to 'test')
| -rw-r--r-- | test/deny.toml | 5 | ||||
| -rw-r--r-- | test/osv-scanner.toml | 13 |
2 files changed, 18 insertions, 0 deletions
diff --git a/test/deny.toml b/test/deny.toml index 4bb1b7bc73..743c19f908 100644 --- a/test/deny.toml +++ b/test/deny.toml @@ -24,6 +24,11 @@ ignore = [ # RUSTSEC-2024-0384 - `instant` is unmaintained. # `ssh2 0.9.4` uses `instant`. "RUSTSEC-2024-0384", + # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded + # `hickory-proto 0.24.1` uses `idna 0.4` + # `url 2.5` uses `idna 0.5.0` + # `shadowsocks 1.20.3` uses `url 2.5` + "RUSTSEC-2024-0421", ] diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml index 7c5a285d80..f9cb8a38e7 100644 --- a/test/osv-scanner.toml +++ b/test/osv-scanner.toml @@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved. """ + +# idna accepts Punycode labels that do not produce any non-ASCII when decoded +[[IgnoredVulns]] +id = "RUSTSEC-2024-0421" +ignoreUntil = 2025-03-09 +reason = """ +There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names +as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto` +and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not +vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues: +- https://github.com/hickory-dns/hickory-dns/issues/2206 +- https://github.com/shadowsocks/shadowsocks-rust/issues/1775 +""" |
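Review bot: the new `"RUSTSEC-2024-0421",` entry in test/deny.toml has no removal condition, while the matching entry in test/osv-scanner.toml carries `ignoreUntil = 2025-03-09` and two tracking issues; the two ignore lists will drift apart and the cargo-deny ignore is the one that will silently outlive the fix. Suggest mirroring the pointer in the comment, e.g. `# Remove once hickory-proto and shadowsocks ship releases on idna >= 1.0.0 (hickory-dns#2206, shadowsocks-rust#1775)`, so whoever clears one ignore also clears the other. The dependency-path comment is good; keep it, since it is what a later reader needs to decide whether the ignore is still justified after a `cargo update`.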
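Review bot: the `reason` text in test/osv-scanner.toml calls RUSTSEC-2024-0421 a "privelege escalation", which does not match the summary quoted directly above it (`# idna accepts Punycode labels that do not produce any non-ASCII when decoded`); that summary describes a canonicalization defect in label decoding, where a Punycode-encoded label is accepted although it decodes to plain ASCII, i.e. a name-confusion class of bug, not a privilege escalation, and the justification for suppressing it should say what it actually is. Fix the spelling and grammar as well: `privelege` -> `privilege`, `depencies` -> `dependencies`, and `New releases of these depencies which are not vulnerable to RUSTSEC-2024-0421 is tracked` -> `... are tracked`. Finally, "consumers that accept arbitrary domain names as input, which we do not" is the load-bearing claim of the exemption; a one-line note of which inputs reach `url` and `hickory-proto` (fixed configuration vs. user-supplied names) would make it reviewable when `ignoreUntil = 2025-03-09` expires.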
