Diffstat (limited to 'test')
| -rw-r--r-- | test/deny.toml | 5 | ||||
| -rw-r--r-- | test/osv-scanner.toml | 13 |
2 files changed, 18 insertions, 0 deletions
diff --git a/test/deny.toml b/test/deny.toml
index 4bb1b7bc73..743c19f908 100644
--- a/test/deny.toml
+++ b/test/deny.toml
@@ -24,6 +24,11 @@ ignore = [
 # RUSTSEC-2024-0384 - `instant` is unmaintained.
 # `ssh2 0.9.4` uses `instant`.
 "RUSTSEC-2024-0384",
+ # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+ # `hickory-proto 0.24.1` uses `idna 0.4`
+ # `url 2.5` uses `idna 0.5.0`
+ # `shadowsocks 1.20.3` uses `url 2.5`
+ "RUSTSEC-2024-0421",
 ]
diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml
index 7c5a285d80..f9cb8a38e7 100644
--- a/test/osv-scanner.toml
+++ b/test/osv-scanner.toml
@@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl
 version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved.
 """
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""
|
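Review bot: The new `"RUSTSEC-2024-0421"` entry in the `ignore` array is open-ended, while the matching entry this commit adds to `test/osv-scanner.toml` expires on 2025-03-09 and links the two upstream tracking issues; once that date passes the osv-scanner check will start failing but the deny.toml suppression will keep hiding the advisory silently. The comment here records the dependency chain but not the condition for removing the ignore, so I would extend it with the same removal criterion and links, e.g. `# Remove once hickory-proto and shadowsocks ship a release using idna >= 1.0.0 (see hickory-dns issue 2206 and shadowsocks-rust issue 1775)`. Keying both suppression lists to one condition turns the eventual cleanup into a single reviewable step instead of two that can drift apart. The `ignore` array is opened before this hunk begins.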
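Review bot: The `reason` string describes RUSTSEC-2024-0421 as a "privelege escalation", which contradicts the comment directly above the `[[IgnoredVulns]]` header (and the deny.toml entry in the same commit) that characterizes it as `idna` accepting Punycode labels that decode to no non-ASCII; whoever re-evaluates this suppression when `ignoreUntil` lapses will be misled about the risk class, so the opening sentence should match the comment, e.g. `RUSTSEC-2024-0421 is a Punycode-handling issue in the idna crate, which affects consumers that accept arbitrary domain names`. The justification then rests entirely on the claim that our code does not accept arbitrary domain names as input; naming where that input is constrained would make the entry checkable rather than taken on trust. Two further wording fixes in the same string: `depencies` → `dependencies`, and `is tracked` → `are tracked`.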
