Vulnerabilities

RUSTSEC-2024-0399

rustls network-reachable panic in Acceptor::accept

A bug introduced in rustls 0.23.13 leads to a panic if the received
TLS ClientHello is fragmented. Only servers that use
rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.

Warnings

RUSTSEC-2024-0388

derivative is unmaintained; consider using an alternative

The derivative crate is no longer maintained.
Consider using any alternative, for instance:

• derive_more
• derive-where
• educe

RUSTSEC-2024-0384

instant is unmaintained

This crate is no longer maintained, and the author recommends using the maintained web-time crate instead.

RUSTSEC-2024-0370

proc-macro-error is unmaintained

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

proc-macro-error also depends on syn 1.x, which may be bringing duplicate dependencies into dependant build trees.

Possible Alternative(s)

• manyhow
• proc-macro-error2
• proc-macro2-diagnostics

RUSTSEC-2021-0127

serde_cbor is unmaintained

The serde_cbor crate is unmaintained. The author has archived the github repository.

Alternatives proposed by the author:

• ciborium
• minicbor

Crate critical-section is yanked

No extra details provided.

Crate futures-util is yanked

No extra details provided.