
This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate hifitime

Dependencies

(12 total, 4 outdated, 2 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| der | ^0.7.8 | 0.7.10 | up to date |
| js-sys | ^0.3 | 0.3.83 | up to date |
| lexical-core | ^0.8.5 | 1.0.6 | out of date |
| num-traits | ^0.2.15 | 0.2.19 | up to date |
| openssl ⚠️ | ^0.10 | 0.10.75 | maybe insecure |
| pyo3 ⚠️ | ^0.20.0 | 0.27.2 | out of date |
| reqwest | ^0.11 | 0.12.25 | out of date |
| serde | ^1.0.155 | 1.0.228 | up to date |
| serde_derive | ^1.0.155 | 1.0.228 | up to date |
| tabled | ^0.15.0 | 0.20.0 | out of date |
| wasm-bindgen | ^0.2 | 0.2.106 | up to date |
| web-sys | ^0.3 | 0.3.83 | up to date |

Dev dependencies

(3 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| criterion | ^0.5.1 | 0.8.1 | out of date |
| iai | ^0.1 | 0.1.1 | up to date |
| serde_json | ^1.0.91 | 1.0.145 | up to date |

Security Vulnerabilities

pyo3: Risk of buffer overflow in `PyString::from_object`

RUSTSEC-2025-0020

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`

RUSTSEC-2025-0022

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.