rpm/arti
SHA256
1
0
Fork 0
forked from pool/arti
Code Pull Requests Activity

Add link to ignored vulns

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network/arti?expand=0&rev=8
This commit is contained in:
Eyad Issa 2023-11-14 20:25:00 +00:00 committed by Git OBS Bridge
parent ed582c3c6b
commit a1ebac571b
2 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
_service
View File

@ -15,7 +15,47 @@
<param name="srcdir">arti</param> <param name="srcdir">arti</param>
<param name="compression">zst</param> <param name="compression">zst</param>
<param name="update">true</param> <param name="update">true</param>
<!-- From
https://gitlab.torproject.org/tpo/core/arti/-/blob/58f578f9097b090b289f4ea59488044796428daf/maint/cargo_audit
-->
<!--
This is a real but theoretical unaligned read. It might happen only on
Windows and only with a custom global allocator, which we don't do in our
arti binary. The bad crate is depended on by env-logger and clap.
This is being discussed by those crates' contributors here:
https://github.com/clap-rs/clap/pull/4249
https://github.com/rust-cli/env_logger/pull/246
-->
<param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
<!--
This is an API vulnerability in ed25519-dalek v1.x.x, to the
extent that it does not force you to store private and public
keys as a single keypair.
We have desigend our APIs to work around this, and believe we
are not affected. We should eventually upgrade to
ed25519-dalek >= 2, however.
-->
<param name="i-accept-the-risk">RUSTSEC-2022-0093</param> <param name="i-accept-the-risk">RUSTSEC-2022-0093</param>
<!--
This is a DOS vulnerability against rustls-webpki (only some versions)
and webpki (all versions) where some cert chains can cause
ridiculous CPU usage.
We've upgraded our rustls-webpki usage, but webpki (which is
unmaintained) is still used by tls-api, which we use from
arti-hyper.
I've opened https://github.com/stepancheg/rust-tls-api/issues/45
for this issue, but I'm not sure whether `tls-api` is maintained.
See https://gitlab.torproject.org/tpo/core/arti/-/issues/1016
-->
<param name="i-accept-the-risk">RUSTSEC-2023-0052</param>
</service> </service>
<service name="cargo_audit" mode="manual"> <service name="cargo_audit" mode="manual">
<param name="srcdir">arti</param> <param name="srcdir">arti</param>

4
vendor.tar.zst
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:6a5322875c1e187e74ed6d1f18229ccb979afdee95947c26320294c10e78f188 oid sha256:bf9b1bcb5b9222003bfb4f4abfbf0b2b6b87b6366d08596977d2a8993a456df4
size 52565982 size 52740477