RUSTSEC-2020-0159: Potential segfault in localtime_r invocations

[github-actions]

Potential segfault in localtime_r invocations

Details
Package	chrono
Version	0.4.19
URL	chronotope/chrono#499
Date	2020-11-10

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

• time-rs/time#293

See advisory page for additional details.

[kate-goldenring]

See background from #398 (comment)

[github-actions]

Issue has been automatically marked as stale due to inactivity for 90 days. Update the issue to remove label, otherwise it will be automatically closed.

[kate-goldenring]

still active when run cargo audit locally but it looks like kube-rs took steps to mitigate using vulnerable features of chrono kube-rs/kube#650

[Ragnyll]

This is the comment i was referencing in todays meeting saying that it might not affect this. chronotope/chrono#578 (comment)

I'll need to remind myself what this means in reference to kube-rs though. i may be wrong here.

[kate-goldenring]

This is the comment i was referencing in todays meeting saying that it might not affect this. chronotope/chrono#578 (comment)

I'll need to remind myself what this means in reference to kube-rs though. i may be wrong here.

Thanks. Looks like once chrono removes dependency on time and kube-rs uses the latest chrono, this will go away

[github-actions]

Issue has been automatically marked as stale due to inactivity for 90 days. Update the issue to remove label, otherwise it will be automatically closed.

[github-actions]

Issue has been automatically marked as stale due to inactivity for 90 days. Update the issue to remove label, otherwise it will be automatically closed.