Add advisory for race condition in Tokio #951

Merged
merged 6 commits into from Jul 7, 2021

Darksonn
Contributor

@Darksonn Darksonn commented Jul 7, 2021

@Darksonn
Contributor Author

Darksonn commented Jul 7, 2021

Ah, I just copied the code block from the README.

@Shnatsel
Member

Shnatsel commented Jul 7, 2021

I can't recall if I implemented the ~ operator. There's a good chance I didn't, and we might have to use a more verbose version specification if so. I'll add it this Friday now that there is a use case for it.

@Darksonn
Contributor Author

Darksonn commented Jul 7, 2021

It's past midnight here, so I won't be able to change the tildes until tomorrow.

it's not yet supported by rustsec v0.24
@Shnatsel Shnatsel merged commit 6f2157c into rustsec:main Jul 7, 2021
@Shnatsel
Member

Shnatsel commented Jul 7, 2021

Properly implementing tildes is tricky, so I don't want to rush that. I've changed the version specification to use version ranges in the meanwhile.

@Shnatsel
Member

Shnatsel commented Jul 7, 2021

@alex FYI this should have specified >= 1.8.1 instead of ^1.8.1, because the latter would mark 2.0.0 as vulnerable. I've fixed this on main after merging this PR.

@Shnatsel
Member

Shnatsel commented Jul 7, 2021

Apologies for the inconvenience with the tilde, and thanks for reporting the issue!

To double-check, this is the list of all versions published to crates.io, and whether they're vulnerable or not according to the current version specification, ordered by upload date:

0.0.0 OK
0.1.0 OK
0.1.1 OK
0.1.2 OK
0.1.3 OK
0.1.4 OK
0.1.5 OK
0.1.6 OK
0.1.7 OK
0.1.8 OK
0.1.9 OK
0.1.10 OK
0.1.11 OK
0.1.12 OK
0.1.13 OK
0.1.14 OK
0.1.15 OK
0.1.16 OK
0.1.17 OK
0.1.18 OK
0.1.19 OK
0.1.20 OK
0.1.21 OK
0.1.22 OK
0.2.0-alpha.1 OK
0.2.0-alpha.2 OK
0.2.0-alpha.3 OK
0.2.0-alpha.4 OK
0.2.0-alpha.5 OK
0.2.0-alpha.6 OK
0.2.0 OK
0.2.1 OK
0.2.2 OK
0.2.3 OK
0.2.4 OK
0.2.5 OK
0.2.6 OK
0.2.7 OK
0.2.8 OK
0.2.9 OK
0.2.10 OK
0.2.11 OK
0.2.12 OK
0.2.13 OK
0.2.14 OK
0.2.15 OK
0.2.16 OK
0.2.17 OK
0.2.18 OK
0.2.19 OK
0.2.20 OK
0.2.21 OK
0.2.22 OK
0.3.0 vulnerable
0.3.1 vulnerable
0.3.2 vulnerable
0.3.3 vulnerable
0.2.23 OK
0.3.4 vulnerable
0.3.5 vulnerable
0.2.24 OK
0.3.6 vulnerable
1.0.0 vulnerable
1.0.1 vulnerable
1.0.2 vulnerable
1.1.0 vulnerable
0.2.25 OK
0.3.7 vulnerable
1.0.3 vulnerable
1.1.1 vulnerable
1.2.0 vulnerable
1.3.0 vulnerable
1.4.0 vulnerable
1.5.0 vulnerable
1.6.0 vulnerable
1.6.1 vulnerable
1.6.2 vulnerable
1.7.0 vulnerable
1.7.1 vulnerable
1.8.0 vulnerable
1.5.1 OK
1.6.3 OK
1.7.2 OK
1.8.1 OK
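
The difference between `^1.8.1` and `>= 1.8.1` discussed in this thread, as an added example that is not code from the PR or from rustsec. The patched and unaffected ranges are an assumption reconstructed from the OK/vulnerable list above, the tilde requirements are written out as the explicit ranges they stand for, and all function names are hypothetical.

```rust
// Added example. The ranges are an assumption reconstructed from the
// OK/vulnerable list in this thread, not copied from the advisory file.
type V = (u64, u64, u64);

// Half-open range [lo, hi); hi = None means no upper bound.
struct Range { lo: V, hi: Option<V> }

impl Range {
    fn contains(&self, v: V) -> bool {
        v >= self.lo && self.hi.map_or(true, |h| v < h)
    }
}

// Plain numeric x.y.z only; pre-releases such as 0.2.0-alpha.1 give None.
fn parse(s: &str) -> Option<V> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

fn at_least(lo: V) -> Range { Range { lo, hi: None } } // >= x.y.z
fn tilde(lo: V) -> Range { Range { lo, hi: Some((lo.0, lo.1 + 1, 0)) } } // ~x.y.z
fn caret(lo: V) -> Range { // ^x.y.z
    let hi = match lo {
        (0, 0, p) => (0, 0, p + 1),
        (0, m, _) => (0, m + 1, 0),
        (x, _, _) => (x + 1, 0, 0),
    };
    Range { lo, hi: Some(hi) }
}

// Backport lines ~1.5.1, ~1.6.3, ~1.7.2, plus the newest line given by `last`.
fn patched(last: Range) -> Vec<Range> {
    vec![tilde((1, 5, 1)), tilde((1, 6, 3)), tilde((1, 7, 2)), last]
}

// A version is vulnerable unless a patched or unaffected range covers it.
fn is_vulnerable(version: &str, patched: &[Range]) -> Option<bool> {
    let v = parse(version)?;
    let unaffected = Range { lo: (0, 0, 0), hi: Some((0, 3, 0)) }; // < 0.3.0
    Some(!(unaffected.contains(v) || patched.iter().any(|r| r.contains(v))))
}

fn main() {
    for v in ["0.2.25", "0.3.7", "1.5.1", "1.6.0", "1.8.0", "1.8.1", "2.0.0"] {
        let c = is_vulnerable(v, &patched(caret((1, 8, 1))));
        let g = is_vulnerable(v, &patched(at_least((1, 8, 1))));
        println!("{:<8} ^1.8.1 -> {:?}   >= 1.8.1 -> {:?}", v, c, g);
    }
}
```

Only the hypothetical future 2.0.0 differs between the two specifications; every version sampled from the list gets the same verdict under both.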
