
Bump hashbrown@0.15.0 to 0.15.1 to fix vuln #8315

Merged
merged 1 commit into from
Dec 4, 2024

Conversation

grtlr
Contributor

@grtlr grtlr commented Dec 4, 2024

What

Fixes CI problems (https://github.com/rerun-io/rerun/actions/runs/12160549310/job/33913118372?pr=8313):

```
error[vulnerability]: Borsh serialization of HashMap is non-canonical
    ┌─ /home/runner/work/rerun/rerun/Cargo.lock:225:1
    │
225 │ hashbrown 0.15.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2024-0402
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0402
    ├ The borsh serialization of the HashMap did not follow the borsh specification.
      It potentially produced non-canonical encodings dependent on insertion order.
      It also did not perform canonicty checks on decoding.

      This can result in consensus splits and cause equivalent objects to be
      considered distinct.

      This was patched in 0.15.1.
```

@grtlr grtlr requested a review from emilk December 4, 2024 13:37
@grtlr grtlr added the exclude from changelog PRs with this won't show up in CHANGELOG.md label Dec 4, 2024
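To make the advisory concrete, here is an added example (not code from this PR, from rerun, or from the hashbrown/borsh crates) using a hypothetical minimal borsh-style map layout over `HashMap<u32, u32>`: the insertion-order encoding the advisory describes beside a canonical sorted-key encoding, and a decoder that rejects non-canonical input instead of accepting it.

```rust
use std::collections::HashMap;

// Hypothetical layout (assumed for this example): u32 LE entry count, then
// each entry as key u32 LE, value u32 LE; entries must be in ascending key order.

fn encode_pairs(pairs: &[(u32, u32)]) -> Vec<u8> {
    let mut out = (pairs.len() as u32).to_le_bytes().to_vec();
    for (k, v) in pairs {
        out.extend_from_slice(&k.to_le_bytes());
        out.extend_from_slice(&v.to_le_bytes());
    }
    out
}

/// Insertion-order encoding, the non-canonical behaviour the advisory
/// describes: two equal maps can serialise to different bytes.
pub fn encode_naive(map: &HashMap<u32, u32>) -> Vec<u8> {
    encode_pairs(&map.iter().map(|(k, v)| (*k, *v)).collect::<Vec<_>>())
}

/// Canonical encoding: sort by key so equal maps always yield identical bytes.
pub fn encode_canonical(map: &HashMap<u32, u32>) -> Vec<u8> {
    let mut pairs: Vec<(u32, u32)> = map.iter().map(|(k, v)| (*k, *v)).collect();
    pairs.sort_unstable();
    encode_pairs(&pairs)
}

/// Decoder with the canonicity check the advisory says was missing: keys must
/// be strictly increasing and the input must be consumed exactly.
pub fn decode_canonical(bytes: &[u8]) -> Result<HashMap<u32, u32>, String> {
    let read_u32 = |pos: usize| -> Result<u32, String> {
        let c = bytes.get(pos..pos + 4).ok_or("truncated input")?;
        Ok(u32::from_le_bytes([c[0], c[1], c[2], c[3]]))
    };
    let len = read_u32(0)? as usize;
    let mut map = HashMap::new(); // never pre-allocate from an untrusted length
    let mut prev: Option<u32> = None;
    for i in 0..len {
        let (k, v) = (read_u32(4 + i * 8)?, read_u32(8 + i * 8)?);
        if prev.map_or(false, |p| k <= p) {
            return Err(format!("non-canonical: key {k} not in ascending order"));
        }
        prev = Some(k);
        map.insert(k, v);
    }
    if bytes.len() != 4 + len * 8 { return Err("trailing bytes".to_string()); }
    Ok(map)
}
```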

github-actions bot commented Dec 4, 2024

Web viewer built successfully. If applicable, you should also test it:

  • I have tested the web viewer
| Result | Commit | Link |
| --- | --- | --- |
| built | 0afae56 | https://rerun.io/viewer/pr/8315 |

Note: This comment is updated whenever you push a commit.

@grtlr grtlr merged commit ecfd356 into main Dec 4, 2024
33 of 34 checks passed
@grtlr grtlr deleted the grtlr/bump-hashbrown branch December 4, 2024 13:54
grtlr added a commit that referenced this pull request Dec 4, 2024