jeremycline / btfm
License: GNU General Public License v2.0
xsalsa20poly1305 crate has been renamed to crypto_secretbox
Details | |
---|---|
Status | unmaintained |
Package | xsalsa20poly1305 |
Version | 0.8.0 |
URL | RustCrypto/AEADs#525 |
Date | 2023-05-16 |
This crate has been forked/renamed from xsalsa20poly1305 to crypto_secretbox.
The new repository location is at:
<https://github.com/RustCrypto/nacl-compat/tree/master/crypto_secretbox>
See advisory page for additional details.
Generators can cause data races if non-Send types are used in their generator functions
Details | |
---|---|
Package | generator |
Version | 0.6.25 |
URL | Xudong-Huang/generator-rs#27 |
Date | 2020-11-16 |
Patched versions | >=0.7.0 |
The `Generator` type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no `Send` bound despite the `Generator` itself implementing `Send`.
The generator function lacking a `Send` bound means that types that are dangerous to send across threads, such as `Rc`, could be sent as part of a generator, potentially leading to data races.
This flaw was fixed in commit f7d120a3b by enforcing that the generator function be bound by `Send`.
See advisory page for additional details.
webpki: CPU denial of service in certificate path building
Details | |
---|---|
Package | webpki |
Version | 0.22.0 |
Date | 2023-08-22 |
When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.
Both TLS clients and TLS servers that accept client certificates are affected.
This was previously reported in <briansmith/webpki#69> and re-reported recently by Luke Malinowski.
`rustls-webpki` is a fork of this crate which contains a fix for this issue and is actively maintained.
See advisory page for additional details.
ansi_term is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | ansi_term |
Version | 0.12.1 |
URL | ogham/rust-ansi-term#72 |
Date | 2021-08-18 |
The maintainer has advised that this crate is deprecated and will not receive any maintenance.
The crate does not seem to have many dependencies and may or may not be OK to use as-is.
The last release seems to have been three years ago.
The below list has not been vetted in any way and may or may not contain alternatives;
See advisory page for additional details.
Tungstenite allows remote attackers to cause a denial of service
Details | |
---|---|
Package | tungstenite |
Version | 0.17.3 |
URL | snapview/tungstenite-rs#376 |
Date | 2023-09-25 |
Patched versions | >=0.20.1 |
The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
a denial of service (minutes of CPU consumption) via an excessive length of an
HTTP header in a client handshake. The length affects both how many times a parse
is attempted (e.g., thousands of times) and the average amount of data for each
parse attempt (e.g., millions of bytes).
See advisory page for additional details.
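The advisory describes a handshake reader that appends each received chunk to a buffer and re-parses the whole buffer from the start, so a single oversized header costs O(n²) work. The following is an added example, not tungstenite's own code: it models that accumulate-and-reparse loop, counts the bytes scanned so the quadratic growth is visible, and shows a hard cap on handshake size that bounds the loop. `MAX_HANDSHAKE_BYTES`, `ParseStats`, `read_handshake` and `oversized_header_chunks` are names chosen here for illustration, and the attacker traffic is constructed inline.

```rust
// Added example (not tungstenite's code): models the re-parse-after-every-chunk
// handshake loop from the advisory and a size cap that bounds it.

/// Assumed cap on the whole client handshake; a real server would pick its own value.
const MAX_HANDSHAKE_BYTES: usize = 8 * 1024;

#[derive(Debug, Default, PartialEq)]
struct ParseStats {
    parse_attempts: usize,
    bytes_scanned: usize,
}

/// Naive search for the end of the HTTP header block ("\r\n\r\n").
/// Every call rescans `buf` from the start, which is what makes re-parsing
/// after each received chunk cost O(n^2) in the total header length.
fn find_header_end(buf: &[u8]) -> Option<usize> {
    buf.windows(4).position(|w| w == b"\r\n\r\n").map(|i| i + 4)
}

/// Reads the handshake from a sequence of received chunks, re-parsing the whole
/// buffer after each one. `max_bytes` aborts the loop once the buffer exceeds it;
/// pass `usize::MAX` to model the unbounded (vulnerable) behaviour.
fn read_handshake<C: AsRef<[u8]>>(
    chunks: &[C],
    max_bytes: usize,
) -> Result<(Vec<u8>, ParseStats), (&'static str, ParseStats)> {
    let mut buf: Vec<u8> = Vec::new();
    let mut stats = ParseStats::default();
    for chunk in chunks {
        buf.extend_from_slice(chunk.as_ref());
        if buf.len() > max_bytes {
            return Err(("handshake exceeds size limit", stats));
        }
        stats.parse_attempts += 1;
        stats.bytes_scanned += buf.len();
        if let Some(end) = find_header_end(&buf) {
            buf.truncate(end);
            return Ok((buf, stats));
        }
    }
    Err(("connection closed before handshake completed", stats))
}

/// Constructed attacker traffic: `n` chunks of `chunk_len` bytes that together form
/// one enormous header value with no terminating blank line. `chunk_len` must be at
/// least as long as the request-line prefix (40 bytes).
fn oversized_header_chunks(n: usize, chunk_len: usize) -> Vec<Vec<u8>> {
    let mut first = b"GET /ws HTTP/1.1\r\nHost: example\r\nX-Pad: ".to_vec();
    assert!(chunk_len >= first.len(), "chunk_len must cover the request prefix");
    first.resize(chunk_len, b'a');
    let mut chunks = Vec::with_capacity(n);
    chunks.push(first);
    for _ in 1..n {
        chunks.push(vec![b'a'; chunk_len]);
    }
    chunks
}

fn main() {
    let chunks = oversized_header_chunks(200, 100);
    if let Err((msg, stats)) = read_handshake(&chunks, usize::MAX) {
        println!("unbounded: {msg}; {stats:?}");
    }
    if let Err((msg, stats)) = read_handshake(&chunks, MAX_HANDSHAKE_BYTES) {
        println!("capped at {MAX_HANDSHAKE_BYTES} bytes: {msg}; {stats:?}");
    }
}
```

With 200 chunks of 100 bytes the unbounded loop performs 200 parse attempts over a total of 2,010,000 bytes (100 + 200 + ... + 20,000); with a 4096-byte cap it stops after 40 attempts. The cap is the cheap fix; the deeper one is an incremental parser that does not restart from byte zero on every read.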
steps to reproduce:
Marvin Attack: potential key recovery through timing sidechannels
Details | |
---|---|
Package | rsa |
Version | 0.9.5 |
URL | RustCrypto/RSA#19 (comment) |
Date | 2023-11-22 |
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
The only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
See advisory page for additional details.
Deepgram has a free API tier with https://try.deepgram.com/ and has 20 hours per month. It'd be entertaining to use that and fall back to deepspeech when the key runs out.
There are a lot of clips, but many just don't get played, because reasons. At some interval, say every few minutes, the bot should find a random clip with a low play count and play it for lulz.
Right now it plays the join sound inside the function dealing with whether or not to join. Factor it out and add more event hooks (goodbye clips, etc).
For each phrase that is available, perform a lookup against a thesaurus, which will therefore greatly expand the pool of phrases, and could make the bot more funny, or just crazy, like https://www.reddit.com/r/ThesaurizeThis/
cpuid-bool has been renamed to cpufeatures
Details | |
---|---|
Status | unmaintained |
Package | cpuid-bool |
Version | 0.2.0 |
URL | RustCrypto/utils#381 |
Date | 2021-05-06 |
Please use the `cpufeatures` crate going forward:
<https://github.com/RustCrypto/utils/tree/master/cpufeatures>
There will be no further releases of cpuid-bool.
See advisory page for additional details.
A single clip could be triggered by multiple configured phrases. A single phrase could randomly trigger a clip from an existing list of configured clips.
Buffer overflow due to integer overflow in transpose
Details | |
---|---|
Package | transpose |
Version | 0.2.2 |
URL | ejmahler/transpose#11 |
Date | 2023-12-18 |
Given the function `transpose::transpose`:

```rust
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
```

The safety check `input_width * input_height == output.len()` can be defeated when `input_width * input_height` wraps on overflow to a value that happens to equal `output.len()`.
Because the check passes with the wrapped product, memory past the end of `output` is written to. This only occurs in release mode, since `*` panics on overflow in debug mode.
Exploiting this issue requires the caller to pass `input_width` and `input_height` arguments such that multiplying them overflows, and the wrapped result equals the lengths of the input and output slices.
See advisory page for additional details.
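The following is an added example, not the transpose crate's code: it reproduces the wrapped product the advisory describes (a width/height pair whose product wraps to exactly 16 on any pointer width), shows the flawed equality check accepting it, and shows the `checked_mul` form that rejects it before any indexing happens. `flawed_check`, `checked_dims`, `overflowing_dims_for_len16` and the safe `transpose` below are names chosen here for illustration.

```rust
// Added example (not the transpose crate's code): the wrapped-product check from
// the advisory beside a checked_mul version that rejects the overflowing pair.

/// The flawed check as the advisory describes it. In release mode `*` wraps, so
/// `wrapping_mul` models exactly what the unchecked multiply computes (and keeps
/// this function from panicking when run in debug mode).
fn flawed_check(input_width: usize, input_height: usize, input_len: usize, output_len: usize) -> bool {
    let cells = input_width.wrapping_mul(input_height);
    cells == input_len && cells == output_len
}

/// Hardened dimension check: `checked_mul` refuses any (width, height) pair whose
/// product does not fit in usize, so no wrapped value can ever match a slice length.
fn checked_dims(
    input_width: usize,
    input_height: usize,
    input_len: usize,
    output_len: usize,
) -> Result<usize, &'static str> {
    let cells = input_width
        .checked_mul(input_height)
        .ok_or("width * height overflows usize")?;
    if cells != input_len {
        return Err("input length does not match width * height");
    }
    if cells != output_len {
        return Err("output length does not match width * height");
    }
    Ok(cells)
}

/// Row-major transpose that validates dimensions first and then uses only
/// bounds-checked indexing, so a bad caller gets an Err (or a panic), never an
/// out-of-bounds write.
fn transpose<T: Copy>(
    input: &[T],
    output: &mut [T],
    input_width: usize,
    input_height: usize,
) -> Result<(), &'static str> {
    checked_dims(input_width, input_height, input.len(), output.len())?;
    for y in 0..input_height {
        for x in 0..input_width {
            output[x * input_height + y] = input[y * input_width + x];
        }
    }
    Ok(())
}

/// Dimensions whose wrapped product is 16 on any pointer width:
/// width = 2^(bits-1) + 8 and height = 2, so width * height = 2^bits + 16, which
/// wraps to 16 while a 16-element slice is all the caller needs to supply.
fn overflowing_dims_for_len16() -> (usize, usize) {
    (usize::MAX / 2 + 1 + 8, 2)
}

fn main() {
    let (w, h) = overflowing_dims_for_len16();
    let buf = [0u8; 16];
    println!("flawed check passes for {w}x{h} with 16-element slices: {}",
             flawed_check(w, h, buf.len(), buf.len()));
    println!("checked_dims: {:?}", checked_dims(w, h, buf.len(), buf.len()));

    let input: Vec<u32> = (0..6).collect(); // 3 wide, 2 high: [[0,1,2],[3,4,5]]
    let mut output = vec![0u32; 6];
    transpose(&input, &mut output, 3, 2).unwrap();
    println!("transposed: {output:?}");
}
```

The constructed pair passes the flawed check with only 16 elements allocated, which is the whole bug: the unsafe write path then believes it owns 2^bits + 16 cells. `checked_dims` fails closed on the multiplication itself rather than on the comparison.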
Create a batch job that runs at some interval to analyze existing clips, generate text from those clips, and add that text as associated keyword/phrases to the database.
libsqlite3-sys via C SQLite CVE-2022-35737
Details | |
---|---|
Package | libsqlite3-sys |
Version | 0.24.2 |
URL | https://nvd.nist.gov/vuln/detail/CVE-2022-35737 |
Date | 2022-08-03 |
Patched versions | >=0.25.1 |
It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large strings were input into SQLite's `printf` function.
As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite in release 0.25.1.
See advisory page for additional details.
Chance could also be increased for when a user leaves and re-joins the channel in a small window of time.
term is looking for a new maintainer
Details | |
---|---|
Status | unmaintained |
Package | term |
Version | 0.4.6 |
URL | Stebalien/term#93 |
Date | 2018-11-19 |
The author of the `term` crate does not have time to maintain it and is looking for a new maintainer.
Some maintained alternatives you can potentially switch to instead, depending on your needs:
See advisory page for additional details.
dirs is unmaintained, use dirs-next instead
Details | |
---|---|
Status | unmaintained |
Package | dirs |
Version | 3.0.1 |
URL | https://github.com/dirs-dev/dirs-rs |
Date | 2020-10-16 |
The `dirs` crate is not maintained any more; use `dirs-next` instead.
See advisory page for additional details.
Potential segfault in localtime_r invocations
Details | |
---|---|
Package | chrono |
Version | 0.4.19 |
URL | chronotope/chrono#499 |
Date | 2020-11-10 |
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
See advisory page for additional details.
Potential segfault in the time crate
Details | |
---|---|
Package | time |
Version | 0.1.43 |
URL | time-rs/time#293 |
Date | 2020-11-18 |
Patched versions | >=0.2.23 |
Unaffected versions | =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6 |
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
- `time::UtcOffset::local_offset_at`
- `time::UtcOffset::try_local_offset_at`
- `time::UtcOffset::current_local_offset`
- `time::UtcOffset::try_current_local_offset`
- `time::OffsetDateTime::now_local`
- `time::OffsetDateTime::try_now_local`
The affected functions in time 0.1 (all versions) are:
- `at`
- `at_utc`
Non-Unix targets (including Windows and wasm) are unaffected.
Pending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and UTC on the non-`try_*` methods.
Users and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.
Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater, or the 0.3 series.
No workarounds are known.
See advisory page for additional details.