Tags: rust, rust-chrono, tokio-postgres, r2d2

The latest chrono 0.4 crate uses time 0.1 which has a potential segfault - how to fix?


I'm writing an app in Rust that uses a PostgreSQL client connection pool with Chrono (0.4.22) features for date time calculations. So my Cargo.toml has these lines:

    [dependencies]
    postgres = { version = "0.19", features = ["with-chrono-0_4"] }
    chrono = "0.4"
    chrono-tz = "0.6"

But after running cargo audit it seems Chrono is using an old version (0.1.44) of the time crate, causing a vulnerability report on RUSTSEC-2020-0071:

# cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 458 security advisories (from /root/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (138 crate dependencies)
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23

According to the URL, the severity is a CVSS score of 6.2 - MEDIUM. The issue is discussed on GitHub: https://github.com/chronotope/chrono/issues/602

"Due to compatibility reasons, this release does not yet remove the time 0.1 dependency, though chrono 0.4.20 does not depend on the vulnerable parts of the time 0.1.x versions. In a future 0.5 release, we will remove the time dependency."

Does this mean I can safely ignore this particular output of cargo audit?

UPDATE: I ran cargo update and chrono is at version 0.4.22, but it is still using time version 0.1.44. I want to assume that the GitHub quote is completely valid and it should be all I need when I send this info in an audit report.


Solution

  • You need to disable the default feature oldtime of chrono in Cargo.toml:

    chrono = { version = "0.4.22", default-features = false }
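A complete Cargo.toml dependency section applying the answer above, added here as an example and not part of the original post. It assumes the crate versions from the question; the feature names are chrono 0.4's own: `oldtime` is the default feature that pulls in time 0.1, and `clock` and `std` are the other two default features that `default-features = false` also switches off, so they are re-enabled explicitly to keep `Utc::now()` and the standard-library types available.

```toml
[dependencies]
postgres = { version = "0.19", features = ["with-chrono-0_4"] }
# chrono's defaults are ["clock", "std", "oldtime"]; "oldtime" is what drags in
# time 0.1.44 (RUSTSEC-2020-0071). Turn defaults off and list only the features
# this app actually uses.
chrono = { version = "0.4.22", default-features = false, features = ["clock", "std"] }
chrono-tz = "0.6"
```

After editing, run `cargo update` so Cargo.lock is regenerated, then `cargo tree -i time@0.1.44` to confirm no crate in the graph still depends on it; Cargo's feature unification means that if any other dependency enables chrono's default features, `oldtime` and time 0.1 come back, and the inverted tree shows which crate is responsible. A final `cargo audit` should then no longer list RUSTSEC-2020-0071.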