Merge branch 'silence-rustsec-2024-0421'

mullvad · Dec 10, 2024 · 1cb6189 · 1cb6189
2 parents 534866b + 6022cb1
commit 1cb6189
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/deny.toml b/deny.toml
@@ -28,6 +28,12 @@ yanked = "deny"
 ignore = [
     # Ignored audit issues. This list should be kept short, and effort should be
     # put into removing items from the list.
+
+    # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+    # `hickory-proto 0.24.1` uses `idna 0.4`
+    # `url 2.5` uses `idna 0.5.0`
+    # `shadowsocks 1.20.3` uses `url 2.5`
+    "RUSTSEC-2024-0421",
 ]
 
 

diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -67,3 +67,16 @@
 # effectiveUntil = 2024-11-02
 # reason = "The XML payload is generated by Apple tooling which we trust"
 # ```
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""
diff --git a/test/deny.toml b/test/deny.toml
@@ -24,6 +24,11 @@ ignore = [
     # RUSTSEC-2024-0384 - `instant` is unmaintained.
     # `ssh2 0.9.4` uses `instant`.
     "RUSTSEC-2024-0384",
+    # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+    # `hickory-proto 0.24.1` uses `idna 0.4`
+    # `url 2.5` uses `idna 0.5.0`
+    # `shadowsocks 1.20.3` uses `url 2.5`
+    "RUSTSEC-2024-0421",
 ]
 
 

diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml
@@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl
 version of `parking_lot`, preventing us from upgrading to a fixed version. This ignore can be removed when
 https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved.
 """
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""