Sergey "Shnatsel" Davidoff

Results 943 comments of Sergey "Shnatsel" Davidoff

Exploitability is also far from being clear-cut. For example, Microsoft has famously misjudged their use of MD5 in certificates, which turned out to be far more exploitable than it seemed....

The unsoundness deserves an advisory. Passive maintenance status is not usually something we make an advisory for; it's designed for crates with entirely unreachable maintainers.

We currently have a lot of advisories to review, so I would appreciate it if you could fill out the advisory template and submit it as a PR. See https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md

Is the issue reported upstream? That would be the first step to fixing it.

I believe the way forward here is to report this to the upstream issue tracker. If this is by design, and they have no plans to remove the issue anytime...

ElasticSearch competitor written in Rust: https://github.com/toshi-search/Toshi

This needs to be handled with care, since it might allow [HTTP desync attacks](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) and request smuggling. @jhwgh1968 might know more about this particular case.

It is written in Rust, but uses LLVM 4.0, so it is probably not usable on latest Rust versions as-is. An for general Rust support is opened on Angora bug...

In an ideal world I'd like to toggle this behavior persistently for each fuzzing target, but unconditional `-Cpanic=abort` makes it impossible. The best way forward that I see is `--ignore-panics`...

For future reference, I currently have no plans to implement this feature by myself because use of libfuzzer in my project is blocked by #174 anyway.