tls-parser
0.8.1 specifies deps with known vulnerabilities
0.8.1 is used by the Suricata 5.0.x stable branch. It was reported to us that there are CVEs assigned to rand_core versions used by this version of tls-parser.
Advisory: https://github.com/rust-random/rand/security/advisories/GHSA-mmc9-pwm7-qj5w
More details https://redmine.openinfosecfoundation.org/issues/4716
tls-parser 0.9.4 is used by Suricata 6. It uses rand_core 0.5.1. I don't know if this is also vulnerable.
@jasonish thinks the used versions may in fact be fine, see the suricata ticket for more details. Would love to hear if you agree.
Hi @victorjulien ,
I believe the impact is limited: rand and rand_core are not really used by tls-parser, they are only used to generate a static hashmap of known ciphers during build (and are not used at runtime).
Nevertheless, I will look into an update.
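One way to check the first question raised above (which rand_core version a given tls-parser tree actually resolves, and through which crates) is to read it off the lockfile; the following is an added example, not code from this thread or from the tls-parser project, and its Cargo.lock excerpt and dependency chain are constructed for illustration rather than copied from the real crate. It only answers the version question: whether a crate is build-only, as described in the reply above, has to be read from Cargo.toml and build.rs, not from Cargo.lock.

```python
import re

# Constructed Cargo.lock excerpt for illustration; the chain below is
# a simplified assumption, not the real tls-parser dependency graph.
SAMPLE_LOCK = """
[[package]]
name = "tls-parser"
version = "0.9.4"
dependencies = [
 "rand",
]

[[package]]
name = "rand"
version = "0.7.3"
dependencies = [
 "rand_core",
]

[[package]]
name = "rand_core"
version = "0.5.1"
"""

def parse_lock(text):
    """Return {crate: (resolved version, [direct dependency crates])}."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        # Entries are "crate" or "crate version"; keep the crate name only.
        pkgs[name] = (version, [d.split()[0] for d in
                                re.findall(r'"([^"]+)"', deps.group(1))] if deps else [])
    return pkgs

def chains_to(pkgs, target):
    """Every root -> ... -> target chain, as `cargo tree -i <target>` would show it."""
    parents = {}
    for name, (_, deps) in pkgs.items():
        for d in deps:
            parents.setdefault(d, []).append(name)
    chains = []
    def walk(node, chain):  # chain is built target-first, then reversed for output
        if node not in parents:
            chains.append(" -> ".join(f"{n} {pkgs[n][0]}" for n in reversed(chain)))
        for p in parents.get(node, []):
            walk(p, chain + [p])
    walk(target, [target])
    return chains
```

Run `chains_to(parse_lock(open("Cargo.lock").read()), "rand_core")` against a real lockfile to list every path that pulls the crate in, then compare the resolved version with the advisory's affected range.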
@chifflier I think this issue could be closed.
Indeed, this issue can be closed; it has been resolved for some time now.