-
Notifications
You must be signed in to change notification settings - Fork 531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
time/iana-time-zone 0.1.45 suffer from CVE-2020-26235 #1002
Comments
|
This is about time, not iana-time-zone. See #602. |
|
#602 (comment) |
In any case, looks like the best solution (which is what many others are doing) is to simply not use chrono. |
I mean, you could certainly use time. But also know that the advisory is actually irrelevant here -- chrono does not use the vulnerable parts of the time 0.1.45 package, so there's actually no issue here. Unfortunately due to compatibility issues we cannot just easily drop it. |
Yes, i understand the advisory does not apply. |
@djc if this CVE does not affect chrono, should it be added to Lines 5 to 10 in daa86a7
|
@mickvangelderen - I believe this will only stop the warning in our own CI runs, but not in others |
The iana-time-zone dependency on fixed version 0.1.45 makes it impossible to fix CVE-2020-26235
The text was updated successfully, but these errors were encountered: