gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-05-07 16:55:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update zeroize_derive (#2625)

Browse Source 
## Issue Addressed

NA

## Proposed Changes

As `cargo audit` astutely pointed out, the version of `zeroize_derive` were were using had a vulnerability:

```
Crate:         zeroize_derive
Version:       1.1.0
Title:         `#[zeroize(drop)]` doesn't implement `Drop` for `enum`s
Date:          2021-09-24
ID:            RUSTSEC-2021-0115
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0115
Solution:      Upgrade to >=1.2.0
```

This PR updates `zeroize` and `zeroize_derive` to appease `cargo audit`.

`tiny-bip39` was also updated to allow compile.

## Additional Info

I don't believe this vulnerability actually affected the Lighthouse code-base directly. However, `tiny-bip39` may have been affected which may have resulted in some uncleaned memory in Lighthouse. Whilst this is not ideal, it's not a major issue. Zeroization is a nice-to-have since it only protects from sophisticated attacks or attackers that already have a high level of access already.
This commit is contained in:
Paul Hauner
2021-09-25 05:58:37 +00:00
parent fe52322088
commit 924a1345b1
7 changed files with 16 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/account_utils/Cargo.toml
View File

@@ -11,7 +11,7 @@ rand = "0.7.3"
eth2_wallet = { path = "../../crypto/eth2_wallet" }
eth2_keystore = { path = "../../crypto/eth2_keystore" }
filesystem = { path = "../filesystem" }
zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
zeroize = { version = "1.4.2", features = ["zeroize_derive"] }
serde = "1.0.116"
serde_derive = "1.0.116"
serde_yaml = "0.8.13"