gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-05-07 08:52:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update zeroize_derive (#2625)

Browse Source 
## Issue Addressed

NA

## Proposed Changes

As `cargo audit` astutely pointed out, the version of `zeroize_derive` were were using had a vulnerability:

```
Crate:         zeroize_derive
Version:       1.1.0
Title:         `#[zeroize(drop)]` doesn't implement `Drop` for `enum`s
Date:          2021-09-24
ID:            RUSTSEC-2021-0115
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0115
Solution:      Upgrade to >=1.2.0
```

This PR updates `zeroize` and `zeroize_derive` to appease `cargo audit`.

`tiny-bip39` was also updated to allow compile.

## Additional Info

I don't believe this vulnerability actually affected the Lighthouse code-base directly. However, `tiny-bip39` may have been affected which may have resulted in some uncleaned memory in Lighthouse. Whilst this is not ideal, it's not a major issue. Zeroization is a nice-to-have since it only protects from sophisticated attacks or attackers that already have a high level of access already.
This commit is contained in:
Paul Hauner
2021-09-25 05:58:37 +00:00
parent fe52322088
commit 924a1345b1
7 changed files with 16 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/eth2_key_derivation/Cargo.toml
View File

@@ -8,7 +8,7 @@ edition = "2018"
[dependencies]
sha2 = "0.9.1"
zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
zeroize = { version = "1.4.2", features = ["zeroize_derive"] }
num-bigint-dig = { version = "0.6.0", features = ["zeroize"] }
ring = "0.16.19"
bls = { path = "../bls" }