Open
Description
- Data race in Iter and IterMut
(Packages/_Index/evaera_promise@4.0.0/promise/modules/testez/Cargo.lock)
In the affected version of this crate, {Iter, IterMut}::next used a weaker memory ordering when loading values than what was required, exposing a potential data race
when iterating over a ThreadLocal's values.
Crates using Iter::next, or IterMut::next are affected by this issue.
- Rust's regex crate vulnerable to regular expression denial of service
(Packages/_Index/evaera_promise@4.0.0/promise/modules/testez/Cargo.lock)
The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned https://github.com/advisories/GHSA-m5pq-gvj9-9vr8. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.
- crossbeam-utils Race Condition vulnerability
(Packages/_Index/evaera_promise@4.0.0/promise/modules/testez/Cargo.lock)
The affected version of this crate incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64.
However, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64.
This can cause the following problems:
- Unaligned memory accesses
- Data race
Dependabot can automate a pull request to fix some of these issues, but I believe this issue will continue to reoccur in other versions of the package.
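The crossbeam-utils advisory above turns on one fact: the alignment a `u64` is guaranteed is not the alignment an `AtomicU64` requires, so treating any `&u64` as an `&AtomicU64` is unsound on 32-bit targets. The example below is added here to show the check the flawed code skipped; it is not code from the issue, from crossbeam-utils, or from Dependabot. The names `as_atomic_u64`, `Buf`, `alignments` and `demo` are hypothetical, and the 16-byte buffer is constructed input.

```rust
use std::mem::{align_of, size_of};
use std::sync::atomic::{AtomicU64, Ordering};

/// Reinterpret a `*const u64` as `&AtomicU64` only if the pointer meets the
/// *atomic* type's alignment. A `&u64` alone is not sufficient evidence: on a
/// 32-bit target `align_of::<u64>()` can be 4 while `align_of::<AtomicU64>()`
/// is 8, which is exactly the assumption the advisory describes as wrong.
///
/// # Safety
/// `p` must point to a live, writable `u64` that outlives `'a` and is not
/// accessed non-atomically while the returned reference exists.
pub unsafe fn as_atomic_u64<'a>(p: *const u64) -> Option<&'a AtomicU64> {
    // Sizes match on every target; only alignment can differ.
    debug_assert_eq!(size_of::<u64>(), size_of::<AtomicU64>());
    if p.is_null() || (p as usize) % align_of::<AtomicU64>() != 0 {
        return None;
    }
    Some(&*(p as *const AtomicU64))
}

/// Alignments of the plain and atomic 64-bit types on the current target.
pub fn alignments() -> (usize, usize) {
    (align_of::<u64>(), align_of::<AtomicU64>())
}

/// Constructed 16-byte buffer, forced to 8-byte alignment so that byte
/// offsets inside it have a known alignment on every target.
#[repr(C, align(8))]
pub struct Buf(pub [u8; 16]);

/// Returns (aligned_cast_worked, misaligned_cast_rejected).
pub fn demo() -> (bool, bool) {
    let mut buf = Buf([0u8; 16]);
    let base = buf.0.as_mut_ptr();

    // Offset 0 is 8-byte aligned: the cast is accepted and usable.
    let aligned = unsafe { as_atomic_u64(base as *const u64) };
    // Offset 4 is only 4-byte aligned: enough for `u64` on many 32-bit
    // targets, never enough for `AtomicU64`, so the cast must be refused.
    let misaligned = unsafe { as_atomic_u64(base.add(4) as *const u64) };

    let aligned_ok = match aligned {
        Some(a) => {
            a.store(7, Ordering::Relaxed);
            a.load(Ordering::Relaxed) == 7
        }
        None => false,
    };
    (aligned_ok, misaligned.is_none())
}

fn main() {
    let (plain, atomic) = alignments();
    println!("align_of::<u64>() = {plain}, align_of::<AtomicU64>() = {atomic}");
    let (ok, rejected) = demo();
    println!("aligned cast usable: {ok}, misaligned cast rejected: {rejected}");
}
```

On a 64-bit host both alignments print as 8 and the first line shows nothing surprising; the point is the second line, where the 4-byte offset is rejected regardless of target. A cast helper that relies on `align_of::<u64>()` instead of `align_of::<AtomicU64>()` would accept that pointer on a 32-bit target and produce the unaligned access and data race the advisory lists.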