Add a cargo-audit exception for RUSTSEC-2023-0052

We've solved this for rustls-webpki, but tls-api (which arti-hyper uses) still requires the unmaintained webpki crate. See #1016.
2023-08-22 10:00:02 -04:00 · 2023-08-22 10:00:02 -04:00 · 55bc297704
parent 15bde8568c
commit 55bc297704
1 changed files with 13 additions and 0 deletions
--- a/maint/cargo_audit
+++ b/maint/cargo_audit
@ -28,6 +28,19 @@ IGNORE=(
    # are not affected.  We should eventually upgrade to
    # ed25519-dalek >= 2, however.
    --ignore RUSTSEC-2022-0093
+    # This is a DOS vulnerability against rustls-webpki (only some versions)
+    # and webpki (all versions) where some cert chains can cause
+    # ridiculous CPU usage.
+    #
+    # We've upgraded our rustls-webpki usage, but webpki (which is
+    # unmaintained) is still used by tls-api, which we use from
+    # arti-hyper.
+    #
+    # I've opened https://github.com/stepancheg/rust-tls-api/issues/45
+    # for this issue, but I'm not sure whether `tls-api` is maintained.
+    #
+    # See https://gitlab.torproject.org/tpo/core/arti/-/issues/1016
+    --ignore RUSTSEC-2023-0052
 )

 ${CARGO:-cargo} audit -D warnings "${IGNORE[@]}"