Just woke up to 5 vulnerability alerts (4 high severity) for the OpenSSL Rust crate. Now I'm even more thankful we've made the switch to rustls in lychee. I've only seen advantages so far. The transition was totally smooth, and now we have faster, more stable and apparently more secure TLS.

Thank you @djc, @ctz et al. for this amazing piece of software!

#rust #openssl #rustls

@thomas_zahner it looks like they were now all downgraded to "medium" or "low" severity? (still bad, but I guess *less* bad?)

@decathorpe Hmm I still see them as high severity, but not sure how easy it is to exploit them in the real world.

As far as I understand, many of the vulnerabilities are caused by FFI and incorrect pointer logic; after all, the library is just bindings for OpenSSL. rustls, in contrast, is a full Rust implementation, reducing the need for unsafe code and raw pointers, which greatly reduces the probability of such bugs.
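For readers who want to make the same switch in their own project, here is an added example (not lychee's actual manifest, and not part of this thread) of what the dependency change typically looks like when the HTTP client is reqwest: the default `native-tls` backend (which pulls in the `openssl` and `openssl-sys` crates on Linux) is disabled and the `rustls-tls` feature is enabled instead. The crate and feature names are reqwest's real ones; the package name and version are placeholders.

```toml
# Cargo.toml fragment (added example; package name and version are placeholders)
[package]
name = "example-link-checker"
version = "0.1.0"
edition = "2021"

[dependencies]
# Turn off reqwest's default features so the native-tls (OpenSSL-backed) backend
# is not compiled in, then opt into the pure-Rust rustls backend explicitly.
reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
```

After the change, confirm that nothing else in the dependency graph still pulls in the bindings with `cargo tree -i openssl-sys` (it prints nothing when the crate is absent), and re-run `cargo audit`; the advisories discussed in this thread only matter if `openssl`/`openssl-sys` actually remain in the lock file through some transitive dependency.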

@thomas_zahner by "downgraded from high to medium" I meant that the original screenshot you included from the GitHub UI shows them as "high" but now that same page lists them as "medium":

https://github.com/rust-openssl/rust-openssl/security

@decathorpe huh, interesting. They might weigh the criteria differently? Until now I thought they would use plain CVSS.

@thomas_zahner I'm not sure what you mean?

They were classified as "high" initially but are "medium" now. So it looks like the severity for those GHSAs was just adjusted down after you made your screenshot.

@decathorpe ah yes, I see, thank you. I just pointed out that I thought GitHub would simply show the CVSS criticality until now. But that's not the case. So I learned something today :)