Skip to content

[Security] Bump tokio from 1.20.1 to 1.20.3

Ghost User requested to merge dependabot-cargo-tokio-1.20.3 into master

Bumps tokio from 1.20.1 to 1.20.3. This update includes a security fix.

Vulnerabilities fixed

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe

Impact

When configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. This also applies if reject_remote_clients is not explicitly set as this is the default configuration and is cleared by calling pipe_mode.

Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publically shared folder (SMB).

Patches

The following versions have been patched:

  • 1.23.1
  • 1.20.3
  • 1.18.4

The fix will also be present in all releases starting from version 1.24.0.

Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

... (truncated)

Patched versions: 1.20.3 Affected versions: >= 1.19.0, < 1.20.3

Release notes

Sourced from tokio's releases.

Tokio v1.20.2

1.20.2 (September 27, 2022)

This release removes the dependency on the once_cell crate to restore the MSRV of the 1.20.x LTS release. (#5048)

#5048: tokio-rs/tokio#5048

Commits
  • ba81945 chore: prepare Tokio 1.20.3 release
  • 763bdc9 ci: run WASI tasks using latest Rust
  • 9f98535 Merge remote-tracking branch 'origin/tokio-1.18.x' into fix-named-pipes-1.20
  • 9241c3e chore: prepare Tokio v1.18.4 release
  • 699573d net: fix named pipes server configuration builder
  • 3d95a46 chore: prepare Tokio v1.20.2 (#5055)
  • 2063d66 Merge 'tokio-1.18.3' into 'tokio-1.20.x' (#5054)
  • 5c76d07 chore: prepare Tokio v1.18.3 (#5051)
  • 05e6614 chore: don't use once_cell for 1.18.x LTS release (#5048)
  • See full diff in compare view

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports