chore(deps): update rust crate time to v0.3.47 [security]#1616
Open
renovate[bot] wants to merge 1 commit into main from
7749e1f to 4edb905
This PR contains the following updates:
time 0.3.41 → 0.3.47
GitHub Vulnerability Alerts
CVE-2026-25727
Impact
When user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.
Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.
Denial of Service via Stack Exhaustion
CVE-2026-25727 / GHSA-r6v5-fh4h-64xc / RUSTSEC-2026-0009
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
This data is provided by OSV and the Rust Advisory Database (CC0 1.0).
time vulnerable to stack exhaustion Denial of Service attack
CVE-2026-25727 / GHSA-r6v5-fh4h-64xc / RUSTSEC-2026-0009
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
time-rs/time (time)
v0.3.47
Security
The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been
eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now,
the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable
limit.
This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.
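As an added illustration (not the time crate's own code), the following toy parser for RFC 2822 comments, which the grammar allows to nest, applies both mitigations the advisory and release note describe: the input-length cap from the Workarounds section and a u32 recursion-depth counter that returns an error instead of recursing further, as the v0.3.47 fix does. The page does not say which RFC 2822 construct the crate recurses on, so the nested-comment grammar, MAX_INPUT_LEN and MAX_DEPTH are assumptions.

```rust
// Added example, not code from the time crate. Parses RFC 2822-style CFWS
// ("(a (b) c)" comments plus whitespace) with an input-length cap and a
// bounded recursion depth so deeply nested input yields an error, not a crash.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    InputTooLong { len: usize, max: usize },
    TooDeep { max: u32 },
    Unbalanced,
}

pub const MAX_INPUT_LEN: usize = 1024; // assumed cap, not a value from the advisory
pub const MAX_DEPTH: u32 = 32;         // assumed "reasonable limit" on nesting

/// Parse one comment starting at `input[pos]` (which must be '(') and return the
/// index just past its matching ')'. Depth is tracked as a u32, as in the fix.
fn comment(input: &[u8], mut pos: usize, depth: u32) -> Result<usize, ParseError> {
    if depth > MAX_DEPTH {
        return Err(ParseError::TooDeep { max: MAX_DEPTH });
    }
    debug_assert_eq!(input[pos], b'(');
    pos += 1;
    while pos < input.len() {
        match input[pos] {
            b'(' => pos = comment(input, pos, depth + 1)?, // nested comment: recurse
            b')' => return Ok(pos + 1),
            b'\\' => pos += 2, // quoted-pair: skip the escaped byte
            _ => pos += 1,
        }
    }
    Err(ParseError::Unbalanced)
}

/// Strip leading comments and whitespace, returning the rest of the input.
pub fn strip_cfws(input: &str) -> Result<&str, ParseError> {
    if input.len() > MAX_INPUT_LEN {
        return Err(ParseError::InputTooLong { len: input.len(), max: MAX_INPUT_LEN });
    }
    let bytes = input.as_bytes();
    let mut pos = 0;
    while pos < bytes.len() {
        match bytes[pos] {
            b' ' | b'\t' | b'\r' | b'\n' => pos += 1,
            b'(' => pos = comment(bytes, pos, 1)?,
            _ => break,
        }
    }
    Ok(&input[pos..])
}
```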
Compatibility
error at compile time if the type being formatted does not provide sufficient information. This would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is only configured for parsing (i.e. Iso8601::PARSING) will error at compile time.
Added
when done manually.
date!(2026-W01-2) is now supported. Previously, a space was required between W and 01.
[end] now has a trailing_input modifier which can either be prohibit (the default) or discard. When it is discard, all remaining input is ignored. Note that if there are components after [end], they will still attempt to be parsed, likely resulting in an error.
Changed
Fixed
This has been fixed such that the number of bytes written is always correct.
eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the depth as u8, it is stored as u32. This would require multiple gigabytes of nested input to overflow, at which point we've got other problems and trivial mitigations are available by downstream users.
v0.3.46
Added
All possible panics are now documented for the relevant methods.
The need to use #[serde(default)] when using custom serde formats is documented. This applies only when deserializing an Option<T>.
Duration::nanoseconds_i128 has been made public, mirroring std::time::Duration::from_nanos_u128.
Various methods for truncating components have been added, avoiding the need to call the fallible replace methods multiple times.
For PrimitiveDateTime, UtcDateTime, and OffsetDateTime: truncate_to_day
For Time, PrimitiveDateTime, UtcDateTime, and OffsetDateTime: truncate_to_hour, truncate_to_minute, truncate_to_second, truncate_to_millisecond, truncate_to_microsecond
Changed
part of this.
error::ComponentRange, along with types that contain it, has been significantly reduced.
Fixed
PartialOrd and Ord implementations of UtcOffset now return the expected result.
v0.3.45
Added
time::format_description::StaticFormatDescription type alias for &'static [BorrowedFormatItem<'static>]. This is the type returned by the time::macros::format_description! macro.
Changed
Duration are now const fn.
Parsed are now const fn.
serde dependency has been replaced with serde_core. This reduces compile times by not including unused parts of serde.
Date::from_julian_day uses a new algorithm, resulting in an approximately 16% performance improvement. This method is used internally by numerous other methods.
util::is_leap_year uses a new algorithm, resulting in an approximately 8% performance improvement.
v0.3.44
Fixed
PrimitiveDateTime, UtcDateTime, and OffsetDateTime with differing signs (i.e. one negative and one positive year) would return the inverse result of what was expected. This was introduced in v0.3.42 and has been fixed.
wasm-bindgen enabled serde_json. This has been fixed by explicitly specifying the type in the relevant locations.
v0.3.43
Added
rand 0.9
Fixed
convert module, any use of per with types that were not the same (such as Nanosecond::per(Second)) would not compile due to a bug. This has been fixed.
v0.3.42
Added
Time::duration_until
Time::duration_since
per_t method for all types in time::convert. This is similar to the existing per method, but can return any of the primitive numeric types that can represent the result. This will cut down on as casts while ensuring correctness. Type inference isn't perfect, so you may need to provide a type annotation in some situations.
impl PartialOrd for Month and impl Ord for Month; this assumes the months are in the same year
SystemTimeExt trait, adding methods for checked arithmetic with time::Duration and obtaining the difference between two SystemTimes as a time::Duration
UtcDateTime with rand (this was inadvertently omitted previously)
impl core::error::Error for all error types (now available when the std feature is disabled)
thread-safe.
#[track_caller] has been added to all relevant methods.
Changed
itoa has been removed, as the standard library now has similar functionality by default.
deterministic, avoiding any subtle differences between platforms or compiler versions.
Fixed
Previously, it could be off by one nanosecond due to floating point imprecision.
OffsetDateTime::to_offset and UtcDateTime::to_offset has been fixed. The bug could result in a value that was invalid. It was unlikely to ever occur in real-world code, as it involved passing a UTC offset that has never been used in any location.
Miscellaneous
typical use cases of format_description!.
Time, PrimitiveDateTime, UtcDateTime, and OffsetDateTime. The first three have gains of approximately 85% (i.e. 6× faster).
#[inline].
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Europe/Berlin.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate.