Fix RUSTSEC-2021-0131 when it's fixed in actix-web

[ncloudioj]

This CVE was introduced by actix-web and was temporarily ignored by #287. We should fix it by updating actix-web once it gets fixed there (actix/actix-web#2538).

[robjtede]

Just to check, you folks need it backporting to v3 or no?

[ncloudioj]

Hi @robjtede, thanks for reaching out!

Just to check, you folks need it backporting to v3 or no?

We use actix-web v4 for this project. However, we do use v3 for another project.

@pjenvey @jrconlin Are we planning on upgrading actix-web for Contile at some point?

[jrconlin]

We use actix for a number of projects, including syncstorage, autopush, channelserver and contile. All are planned to move to Actix 4 (once Actix 4 stable is released), and all have likewise included the ignore. It really depends on how critical a vulnerability this fix is and how soon Actix 4 will reach stable.

Of course, even after Actix4 is released, there will have to be some time to update each of these packages, which means that they may be similarly vulnerable, so again, it depends on how critical this fix is to the Actix framework.

[robjtede]

I think the near-term timeline on v4 stable is favorable towards this issue. In the meantime, the quick fix for silencing the advisory on v3 projects is disabling the feature flag for brotli.

I'm willing to help expedite updating projects to v4 after its release to get brotli support back if you choose to disable it.

[robjtede]

I decided to backport the fix after all. A cargo update will get you actix-http v2.2.2 which switches the brotli backend to brotli.

[jrconlin]

Awesome! Thanks!