fix(deps): update rust crate tokio to v1.20.4 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tokio (source)	dependencies	patch	1.20.1 -> 1.20.4

GitHub Vulnerability Alerts

CVE-2023-22466

Impact

When configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. This also applies if reject_remote_clients is not explicitly set as this is the default configuration and is cleared by calling pipe_mode.

Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publically shared folder (SMB).

Patches

The following versions have been patched:

• 1.23.1
• 1.20.3
• 1.18.4

The fix will also be present in all releases starting from version 1.24.0.

Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

References

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients

GHSA-4q83-7cq4-p6wg

tokio::io::ReadHalf<T>::unsplit can violate the Pin contract

The soundness issue is described in the tokio/issues#5372

Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)
is unusual, combined with the difficulty of making any arbitrary use-after-free
exploitable in Rust without doing a lot of careful alignment of data types in
the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this
soundness issue.

Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e
and carllerche appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not
affected by this issue.

---

Release Notes

tokio-rs/tokio (tokio)

v1.20.4

Compare Source

v1.20.3

Compare Source

v1.20.2: Tokio v1.20.2

Compare Source

1.20.2 (September 27, 2022)

This release removes the dependency on the once_cell crate to restore the MSRV of the 1.20.x LTS release. (#​5048)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
    Updating git repository `https://github.com/influxdata/influxdb_iox`
error: failed to get `influxdb2_client` as a dependency of package `btwattch2-collector v0.1.0 (/tmp/renovate/repos/github/sksat/btwattch2-collector)`

Caused by:
  failed to load source for dependency `influxdb2_client`

Caused by:
  Unable to update https://github.com/influxdata/influxdb_iox#35f99fe9

Caused by:
  failed to clone into: /home/ubuntu/.cargo/git/db/influxdb_iox-1b9c42dace7f47b7

Caused by:
  failed to authenticate when downloading repository

  * attempted to find username/password via git's `credential.helper` support, but failed

  if the git CLI succeeds then `net.git-fetch-with-cli` may help here
  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli

Caused by:
  failed to acquire username/password from local configuration

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
    Updating git repository `https://github.com/influxdata/influxdb_iox`
remote: Repository not found.
fatal: repository 'https://github.com/influxdata/influxdb_iox/' not found
error: failed to get `influxdb2_client` as a dependency of package `btwattch2-collector v0.1.0 (/tmp/renovate/repos/github/sksat/btwattch2-collector)`

Caused by:
  failed to load source for dependency `influxdb2_client`

Caused by:
  Unable to update https://github.com/influxdata/influxdb_iox#35f99fe9

Caused by:
  failed to clone into: /home/ubuntu/.cargo/git/db/influxdb_iox-1b9c42dace7f47b7

Caused by:
  process didn't exit successfully: `git fetch --force --update-head-ok 'https://github.com/influxdata/influxdb_iox' '+35f99fe9400534fed6c148ec0d35b6435bba823e:refs/commit/35f99fe9400534fed6c148ec0d35b6435bba823e'` (exit status: 128)