In-tree libraries vulnerable to RUSTSEC-2023-0052 due to jsonrpsee

[kayabaNerve]

Is there an existing issue?

• I have searched the existing issues

Experiencing problems? Have you tried our Stack Exchange first?

• This is not a support question.

Description of bug

jsonrpsee (currently 0.16) pulls in a variety of legacy networking crates, including ones vulnerable to RUSTSEC-2023-0052. AFAICT, updating to 0.20 updates everything (or almost everything) in the dependency tree from webpki to rustls-webpki, resolving the RUSTSEC (and also modernizing the tree in generally).

I did try to perform the work locally, yet the amount of changes to the subscription API made me realize I could not do a proper job within a reasonable amount of time due to my unfamiliarity with the codebase in question.

Apologies if this isn't optimally filed.

Steps to reproduce

No response

[ggwpez]

cc @niklasad1
There is a MR open here paritytech/substrate#14771, but no integration work so far.

[ggwpez]

The bump bot actually claims that this closes the problem for us paritytech/substrate#14812

certificate path building and verification is now capped at 100 signature validation operations to avoid the risk of CPU usage denial-of-service attack when validating crafted certificate chains producing quadratic runtime. This risk affected both clients, as well as servers that verified client certificates.

[niklasad1]

There is an open PR for jsonrpsee bump paritytech/substrate#13992 but we have discovered a few regressions, it's on our radar.

FWIW, it just the jsonrpsee client that is concerned by this issue and I think bumping the rustls-webpki should do it.

[kayabaNerve]

Sorry for missing the PRs, and thanks for clarifying it's the client code alone.

0.16 uses webpki, which doesn't have a bump available, not rustls-webpki hence the issue (though again, I do hear that's just for the client code which I'm unsure if it impacts this repo directly).

[niklasad1]

It doesn't impact the substrate node (the RPC server) but there are some "tools" in the substrate repo that are using jsonrpsee client.

[niklasad1]

I'll fix this issue on jsonrpsee v0.16 as well

[kayabaNerve]

Much appreciated! Thank you for the patch release!

[niklasad1]

Closed by the jsonrpsee patch release v0.16.3