The brotli-sys crate bundles a very old version of the brotli C library, which is susceptible to CVE-2020-8927. There is now also a RustSec advisory for brotli-sys 0.3.2 - RUSTSEC-2021-0131.

The brotli library in Fedora was updated to a version that does not have this issue long ago:

https://bodhi.fedoraproject.org/updates/FEDORA-2020-c76a35b209
https://bodhi.fedoraproject.org/updates/FEDORA-2020-9336b65f82
https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc9a739f0c

However, the package for the brotli-sys crate bundles brotli 0.6.0, which is very, very old (released on April 10, 2017).

CVE entry for brotli: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8927
RustSec advisory: https://rustsec.org/advisories/RUSTSEC-2021-0131.html
Upstream issue: https://github.com/bitemyapp/brotli2-rs/issues/45

There is also no mechanism in this package to build against the system libbrotli, which would have prevented such a problem. Maybe optionally building with bindgen against the system libbrotli can be made an option?
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
Since the update to actix-web v4, the package for the brotli-sys crate is unused in Fedora, except as a dependency of rust-brotli2, which is, in turn, no longer depended on by any Fedora package. I will probably retire both of them, considering that upstream has been pretty dead since 2021 and is ignoring requests to update the bundled brotli library. (cf. https://github.com/bitemyapp/brotli2-rs/issues/45)