CVE-2020-26235 advisory for indirect time 0.1 dependency

[josecelano]

We use the chrono package, which uses the time package. The time package has a vulnerability.

Vulnerabilities: GHSA-wcg3-cvx6-7396
Latest version: https://crates.io/crates/chrono (0.4.24)
Time 0.1.45 is deprecated: https://crates.io/crates/time/0.1.45

They (chrono) plan to release a new version, but the vulnerability was reported on Nov 18, 2020.

More info:

• Latest release 0.4.24 uses time:0.1.45 which has some vulnerabilities chronotope/chrono#1015
• CVE-2020-26235 advisory for time 0.1 dependency chronotope/chrono#602

Maybe we could try to disable some features to remove the dependency with the vulnerability.

[josecelano]

I've just tried to remove all features from chrono package except the clock.

chrono = { version = "0.4.24", default-features = false, features = ["clock"] }

And then, I updated dependencies with cargo update. The mysql_common library also uses it, but it's the newer version which is not affected.

$ cargo tree --invert time
time v0.3.20
└── mysql_common v0.29.2
    └── mysql v23.0.1
        └── r2d2_mysql v23.0.0
            └── torrust-tracker v3.0.0-alpha.2 (/home/josecelano/Documents/github/committer/me/torrust/torrust-tracker)