Addressing RUSTSEC-2023-0029

[christopinka]

cargo deny is giving me below report. Is there a plan for a fix?

error[vulnerability]: TLS certificate common name validation bypass ┌─ /home/ctopinka1/git-test/di-apps/Cargo.lock:167:1 │ 167 │ nats 0.24.0 registry+https://github.com/rust-lang/crates.io-index │ ----------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2023-0029 = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0029 = The NATS official Rust clients are vulnerable to MitM when using TLS.

  A fix for the `nats` crate hasn't been released yet. Since the `nats` crate
  is going to be deprecated anyway, consider switching to `async-nats` `>= 0.29`
  which already fixed this vulnerability.
  
  The common name of the server's TLS certificate is validated against
  the `host`name provided by the server's plaintext `INFO` message
  during the initial connection setup phase. A MitM proxy can tamper with
  the `host` field's value by substituting it with the common name of a
  valid certificate it controls, fooling the client into accepting it.
  
  ## Reproduction steps
  
  1. The NATS Rust client tries to establish a new connection
  2. The connection is intercepted by a MitM proxy
  3. The proxy makes a separate connection to the NATS server
  4. The NATS server replies with an `INFO` message
  5. The proxy reads the `INFO`, alters the `host` JSON field and passes
     the tampered `INFO` back to the client
  6. The proxy upgrades the client connection to TLS, presenting a certificate issued
     by a certificate authority present in the client's keychain.
     In the previous step the `host` was set to the common name of said certificate
  7. `rustls` accepts the certificate, having verified that the common name matches the
     attacker-controlled value it was given
  9. The client has been fooled by the MitM proxy into accepting the attacker-controlled certificate
= Solution: No safe upgrade is available!
= nats v0.24.0
  ├── coordination-service v0.0.1
  │   └── di-app v0.3.0
  ├── cvr v0.1.0
  │   └── di-app v0.3.0 (*)
  └── microgrid-controller v0.2.0
      └── di-app v0.3.0 (*)

[barafael]

@christopinka the nats crate mentioned in the header is unmaintained