| Summary: | rust new security issues CVE-2022-3611[34] and CVE-2022-46176 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Rémi Verschelde <rverschelde> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | High | CC: | fri, nicolas.salguero |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | rust-1.60.0-1.mga8 | CVE: | |
| Status comment: | Fixed upstream in 1.66.1 | ||
| Bug Depends on: | |||
| Bug Blocks: | 32394 | ||
Description
David Walser
2022-09-28 19:53:27 CEST

David Walser
2022-09-28 19:53:36 CEST
Status comment: (none) => Fixed upstream in 1.64.0

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4Y2GQ3KKHNMQQ5UVVE7ZY3R7TP3MA5MD/

Cauldron already has 1.64.0.

Version: Cauldron => 8

Fedora has issued an advisory on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FVEI4CC7IBADIPB4HSLIYEX2LBAP5TC3/

The issue is fixed upstream in 1.66.1:
https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO

David Walser
2023-01-18 00:32:32 CET
Summary: rust new security issues CVE-2022-3611[34] => rust new security issues CVE-2022-3611[34] and CVE-2022-46176

(In reply to David Walser from comment #3)
> Fedora has issued an advisory on January 13:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FVEI4CC7IBADIPB4HSLIYEX2LBAP5TC3/
>
> The issue is fixed upstream in 1.66.1:
> https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j
>
> Mageia 8 is also affected.

Another reference:
https://www.openwall.com/lists/oss-security/2023/01/10/3

Pushed rust-1.66.1-mga9 to Cauldron.

Now for Mageia 8, it's a bit trickier. We currently have rust 1.60.0 there. CVE-2022-3611[34] seem fairly trivial to backport, but CVE-2022-46176 is much more complex and requires updating a bunch of vendored crates. I don't trust it would apply _at all_ on anything else than 1.66.0.

Patches in https://github.com/rust-lang/wg-security-response/tree/main/patches

So either we leave it unfixed (seems to be the Debian strategy), or we have to do the full update to 1.66.1 in Mageia 8 (which means building successively 1.61, 1.62, 1.63, 1.64, 1.65 and then 1.66.1, hoping that it plays well with the packages we have in Mageia 8... it's a lot of work).

Whiteboard: MGA8TOO => (none)

SUSE fixed CVE-2022-46176 for rust 1.65. I don't know if that helps:
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013517.html

If we update rust, we need to rebuild cargo-c with the updated rust:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OLQEJPETSSBCHSDHX4JDMLCD2MMBG5SR/

Morgan Leijström
2023-11-11 01:01:12 CET
Blocks: (none) => 32394

Badly needed for Firefox, which is EOL, security risk!
Bug 32394 - Backport Firefox 115 for Mageia 8

If we decide to not fix this, that also means not updating Firefox, which means we do have to tell users officially to get new Firefox from upstream or as Flatpak. (Unless there is another way to get mga8 package Firefox updated)

CC: (none) => fri

I don't have time to work on it, updating rust in Mageia 8 all the way to 1.66.0 would take a lot of time and effort, and backporting the patches would similarly be difficult. Mageia 8 EOL can't arrive soon enough...

Mageia 8 EOL

Resolution: (none) => OLD