SUSE has issued an advisory today (September 28):
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012440.html

The issues are fixed upstream in 1.64.0:
https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.64.0
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4Y2GQ3KKHNMQQ5UVVE7ZY3R7TP3MA5MD/
Cauldron already has 1.64.0.
Version: Cauldron => 8
Source RPM: rust-1.63.0-1.mga9.src.rpm => rust-1.60.0-1.mga8
Whiteboard: MGA8TOO => (none)
Fedora has issued an advisory on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FVEI4CC7IBADIPB4HSLIYEX2LBAP5TC3/

The issue is fixed upstream in 1.66.1:
https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Status comment: Fixed upstream in 1.64.0 => Fixed upstream in 1.66.1
Severity: normal => major
Summary: rust new security issues CVE-2022-3611[34] => rust new security issues CVE-2022-3611[34] and CVE-2022-46176
*** Bug 31393 has been marked as a duplicate of this bug. ***
CC: (none) => nicolas.salguero
(In reply to David Walser from comment #3)
> Fedora has issued an advisory on January 13:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FVEI4CC7IBADIPB4HSLIYEX2LBAP5TC3/
>
> The issue is fixed upstream in 1.66.1:
> https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j
>
> Mageia 8 is also affected.

Another reference:
https://www.openwall.com/lists/oss-security/2023/01/10/3
Pushed rust-1.66.1-mga9 to Cauldron.

Now for Mageia 8, it's a bit trickier. We currently have rust 1.60.0 there. CVE-2022-3611[34] seem fairly trivial to backport, but CVE-2022-46176 is much more complex and requires updating a bunch of vendored crates. I don't trust it would apply _at all_ on anything other than 1.66.0.

Patches in https://github.com/rust-lang/wg-security-response/tree/main/patches

So either we leave it unfixed (seems to be the Debian strategy), or we have to do the full update to 1.66.1 in Mageia 8 (which means building successively 1.61, 1.62, 1.63, 1.64, 1.65 and then 1.66.1, hoping that it plays well with the packages we have in Mageia 8... it's a lot of work).
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
SUSE fixed CVE-2022-46176 for rust 1.65. I don't know if that helps:
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013517.html
If we update rust, we need to rebuild cargo-c with the updated rust:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OLQEJPETSSBCHSDHX4JDMLCD2MMBG5SR/
Blocks: (none) => 32394
Badly needed for Firefox, which is EOL, security risk!

Bug 32394 - Backport Firefox 115 for Mageia 8

If we decide to not fix this, that also means not updating Firefox, which means we do have to tell users officially to get new Firefox from upstream or as Flatpak. (Unless there is another way to get the mga8 package Firefox updated.)
CC: (none) => fri
Priority: Normal => High
I don't have time to work on it, updating rust in Mageia 8 all the way to 1.66.0 would take a lot of time and effort, and backporting the patches would similarly be difficult. Mageia 8 EOL can't arrive soon enough...
Mageia 8 EOL
Resolution: (none) => OLD
Status: NEW => RESOLVED