SUSE has issued an advisory on November 15: https://lists.suse.com/pipermail/sle-security-updates/2022-November/012931.html The CVE is actually in rust, so I'm guessing it needs to be fixed there and then 389-ds-base needs to be recompiled with that update. If this CVE has already been fixed in our rust, then the last 389-ds-base update we did should be good.
CC: (none) => nicolas.salguero, rverschelde
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWHM3NVX2ER6EG5E2T2KWUBDPCGYBLYI/
Hi, That CVE affects tokio but 389-ds-base-1.4.0.26 does not seem to use that crate but another one: rsds. Best regards, Nico.
Does this mean that this is not relevant to Mageia? If so, can it be closed 'invalid'? Await luigi's response.
CC: (none) => lewyssmith
Has our rust package fixed this issue?
I cannot find any package named tokio or rust-tokio.
Duplicate of bug 30001?
(In reply to David Walser from comment #4)
> Has our rust package fixed this issue?
According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45710:
> An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
Both rust-1.60.0-1.mga8 and rust-1.65.0-1.mga9 use tokio 1.8.4 as a vendored crate, so it should be fine.
Thanks.
Resolution: (none) => INVALID
Status: NEW => RESOLVED
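The version comparison made in the thread above, as an added example that is not part of the original bug report or of any Mageia tooling: it reads the tokio version pinned in a Cargo.lock and tests it against the affected ranges quoted from the CVE description. The lock file excerpt is constructed, the function names are hypothetical, and it assumes the vendored crates are pinned in a Cargo.lock.

```python
import re

# Affected ranges as quoted in the thread for CVE-2021-45710:
# "before 1.8.4, and 1.9.x through 1.13.x before 1.13.1".
FIXED_BACKPORT = (1, 8, 4)
RANGE_START = (1, 9, 0)
RANGE_FIXED = (1, 13, 1)

# Constructed Cargo.lock excerpt (not taken from any real package).
SAMPLE_LOCK = '''
[[package]]
name = "tokio"
version = "1.12.0"
dependencies = [
 "pin-project-lite",
]

[[package]]
name = "tokio-util"
version = "0.6.9"
'''

def parse_version(text):
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_affected(version):
    v = parse_version(version)
    return v < FIXED_BACKPORT or RANGE_START <= v < RANGE_FIXED

def tokio_versions(lock_text):
    """List every version of the crate named exactly 'tokio' in a Cargo.lock."""
    found = []
    for chunk in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', chunk, re.MULTILINE)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', chunk, re.MULTILINE)
        if name and ver and name.group(1) == "tokio":
            found.append(ver.group(1))
    return found

def audit(lock_text):
    """Map each pinned tokio version to True if it falls in an affected range."""
    return {v: is_affected(v) for v in tokio_versions(lock_text)}

if __name__ == "__main__":
    for version, bad in audit(SAMPLE_LOCK).items():
        print(f"tokio {version}: {'AFFECTED' if bad else 'not affected'}")
```

An empty result from `audit` means no crate named exactly `tokio` is pinned in that lock file, which matches the 389-ds-base observation earlier in the thread.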