CVE-2024-43402 was announced here: https://www.openwall.com/lists/oss-security/2024/09/04/3
Status comment: (none) => Fixed upstream in 1.81.0
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => rust-1.78.0-1.mga10.src.rpm, rust-1.76.0-1.1.mga9.src.rpm
CVE: (none) => CVE-2024-43402
We no longer have a registered rust maintainer, so assigning to all packagers collectively. However, neoclust pushed a lot of rust packages recently, so CC'ing him.
Assignee: bugsquad => pkg-bugs
URL: (none) => https://www.openwall.com/lists/oss-security/2024/09/04/3
CC: (none) => mageia, marja11
Fixed in Cauldron.
Whiteboard: MGA9TOO => (none)
Source RPM: rust-1.78.0-1.mga10.src.rpm, rust-1.76.0-1.1.mga9.src.rpm => rust-1.76.0-1.1.mga9.src.rpm
Version: Cauldron => 9
On the dev list, Remi says the new versions of rust require a new llvm.
Depends on: (none) => 33322
I see 1.76 in testing repo, find no related bug, think it should be purged to save substantial storage space. llvm19 is building (iteratively...) so soon new rust can be built.
CC: (none) => fri
(In reply to Morgan Leijström from comment #4)
> I see 1.76 in testing repo, find no related bug, think it should be purged
> to save substantial storage space.
>
> llvm19 is building (iteratively...) so soon new rust can be built.
Rust needs the N-1 version to build version N, so this needs to be kept to build 1.77, and the chain follows until we can reach the last rust version.
llvm19 built successfully. Upping priority as updated rust is needed for building optimal versions of Firefox and Thunderbird.
Severity: normal => major
Priority: Normal => High
llvm19 is too new for rust 1.76. I will try to rebuild llvm17-suite for all arches to build at least rust 1.76 and, then, use llvm19-suite to build Firefox and Thunderbird.
Rust 1.76 was successfully built with llvm17-suite except for armv7hl. Since it is not a mandatory arch, let's build Firefox and Thunderbird, at least for the three mandatory arches.
Yes it is important to get the security updates out for mandatory arches.
(In reply to Nicolas Salguero from comment #8)
> Rust 1.76 was successfully built with llvm17-suite except for armv7hl.
>
> Since it is not a mandatory arch, let's build Firefox and Thunderbird, at
> least for the three mandatory arches.
Rust 1.76 is now also built for armv7hl in mga9 core/updates_testing.
Can rust 1.76 be moved to updates? Chromium M130 does not compile with rust 1.74 from updates while it does build with rust 1.76 currently in updates_testing.
CC: (none) => cjw
It doesn't fix this vulnerability, so it can't be with this bug, but if you file a new bug for it (and assign it to QA), it should be able to be validated immediately, since things have already been built with it (tbh it should have been pushed when it was used to build FF, IINM).
(In reply to David Walser from comment #12)
> (tbh it should have been pushed when it was used to build FF, IINM).
Yes, sorry, I forgot to add it with the previous Firefox update. I will add it to Firefox 128.4 update.
2024-11-09, Bug 33713 - Firefox 128.4 FIXED, with rust 1.76 packages, got moved to updates repo.
Why are there 130+ packages rust-* in /core/updates_testing/ from 2024-09-04 and -05?
(In reply to Morgan Leijström from comment #14)
> 2024-11-09, Bug 33713 - Firefox 128.4 FIXED, with rust 1.76 packages,
> got moved to updates repo.
>
> Why are there 130+ packages rust-* in /core/updates_testing/
> from 2024-09-04 and -05?
They are from other src.rpms not included in the Firefox advisory:
rust-bindgen-0.69.4-1.mga9.src.rpm
rust-bitflags1-1.3.2-2.mga9.src.rpm
rust-cbindgen-0.26.0-0.1.mga9.src.rpm
rust-clap3-3.2.25-2.mga9.src.rpm
rust-env_logger0.7-0.7.1-2.mga9.src.rpm
rust-filetime-0.2.23-1.mga9.src.rpm
rust-fxhash-0.2.1-0.1.mga9.src.rpm
rust-humantime1-1.3.0-1.mga9.src.rpm
rust-indexmap1-1.9.3-0.1.mga9.src.rpm
rust-itertools0.10-0.10.5-1.mga9.src.rpm
rust-libc-0.2.155-1.mga9.src.rpm
rust-log0.3-0.3.9-0.1.mga9.src.rpm
rust-proc-macro2-1.0.86-1.mga9.src.rpm
rust-quickcheck0.9-0.9.2-0.1.mga9.src.rpm
rust-seahash3-3.0.7-0.1.mga9.src.rpm
rust-serial_test0.5-0.5.1-1.mga9.src.rpm
rust-serial_test_derive0.5-0.5.1-0.1.mga9.src.rpm
rust-syn1-1.0.109-1.mga9.src.rpm
rust-tar-0.4.40-1.mga9.src.rpm
rust-textwrap-0.16.0-1.mga9.src.rpm
rust-textwrap0.11-0.11.0-1.mga9.src.rpm
rust-toml0.4-0.4.10-0.1.mga9.src.rpm
rust-toml0.5-0.5.11-1.mga9.src.rpm
rust-xattr-1.0.1-1.mga9.src.rpm
If it is fine to move those packages to updates, we need a bug for them.
(In reply to Christiaan Welvaart from comment #11)
> Can rust 1.76 be moved to updates? Chromium M130 does not compile with rust
> 1.74 from updates while it does build with rust 1.76 currently in
> updates_testing.
Another issue building the new chromium? The requested packages are now in updates; did you require others of the rust packages in testing?