CVE-2023-32001 affecting package rust for versions less than 1.72.0-2
CVE-2023-32001 affecting package rust for versions less than 1.72.0-2. An upgraded version of the package is available that resolves this issue...
CVE-2023-27534 affecting package rust for versions less than 1.72.0-2
CVE-2023-27534 affecting package rust for versions less than 1.72.0-2. An upgraded version of the package is available that resolves this issue...
CVE-2023-23916 affecting package rust for versions less than 1.72.0-2
CVE-2023-23916 affecting package rust for versions less than 1.72.0-2. An upgraded version of the package is available that resolves this issue...
CVE-2023-3817 affecting package rust for versions less than 1.68.2-5
CVE-2023-3817 affecting package rust for versions less than 1.68.2-5. A patched version of the package is available...
Moderate Photon OS Security Update - PHSA-2023-5.0-0067
Updates of 'rust' packages of Photon OS have been released...
USN-6275-1: Cargo vulnerability
Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user...
UBUNTU-CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writable by any local...
Cargo security breach
Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in versions of Cargo prior to 0.72.2, which stems from the fact that on UNIX-like systems, Cargo does not take into account the umask setting when extracting crate archives...
AZL-26693 CVE-2023-29935 affecting package rust for versions less than 1.72.0-1
llvm-project commit a0138390 was discovered to contain an assertion failure at !replacements.count(op) && "operation was already replaced...
AZL-25811 CVE-2023-27535 affecting package rust for versions less than 1.72.0-2
An authentication bypass vulnerability exists in libcurl 8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain...
AZL-25809 CVE-2023-27536 affecting package rust for versions less than 1.72.0-2
An authentication bypass vulnerability exists in libcurl 8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects...
AZL-25858 CVE-2023-27537 affecting package rust for versions less than 1.72.0-2
A double free vulnerability exists in libcurl 8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without consideration for doing this sharing across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread...
AZL-25808 CVE-2023-27538 affecting package rust for versions less than 1.72.0-2
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequen...
AZL-25810 CVE-2023-27534 affecting package rust for versions less than 1.72.0-2
A path traversal vulnerability exists in the curl 8.0.0 SFTP implementation that causes the tilde character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can...
AZL-25709 CVE-2023-0464 affecting package rust for versions less than 1.68.0-1
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of...
AZL-13660 CVE-2023-23915 affecting package rust for versions less than 1.72.0-2
A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP...
AZL-61516 CVE-2022-31394 affecting package rust for versions less than hyper-0.14.25
Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks...
Amazon Linux 2022 : cargo, clippy, rust (ALAS2022-2023-278)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2023-278 advisory. Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rust1.66 (SUSE-SU-2023:0132-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:0132-1 advisory. - Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform...
Fedora 36 : rust (2023-575fcaf4bf)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-575fcaf4bf advisory. Security fix for CVE-2022-46176: Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. For more details, see the...