9527 matches found

Tenable Nessus
added 2023/11/07 12:0 a.m., 7 views

Fedora 39 : rust-rustls-webpki (2023-4ae90bc849)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-4ae90bc849 advisory. Update to version 0.100.2. This includes a fix for RUSTSEC-2023-0053 denial-of-service via crafted certificate chains. Tenable has extracted the preceding...

AI score: 5.6
Exploits: 0, References: 1
Tenable Nessus
added 2023/11/07 12:0 a.m., 19 views

Fedora 39 : firecracker / rust-aes-gcm (2023-17bdd59177)

The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-17bdd59177 advisory. - Update the aes-gcm crate to version 0.10.3. Addresses CVE-2023-42811. - Rebuild dependent packages firecracker for aes-gcm v0.10.3...

CVSS: 5.5, AI score: 5.8, EPSS: 0.00262
Exploits: 1, References: 2
Tenable Nessus
added 2023/11/07 12:0 a.m., 22 views

Fedora 39 : rust-axum / rust-tokio-tungstenite / rust-tungstenite / rust-warp (2023-91a66898d2)

The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-91a66898d2 advisory. - Update the axum crate to version 0.6.20. - Update the tokio-tungstenite crate to version 0.20.1. - Update the tungstenite crate to version 0.20.1. - Port...

CVSS: 7.5, AI score: 7.3, EPSS: 0.0162
Exploits: 1, References: 2
Tenable Nessus
added 2023/11/07 12:0 a.m., 44 views

Rocky Linux 8 : rust-toolset:rhel8 (RLSA-2021:1935)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:1935 advisory. - In the standard library in Rust before 1.49.0, String::retain function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when...

CVSS: 9.8, AI score: 7.9, EPSS: 0.01676
Exploits: 2, References: 5
Tenable Nessus
added 2023/11/07 12:0 a.m., 17 views

Fedora 39 : rust-askama / rust-askama_shared / rust-comrak (2023-aa46db07fd)

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-aa46db07fd advisory. - Update comrak to version 0.18.0. - Disable the unused markdown support in askama and askama_shared crates, which depends on an ancient version of...

CVSS: 9.8, AI score: 7.8, EPSS: 0.01268
Exploits: 0, References: 3
Tenable Nessus
added 2023/11/07 12:0 a.m., 17 views

Rocky Linux 8 : rust-toolset:rhel8 (RLSA-2022:1894)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:1894 advisory. - Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG...

CVSS: 7.3, AI score: 7.1, EPSS: 0.01376
Exploits: 1, References: 4
OSV
added 2023/11/06 12:0 p.m., 2 views

RUSTSEC-2023-0114 `tiny-server` was removed from crates.io for malicious code

This crate was part of a typosquatting malware cluster published by the malicious user http-tiny and contained a malware payload in build.rs to exfiltrate host information to the attacker. This advisory is to retrospectively document this attempted attack. The version information and download...

AI score: 5.8
Exploits: 0, References: 2
Tenable Nessus
added 2023/11/06 12:0 a.m., 25 views

Rocky Linux 8 : rust-toolset:rhel8 (RLSA-2021:4270)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2021:4270 advisory. - library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which in so...

CVSS: 9.1, AI score: 8.2, EPSS: 0.02623
Exploits: 1, References: 3
OSSF Malicious Packages
added 2023/11/01 5:5 p.m., 4 views

Malicious code in ironfish-rust-nodejs (npm)

Source: ghsa-malware (7c72ce118b54d6f7c389cffe8b206419fdb96d698e61557ce25e5240a5ca6c38). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 1
OSV
added 2023/11/01 5:5 p.m., 25 views

MAL-2023-8419 Malicious code in ironfish-rust-nodejs (npm)

Source: ghsa-malware (7c72ce118b54d6f7c389cffe8b206419fdb96d698e61557ce25e5240a5ca6c38). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7.2
Exploits: 0, References: 1
CNNVD
added 2023/10/30 12:0 a.m., 4 views

tinyfiledialogs-rs Security Vulnerabilities

tinyfiledialogs-rs is a tinyfiledialog library highly bound to Rust. A security vulnerability in tinyfiledialogs-rs prior to version 3.8.0, which stems from an incomplete fix in CVE-2020-36767, allows the use of shell metacharacters in headers, messages, and other input data, leading to code...

CVSS: 9.8, AI score: 7.5, EPSS: 0.00719
Exploits: 2, References: 3
The Hacker News
added 2023/10/26 4:25 a.m., 52 views

YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

A relatively new threat actor known as YoroTrooper is likely made up of operators originating from Kazakhstan. The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani...

AI score: 6.7
Exploits: 0
NVD
added 2023/10/25 6:17 p.m., 30 views

CVE-2023-46135

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...

CVSS: 7.5, AI score: 6, EPSS: 0.00762
Exploits: 1, References: 2
Prion
added 2023/10/25 6:17 p.m., 15 views

Code injection

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...

CVSS: 5, AI score: 7.5, EPSS: 0.00762
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2023/10/25 12:38 a.m., 64 views

CVE-2023-46135

The CVE-2023-46135 issue affects rs-stellar-strkey, a Rust library for Stellar Strkey encoding/decoding. A panic vulnerability occurs during processing of crafted payloads where inner_payload_len should not exceed 64; this condition is the root cause described in various advisories. The vulnerabi...

CVSS: 7.5, AI score: 6.2, EPSS: 0.00762
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2023/10/25 12:38 a.m., 23 views

CVE-2023-46135 Panic in SignedPayload::from_payload

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...

CVSS: 5.3, AI score: 7.7, EPSS: 0.00762
Exploits: 1, References: 2
Vulnrichment
added 2023/10/25 12:38 a.m., 12 views

CVE-2023-46135 Panic in SignedPayload::from_payload

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...

CVSS: 5.3, AI score: 7.1, EPSS: 0.00762
Exploits: 1, References: 2
OSV
added 2023/10/25 12:38 a.m., 25 views

CVE-2023-46135 Panic in SignedPayload::from_payload

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...

CVSS: 5.3, AI score: 7.3, EPSS: 0.00762
Exploits: 1, References: 4
Github Security Blog
added 2023/10/24 7:22 p.m., 28 views

Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in nonce reuse

Problem: Trying to create a new encrypted message with the same cocoon object generates the same ciphertext. It mostly affects MiniCocoon and Cocoon objects with custom seeds and RNGs where StdRng is used under the hood. Note: The issue does NOT affect objects created with Cocoon::new which...

CVSS: 4.5, AI score: 6.8, EPSS: 0.00139
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2023/10/19 12:0 p.m., 8 views

RUSTSEC-2023-0078 Potential stack use-after-free in `Instrumented::into_inner`

The implementation of the Instrumented::into_inner method in affected versions of this crate contains undefined behavior due to incorrect use of std::mem::forget. The function creates const pointers to self, calls mem::forget(self), and then moves values out of those pointers using...

AI score: 7.2
Exploits: 0, References: 3