9527 matches found

OpenVAS
added 2023/09/16 12:0 a.m., 8 views

Fedora: Security Advisory (FEDORA-2023-4ae90bc849)

The remote host is missing an update for the...

7.5 AI score
Exploits: 0, References: 2
vulnersOsv
added 2023/09/15 12:0 p.m., 4 views

acme-client (>=0.1.0 <=0.2.0), aerial (=0.1.0) +690 more potentially affected by unknown CVE via hpack (>=0.2.0 <=0.3.0)

hpack CARGO version =0.2.0, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.7.0, =0.0.1, =0.1.0, =0.5.0, =0.1.3, =0.1.13 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0084...

5.8 AI score
Exploits: 0
vulnersOsv
added 2023/09/15 12:0 p.m., 3 views

acme-client (>=0.1.0 <=0.2.0), aerial (=0.1.0) +690 more potentially affected by unknown CVE via hpack (>=0.2.0 <=0.3.0)

hpack CARGO version =0.2.0, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.7.0, =0.0.1, =0.1.0, =0.5.0, =0.1.3, =0.1.13 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0085...

5.8 AI score
Exploits: 0
OSV
added 2023/09/15 12:0 p.m., 14 views

RUSTSEC-2023-0085 HPACK decoder panics on invalid input

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error. Example code that triggers this vulnerability looks like this: rust use hpack::Decoder; pub fn main let input = &0x3f; let mut decoder = Decoder::new;...

7.2 AI score
Exploits: 0, References: 4
vulnersOsv
added 2023/09/13 12:0 p.m., 4 views

acme-rs (>=0.1.0 <=0.2.0), apkeep (>=0.6.0 <=0.13.0) +23 more potentially affected by CVE-2023-39914 via bcder (>=0.1.0 <=0.6.1)

bcder CARGO version =0.1.0, =0.1.0, =0.6.0, =0.1.0, =0.8.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =0.1.5, =0.3.0, =0.19.0, =0.20.0 and more Source cves: CVE-2023-39914 Source advisory: OSV:RUSTSEC-2023-0062...

7.5 CVSS, 7.1 AI score, 0.00592 EPSS
Exploits: 0
The Hacker News
added 2023/09/13 9:56 a.m., 39 views

Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit attributed to Bitwise Spider or Syrphid in the target network. "3AM is written in Rust...

7.1 AI score
Exploits: 0
CBLMariner
added 2023/09/13 2:10 a.m., 168 views

CVE-2023-3817 affecting package rust for versions less than 1.68.2-5

CVE-2023-3817 affecting package rust for versions less than 1.68.2-5. A patched version of the package is available...

5.3 CVSS, 6.3 AI score, 0.02577 EPSS
Exploits: 0
vulnersOsv
added 2023/09/11 8:43 p.m., 3 views

acid-store (>=0.8.0 <=0.14.2), acme-redirect (>=0.4.0 <=0.5.3) +230 more potentially affected by unknown CVE via users (>=0.10.0 <=0.11.0)

users CARGO version =0.10.0, =0.8.0, =0.4.0, =4.3.3, =0.1.0, =1.3.0, =0.9.0, =0.9.0, =0.1.0, =0.6.2, =0.9.0, =0.2.4, =1.0.1, =0.6.0, =0.26.2, =0.35.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-JCR6-4FRQ-9GJJ...

5.5 AI score
Exploits: 0
GitHub Security Blog
added 2023/09/11 8:43 p.m., 12 views

Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main. If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are...

7.4 AI score
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2023/09/11 8:43 p.m., 11 views

GHSA-GHC8-5CGM-5RPF Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main. If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are...

7.6 AI score
Exploits: 0, References: 4
RustSec
added 2023/09/10 12:0 p.m., 5 views

Fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main. If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are...

7.6 AI score
Exploits: 0, Affected Software: 1
vulnersOsv
added 2023/09/10 12:0 p.m., 9 views

HPGO (=0.9.2), algebraics (>=0.1.2 <=0.2.0) +242 more potentially affected by unknown CVE via inventory (>=0.1.10 <=0.1.11)

inventory CARGO version =0.1.10, =0.1.2, =0.11.0, =0.2.0, =0.1.0, =0.6.0, =0.7.0, =0.6.0, =0.5.0, =0.6.0, =0.4.0, =0.6.0, =0.5.0, =0.15.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0057...

5.8 AI score
Exploits: 0
vulnersOsv
added 2023/09/10 12:0 p.m., 5 views

acct (>=0.2.0 <=0.5.0), acid-store (>=0.8.0 <=0.14.2) +278 more potentially affected by unknown CVE via users (>=0.10.0 <=0.9.1)

users CARGO version =0.10.0, =0.2.0, =0.8.0, =0.4.0, =4.1.0, =0.1.0, =1.0.0, =0.1.0, =0.9.0, =0.9.0, =0.1.0, =0.6.2, =0.9.0, =0.2.4, =0.1.0, =0.4.51 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0059...

5.5 AI score
Exploits: 0
OSV
added 2023/09/10 12:0 p.m., 6 views

RUSTSEC-2023-0057 Fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main. If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are...

7.6 AI score
Exploits: 0, References: 3
Tenable Nessus
added 2023/09/08 12:0 a.m., 32 views

Amazon Linux 2 : rust (ALAS-2023-2223)

The version of rust installed on the remote host is prior to 1.68.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2223 advisory. Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to...

7.9 CVSS, 7.1 AI score, 0.00763 EPSS
Exploits: 0, References: 4
Tenable Nessus
added 2023/09/08 12:0 a.m., 41 views

Amazon Linux 2023 : cargo, clippy, rust (ALAS2023-2023-323)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-323 advisory. Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archiv...

7.9 CVSS, 7 AI score, 0.00763 EPSS
Exploits: 0, References: 4
Amazon
added 2023/09/07 12:0 a.m., 6 views

Important: rust

Issue Overview: Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files...

7.9 CVSS, 6.6 AI score, 0.00763 EPSS
Exploits: 0
NVD
added 2023/09/05 7:15 p.m., 32 views

CVE-2023-41317

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are...

7.5 CVSS, 7.4 AI score, 0.00653 EPSS
Exploits: 0, References: 3
Vulnrichment
added 2023/09/05 6:31 p.m., 15 views

CVE-2023-41317 Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are...

7.5 CVSS, 6.9 AI score, 0.00653 EPSS
Exploits: 0, References: 3
CVE
added 2023/09/05 6:31 p.m., 2509 views

CVE-2023-41317

Summary. CVE-2023-41317 affects Apollo Router (Rust) v1.28.0, v1.28.1, and v1.29.0, where an anonymous GraphQL subscription can trigger a DoS panic if the supergraph defines a subscription type and subscriptions are enabled in config. The vulnerability requires all four conditions to be met: impa...

7.5 CVSS, 6.4 AI score, 0.00653 EPSS
Exploits: 0, References: 3, Affected Software: 1