[Pkg-rust-maintainers] Bug#986803: Bug#986803: CVE-2021-28875 CVE-2021-28876 CVE-2021-28877 CVE-2021-28878 CVE-2021-28879 CVE-2020-36317 CVE-2020-36318

Moritz Mühlenhoff jmm at inutil.org
Tue May 18 19:15:36 BST 2021


Sorry for the late reply, got backlogged in my inbox.

On Mon, Apr 12, 2021 at 11:18:16AM +0100, Ximin Luo wrote:
> It looks like these CVEs affect all versions up to 1.52 (which is not yet released).
> 
> Do you have links to patches fixing these bugs that can be backported to 1.48? We've had 1.48 for a while due to the migration freeze, and I've been informed that some rust packages in Debian break with newer versions of rustc and will need themselves to be updated - so I'd rather not force that during the freeze, I'd rather backport security fixes to 1.48.

Not sure if there are backports for 1.48; if these aren't easily
backportable, let's bullseye-ignore them for now. The next rustc update
for the subsequent Mozilla ESR will catch up with those anyway.

Cheers,
        Moritz


