[Pkg-rust-maintainers] Bug#988729: Bug#988729: CVE-2021-21299
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed May 19 18:39:55 BST 2021
On May 18, 2021 8:42 pm, Moritz Muehlenhoff wrote:
> Source: rust-hyper
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> CVE-2021-21299:
> https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
> https://rustsec.org/advisories/RUSTSEC-2021-0020.html

FWIW, (rust-hyper) doesn't have any rdeps in bullseye AFAICT[1], so it
could either be ignored there or removed from bullseye without
consequences.

For bullseye+1, I plan on updating it as soon as sid is unfrozen again,
but the dependency chain needed for that update is quite big so it might
take a bit to pass through NEW etc. (which was also the reason why it
didn't get updated in time pre-freeze). There are no affected rdeps in
unstable either though, as they are all using hyper as client, not
server.

1: dev/list-rdeps.sh from debcargo-conf agrees