[Pkg-rust-maintainers] Bug#1060861: RUSTSEC-2023-0078

Moritz Muehlenhoff jmm at inutil.org
Tue Jan 16 13:13:35 GMT 2024


On Mon, Jan 15, 2024 at 09:10:57PM +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
> 
> On Mon, Jan 15, 2024 at 08:49:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: rust-tracing
> > Version: 0.1.37-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> > 
> > https://rustsec.org/advisories/RUSTSEC-2023-0078.html
> > https://github.com/tokio-rs/tracing/pull/2765
> > Fixed by: https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721 (tracing-0.1.40)
> 
> Please double-check but I think no Debian released version was ever
> affected. The issue is fixed in 0.1.40 already upstream, with the
> above commit (backed by
> https://rustsec.org/advisories/RUSTSEC-2023-0078.html). The issue on
> the other hand is introduced in
> https://github.com/tokio-rs/tracing/commit/3a65354837a0f176178e15787fc700dd6fa11a92
> which is first in 0.1.38. 
> 
> In unstable we only ever had 0.1.37-1, then moved to 0.1.40-1.

That's in fact true! Still, let's update to the latest release anyway.

Cheers,
        Moritz


