Auto merge of #12550 - weihanglo:CVE-2023-40030, r=epage
changelog: add link to CVE-2023-40030

* add link to CVE-2023-40030 for 1.72
* add 🚨 emoji for all CVE entries

[Rendered](https://github.com/rust-lang/cargo/blob/4b51b27d0a2d9d0ff50e286e08747ba53cc7fb45/CHANGELOG.md)
bors committed Aug 24, 2023
2 parents 3581425 + 4b51b27 commit 8c08800
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions CHANGELOG.md
Expand Up @@ -191,10 +191,11 @@

### Changed

- ❗ Turned feature name validation check to a hard error. The warning was
added in Rust 1.49. These extended characters aren't allowed on crates.io, so
this should only impact users of other registries, or people who don't publish
to a registry.
- 🚨 [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p):
Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports.
To mitigate this, feature name validation check is now turned into a hard error.
The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io,
so this should only impact users of other registries, or people who don't publish to a registry.
[#12291](https://github.com/rust-lang/cargo/pull/12291)
- Cargo now warns when an edition 2021 package is in a virtual workspace and
`workspace.resolver` is not set. It is recommended to set the resolver
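Review bot: "These extended characters" in the rewritten entry has no antecedent within the entry itself, so a reader cannot tell which feature names now fail the hard error; consider stating what the validation rejects before the "aren't allowed on crates.io" sentence, and "feature name validation check is now turned into a hard error" reads better as "the feature name validation check is now a hard error". Also note that this CVE entry sits under "### Changed" while the other 🚨 entries touched by this commit all sit under "### Fixed"; if the placement is intentional (the behaviour change is the mitigation), a short "Fixed" cross-reference would keep the CVE entries findable in one place.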
Expand Down Expand Up @@ -325,7 +326,7 @@

### Fixed

- [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
- 🚨 [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
Cargo 1.71.1 or later respects umask when extracting crate archives. It also
purges the caches it tries to access if they were generated by older Cargo versions.

Expand Down Expand Up @@ -1004,7 +1005,7 @@
## Cargo 1.66.1 (2023-01-10)

### Fixed
- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
- 🚨 [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
Added validation of SSH host keys for git URLs.
See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys.

Expand Down Expand Up @@ -1230,11 +1231,11 @@

### Fixed

- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
- 🚨 [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
Extracting malicious crates can corrupt arbitrary files.
[#11089](https://github.com/rust-lang/cargo/pull/11089)
[#11088](https://github.com/rust-lang/cargo/pull/11088)
- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
- 🚨 [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
Extracting malicious crates can fill the file system.
[#11089](https://github.com/rust-lang/cargo/pull/11089)
[#11088](https://github.com/rust-lang/cargo/pull/11088)
