From f975722a0eac934c0722f111f107c4ea2f5c4365 Mon Sep 17 00:00:00 2001 From: Weihang Lo Date: Thu, 24 Aug 2023 18:14:15 +0100 Subject: [PATCH 1/2] changelog: add link to CVE-2023-40030 --- CHANGELOG.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d4e6ed886e..843eb27eef0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -191,10 +191,11 @@ ### Changed -- ❗ Turned feature name validation check to a hard error. The warning was - added in Rust 1.49. These extended characters aren't allowed on crates.io, so - this should only impact users of other registries, or people who don't publish - to a registry. +- [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p): + Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports. + To mitigate this, feature name validation check is now turned into a hard error. + The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io, + so this should only impact users of other registries, or people who don't publish to a registry. [#12291](https://github.com/rust-lang/cargo/pull/12291) - Cargo now warns when an edition 2021 package is in a virtual workspace and `workspace.resolver` is not set. It is recommended to set the resolver From 4b51b27d0a2d9d0ff50e286e08747ba53cc7fb45 Mon Sep 17 00:00:00 2001 From: Weihang Lo Date: Thu, 24 Aug 2023 18:21:43 +0100 Subject: [PATCH 2/2] =?UTF-8?q?changelog:=20add=20=F0=9F=9A=A8=20emoji=20f?= =?UTF-8?q?or=20CVE=20entries?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 843eb27eef0..ccbb40f2488 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -191,7 +191,7 @@ ### Changed -- [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p): +- 🚨 [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p): Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports. To mitigate this, feature name validation check is now turned into a hard error. The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io, @@ -326,7 +326,7 @@ ### Fixed -- [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87): +- 🚨 [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87): Cargo 1.71.1 or later respects umask when extracting crate archives. It also purges the caches it tries to access if they were generated by older Cargo versions. @@ -1005,7 +1005,7 @@ ## Cargo 1.66.1 (2023-01-10) ### Fixed -- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j): +- 🚨 [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j): Added validation of SSH host keys for git URLs. See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys. 
@@ -1231,11 +1231,11 @@ ### Fixed -- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j): +- 🚨 [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j): Extracting malicious crates can corrupt arbitrary files. [#11089](https://github.com/rust-lang/cargo/pull/11089) [#11088](https://github.com/rust-lang/cargo/pull/11088) -- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp): +- 🚨 [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp): Extracting malicious crates can fill the file system. [#11089](https://github.com/rust-lang/cargo/pull/11089) [#11088](https://github.com/rust-lang/cargo/pull/11088)
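Review bot: In the CVE-2023-40030 entry (patch 1, hunk at line 191), "feature name validation check is now turned into a hard error" drops the article and reads awkwardly; suggest "the feature name validation check is now a hard error". The entry also jumps from JavaScript injection in timing reports to feature-name validation without saying how the two connect; a short clause noting that feature names are rendered into the generated timing report would let a reader understand why stricter feature-name validation is the mitigation without opening the advisory.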
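Review bot: The CVE-2023-40030 entry (patch 2, first hunk) is the only 🚨 entry that sits under "### Changed"; the hunks at lines 326, 1005 and 1231 all mark entries under "### Fixed". Since the emoji is there so readers can scan for security fixes, consider moving this entry to the Fixed section of the same release, or at least keeping security entries in one section per release, so the marker is found where readers expect it.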
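Review bot: The CVE-2023-38497 entry (hunk at line 326) describes only the fix, "respects umask when extracting crate archives", and not the problem, whereas the other CVE entries lead with impact ("Extracting malicious crates can corrupt arbitrary files"). Suggest opening with what went wrong, that files extracted by earlier versions ignored the umask, and adding a pull request link as the entries at lines 191 and 1231 carry. The second sentence would also read more clearly as "It also purges caches generated by older Cargo versions when it accesses them."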