Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

changelog: add link to CVE-2023-40030 #12550

Merged
merged 2 commits into from
Aug 24, 2023
Merged

changelog: add link to CVE-2023-40030 #12550

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f975722
changelog: add link to CVE-2023-40030
weihanglo Aug 24, 2023
4b51b27
changelog: add 🚨 emoji for CVE entries
weihanglo Aug 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 9 additions & 8 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,10 +191,11 @@

### Changed

- ❗ Turned feature name validation check to a hard error. The warning was
added in Rust 1.49. These extended characters aren't allowed on crates.io, so
this should only impact users of other registries, or people who don't publish
to a registry.
- 🚨 [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p):
Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports.
To mitigate this, feature name validation check is now turned into a hard error.
The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io,
so this should only impact users of other registries, or people who don't publish to a registry.
[#12291](https://github.com/rust-lang/cargo/pull/12291)
- Cargo now warns when an edition 2021 package is in a virtual workspace and
`workspace.resolver` is not set. It is recommended to set the resolver
Expand Down Expand Up @@ -325,7 +326,7 @@

### Fixed

- [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
- 🚨 [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
Cargo 1.71.1 or later respects umask when extracting crate archives. It also
purges the caches it tries to access if they were generated by older Cargo versions.

Expand Down Expand Up @@ -1004,7 +1005,7 @@
## Cargo 1.66.1 (2023-01-10)

### Fixed
- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
- 🚨 [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
Added validation of SSH host keys for git URLs.
See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys.

Expand Down Expand Up @@ -1230,11 +1231,11 @@

### Fixed

- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
- 🚨 [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
Extracting malicious crates can corrupt arbitrary files.
[#11089](https://github.com/rust-lang/cargo/pull/11089)
[#11088](https://github.com/rust-lang/cargo/pull/11088)
- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
- 🚨 [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
Extracting malicious crates can fill the file system.
[#11089](https://github.com/rust-lang/cargo/pull/11089)
[#11088](https://github.com/rust-lang/cargo/pull/11088)
Expand Down