Gentoo Archives: gentoo-announce

From: glsamaker@g.o
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities
Date: Sun, 16 Oct 2022 14:49:21
Message-Id: 166593139568.9.15702200025302466596@90bb6a0775af
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202210-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Rust: Multiple Vulnerabilities
Date: October 16, 2022
Bugs: #870166, #831638, #821157, #807052, #782367
ID: 202210-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Rust, the worst of
which could result in denial of service.

Background
==========

Rust is a systems programming language that runs blazingly fast, prevents
segfaults, and guarantees thread safety.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/rust            < 1.63.0-r1             >= 1.63.0-r1
  2  dev-lang/rust-bin        < 1.64.0                >= 1.64.0

Description
===========

Multiple vulnerabilities have been discovered in Rust. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Rust users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-1.63.0-r1"

All Rust binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.64.0"

In addition, users running Portage 3.0.38 or later should rebuild the
@rust-rebuild set, so that no package which statically links Rust code
keeps the vulnerable code in its binaries:

# emerge --ask --oneshot --verbose @rust-rebuild
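The Resolution above says which atoms to pull in, but not whether a given system still needs them. The following Python script is an added example, not part of the advisory or of Gentoo's own tooling: it parses the advisory's "Affected packages" rows and classifies each installed version as vulnerable or unaffected, then derives the same `--oneshot` atom the Resolution uses. The installed-version dictionary is a constructed sample, and the version comparison is deliberately limited to the subset the advisory actually uses (dotted numeric components without leading zeros plus an optional `-rN` revision; this narrowing is an assumption, and `_rc`/`_pre`/letter suffixes are rejected rather than guessed).

```python
"""Check installed Gentoo package versions against a GLSA affected-packages table.

Added example, not part of GLSA 202210-09. Version comparison covers only the
dotted-numeric plus -rN subset this advisory uses (assumption); anything
else raises instead of guessing.
"""
import re
from typing import Dict, List, Optional, Tuple

# The two rows from this advisory's "Affected packages" table, verbatim.
GLSA_202210_09_TABLE = """\
1  dev-lang/rust            < 1.63.0-r1             >= 1.63.0-r1
2  dev-lang/rust-bin        < 1.64.0                >= 1.64.0
"""

# Constructed sample system state (hypothetical, not from the advisory).
# dev-lang/rust is slotted, so two versions can be installed side by side.
SAMPLE_INSTALLED: Dict[str, List[str]] = {
    "dev-lang/rust": ["1.62.1", "1.63.0-r1"],
    "dev-lang/rust-bin": ["1.63.0"],
}

ROW_RE = re.compile(
    r"^\s*\d+\s+"                                    # table row number
    r"(?P<pkg>[A-Za-z0-9+_.-]+/[A-Za-z0-9+_.-]+)\s+"  # category/package
    r"(?P<vop><=?|>=?|=)\s*(?P<vver>\S+)\s+"          # vulnerable range
    r"(?P<uop><=?|>=?|=)\s*(?P<uver>\S+)\s*$"         # unaffected range
)
# Dotted numerics with no leading zeros, optional -rN revision (the handled subset).
VERSION_RE = re.compile(r"^((?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*)(?:-r(\d+))?$")

Range = Tuple[str, str]  # (operator, version bound)


def parse_version(ver: str) -> Tuple[List[int], int]:
    """'1.63.0-r1' -> ([1, 63, 0], 1); rejects syntax outside the handled subset."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return [int(c) for c in m.group(1).split(".")], int(m.group(2) or 0)


def vercmp(a: str, b: str) -> int:
    """Return <0, 0, >0 as a is lower than, equal to, or higher than b.

    Components compare left to right; with an equal shared prefix the version
    with more components is higher, and -rN only breaks ties between
    otherwise equal versions.
    """
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    if na != nb:
        return -1 if na < nb else 1
    return (ra > rb) - (ra < rb)


def in_range(ver: str, rng: Range) -> bool:
    op, bound = rng
    c = vercmp(ver, bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]


def parse_table(text: str) -> Dict[str, Tuple[Range, Range]]:
    """Map package -> (vulnerable range, unaffected range) from the GLSA rows."""
    rows: Dict[str, Tuple[Range, Range]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m["pkg"]] = ((m["vop"], m["vver"]), (m["uop"], m["uver"]))
    return rows


def fix_atom(pkg: str, unaffected: Range) -> str:
    """The --oneshot atom used in the Resolution, e.g. '>=dev-lang/rust-1.63.0-r1'."""
    op, ver = unaffected
    return f"{op}{pkg}-{ver}"


def check_installed(table_text: str,
                    installed: Dict[str, List[str]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (package, installed version, status) for every table row.

    status: 'vulnerable', 'unaffected', 'not installed', or 'outside both
    ranges' (a version the advisory says nothing about).
    """
    report: List[Tuple[str, Optional[str], str]] = []
    for pkg, (vuln, unaff) in parse_table(table_text).items():
        versions = installed.get(pkg, [])
        if not versions:
            report.append((pkg, None, "not installed"))
        for ver in versions:  # every slot is judged on its own
            if in_range(ver, vuln):
                status = "vulnerable"
            elif in_range(ver, unaff):
                status = "unaffected"
            else:
                status = "outside both ranges"
            report.append((pkg, ver, status))
    return report


if __name__ == "__main__":
    rows = parse_table(GLSA_202210_09_TABLE)
    for pkg, ver, status in check_installed(GLSA_202210_09_TABLE, SAMPLE_INSTALLED):
        print(f"{pkg:20} {ver or '-':12} {status}")
        if status == "vulnerable":
            print(f'    emerge --ask --oneshot --verbose "{fix_atom(pkg, rows[pkg][1])}"')
```

To run it against a real system, replace SAMPLE_INSTALLED with the output of something like `qlist -Iv dev-lang/rust dev-lang/rust-bin` (app-portage/portage-utils), one version per installed slot. Every slot is reported separately on purpose: dev-lang/rust is slotted per minor version, so after the `--oneshot` upgrade an older, still vulnerable version can remain installed in its own slot until `emerge --depclean` removes it.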

References
==========

[ 1 ] CVE-2021-28875
      https://nvd.nist.gov/vuln/detail/CVE-2021-28875
[ 2 ] CVE-2021-28876
      https://nvd.nist.gov/vuln/detail/CVE-2021-28876
[ 3 ] CVE-2021-28877
      https://nvd.nist.gov/vuln/detail/CVE-2021-28877
[ 4 ] CVE-2021-28878
      https://nvd.nist.gov/vuln/detail/CVE-2021-28878
[ 5 ] CVE-2021-28879
      https://nvd.nist.gov/vuln/detail/CVE-2021-28879
[ 6 ] CVE-2021-29922
      https://nvd.nist.gov/vuln/detail/CVE-2021-29922
[ 7 ] CVE-2021-31162
      https://nvd.nist.gov/vuln/detail/CVE-2021-31162
[ 8 ] CVE-2021-36317
      https://nvd.nist.gov/vuln/detail/CVE-2021-36317
[ 9 ] CVE-2021-36318
      https://nvd.nist.gov/vuln/detail/CVE-2021-36318
[ 10 ] CVE-2021-42574
       https://nvd.nist.gov/vuln/detail/CVE-2021-42574
[ 11 ] CVE-2021-42694
       https://nvd.nist.gov/vuln/detail/CVE-2021-42694
[ 12 ] CVE-2022-21658
       https://nvd.nist.gov/vuln/detail/CVE-2022-21658
[ 13 ] CVE-2022-36113
       https://nvd.nist.gov/vuln/detail/CVE-2022-36113
[ 14 ] CVE-2022-36114
       https://nvd.nist.gov/vuln/detail/CVE-2022-36114

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202210-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments: signature.asc (application/pgp-signature)