Anyone know if Debian bullseye security will package Rust 1.58.1 as a security update?
They normally don't fix anything other than security bugs which means they're unwilling to ship point releases. Exceptions can be made but it would normally only happen as part of a Debian point release if at all. It has to be approved by their release team. It's pretty broken.
If there are security bugs without a CVE assignment then it's highly unlikely it will get backported. Of course, most security-relevant fixes don't get a CVE assignment and there's always a huge backlog of missing CVE fixes including packages where they give up and stop doing it.
It's CVE-2022-21658
Quote Tweet
The std::fs::remove_dir_all function in the Rust standard library is vulnerable to a race condition (CVE-2022-21658). We will release Rust 1.58.1 with the fix later today. Read the advisory: blog.rust-lang.org/2022/01/20/cve


