Anyone know if Debian bullseye security will package Rust 1.58.1 as a security update?
They normally don't fix anything other than security bugs which means they're unwilling to ship point releases. Exceptions can be made but it would normally only happen as part of a Debian point release if at all. It has to be approved by their release team. It's pretty broken.
If there are security bugs without a CVE assignment then it's highly unlikely it will get backported. Of course, most security-relevant fixes don't get a CVE assignment and there's always a huge backlog of missing CVE fixes including packages where they give up and stop doing it.
It's CVE-2022-21658
Quote Tweet
The std::fs::remove_dir_all function in the Rust standard library is vulnerable to a race condition (CVE-2022-21658). We will release Rust 1.58.1 with the fix later today. Read the advisory: blog.rust-lang.org/2022/01/20/cve
You can get them to backport the fix themselves. They won't normally update to a new point release even if everything included is a security fix. They'll probably end up doing it on their own via their existing CVE tracking. It's listed in security-tracker.debian.org/tracker/status already.
It's a very naive way of doing security fixes ignoring that most won't get a CVE assigned but that's Debian. It's particularly bad for the Linux kernel but they do seem to be shipping the upstream LTS releases in OS point releases now. It's possible to convince them to do it.
I think their release team has to approve each update going into their OS point releases and it's definitely more the exception than the norm. I don't think it really happens out-of-band. Also even when they decide to update stuff like Chromium differently it's super slow...
The first step in convincing Debian to accept point releases from a long term stable branch is for a long term stable branch to actually exist.
Debian went through a phase of updating the rustc package in stable releases to new upstream versions to support new versions of mozilla software, but it was causing breakage, so they created a "rustc-mozilla" package instead.