SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3092-1
Container Tags        : bci/rust:1.71 , bci/rust:1.71-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release     : 2.1
Severity              : important
Type                  : security
References            : 1213817 CVE-2023-38497 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2978-1
Released:    Wed Jul 26 09:56:57 2023
Summary:     Recommended update for rust, rust1.71
Type:        recommended
Severity:    moderate
References:  
This update for rust and rust1.71 fixes the following issues:

This update ships rust1.71.

Version 1.71.0 (2023-07-13)
==========================

Language
--------

- Stabilize `raw-dylib`, `link_ordinal`, `import_name_type` and `-Cdlltool`.
- Uplift `clippy::{drop,forget}_{ref,copy}` lints.
- Type inference is more conservative around constrained vars.
- Use fulfillment to check `Drop` impl compatibility.

Compiler
--------

- Evaluate place expression in `PlaceMention`
  making `let _ =` patterns more consistent with respect to the borrow checker.
- Add `--print deployment-target` flag for Apple targets.
- Stabilize `extern "C-unwind"` and friends.
  The existing `extern "C"` etc. may change behavior for cross-language unwinding in a future release.
- Update the version of musl used on `*-linux-musl` targets to 1.2.3
  enabling [time64](https://musl.libc.org/time64.html) on 32-bit systems.
- Stabilize `debugger_visualizer`
  for embedding metadata like Microsoft's Natvis.
- Enable flatten-format-args by default.
- Make `Self` respect tuple constructor privacy.
- Improve niche placement by trying two strategies and picking the better result.
- Use `apple-m1` as the target CPU for `aarch64-apple-darwin`.
- Add Tier 3 support for the `x86_64h-apple-darwin` target.
- Promote `loongarch64-unknown-linux-gnu` to Tier 2 with host tools.

Refer to Rust's [platform support page][platform-support-doc]
for more information on Rust's tiered platform support.

Libraries
---------

- Rework handling of recursive panics.
  Additional panics are allowed while unwinding, as long as they are caught before escaping
  a `Drop` implementation, but panicking within a panic hook is now an immediate abort.
- Loosen `From<&[T]> for Box<[T]>` bound to `T: Clone`.
- Remove unnecessary `T: Send` bound
  in `Error for mpsc::SendError` and `TrySendError`.
- Fix docs for `alloc::realloc`
  to match `Layout` requirements that the size must not exceed `isize::MAX`.
- Document `const {}` syntax for `std::thread_local`.
  This syntax was stabilized in Rust 1.59, but not previously mentioned in release notes.

Stabilized APIs
---------------

- [`CStr::is_empty`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#method.is_empty)
- [`BuildHasher::hash_one`](https://doc.rust-lang.org/stable/std/hash/trait.BuildHasher.html#method.hash_one)
- [`NonZeroI*::is_positive`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_positive)
- [`NonZeroI*::is_negative`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_negative)
- [`NonZeroI*::checked_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.checked_neg)
- [`NonZeroI*::overflowing_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.overflowing_neg)
- [`NonZeroI*::saturating_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.saturating_neg)
- [`NonZeroI*::wrapping_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.wrapping_neg)
- [`Neg for NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-NonZeroI32)
- [`Neg for &NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-%26NonZeroI32)
- [`From<[T; N]> for (T...)`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C%5BT;+1%5D%3E-for-(T,))
  (array to N-tuple for N in 1..=12)
- [`From<(T...)> for [T; N]`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C(T,)%3E-for-%5BT;+1%5D)
  (N-tuple to array for N in 1..=12)
- [`windows::io::AsHandle for Box`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Box%3CT%3E)
- [`windows::io::AsHandle for Rc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Rc%3CT%3E)
- [`windows::io::AsHandle for Arc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Arc%3CT%3E)
- [`windows::io::AsSocket for Box`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Box%3CT%3E)
- [`windows::io::AsSocket for Rc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Rc%3CT%3E)
- [`windows::io::AsSocket for Arc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Arc%3CT%3E)

These APIs are now stable in const contexts:

- [`<*const T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read)
- [`<*const T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned)
- [`<*mut T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read-1)
- [`<*mut T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned-1)
- [`ptr::read`](https://doc.rust-lang.org/stable/std/ptr/fn.read.html)
- [`ptr::read_unaligned`](https://doc.rust-lang.org/stable/std/ptr/fn.read_unaligned.html)
- [`<[T]>::split_at`](https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_at)

Cargo
-----

- Allow named debuginfo options in `Cargo.toml`.
- Add `workspace_default_members` to the output of `cargo metadata`.
- `cargo add` now considers `rust-version` when selecting packages.
- Automatically inherit workspace fields when running `cargo new`/`cargo init`.

Rustdoc
-------

- Add a new `rustdoc::unescaped_backticks` lint for broken inline code.
- [Support strikethrough with single tildes.](https://github.com/rust-lang/rust/pull/111152/) (`~~old~~` vs. `~new~`)

Misc
----

Compatibility Notes
-------------------

- Remove structural match from `TypeId`.
  Code that uses a constant `TypeId` in a pattern will potentially be broken.
  Known cases have already been fixed -- in particular, users of the `log`
  crate's `kv_unstable` feature should update to `log v0.4.18` or later.
- Add a `sysroot` crate to represent the standard library crates.
  This does not affect stable users, but may require adjustment in tools that build their own standard library.
- Cargo optimizes its usage under `rustup`. When
  Cargo detects it will run `rustc` pointing to a rustup proxy, it'll try bypassing the proxy and
  use the underlying binary directly. There are assumptions around the interaction with rustup and
  `RUSTUP_TOOLCHAIN`. However, it's not expected to affect normal users.
- When querying a package, Cargo tries only the original name, all hyphens, and all underscores to
  handle misspellings. Previously, Cargo tried each
  combination of hyphens and underscores, causing excessive requests to crates.io.
- Cargo now disallows `RUSTUP_HOME` and
  `RUSTUP_TOOLCHAIN` in the `[env]` configuration
  table. This is considered to be not a use case Cargo would like to support, since it will likely
  cause problems or lead to confusion.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3251-1
Released:    Tue Aug  8 22:15:14 2023
Summary:     Security update for rust1.71
Type:        security
Severity:    important
References:  1213817,CVE-2023-38497
This update for rust1.71 fixes the following issues:

Update to version 1.71.1:

- CVE-2023-38497: Fixed privilege escalation with Cargo not respecting umask when extracting dependencies (bsc#1213817).
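
The class of bug behind CVE-2023-38497, shown as an added example that is not part of the SUSE advisory or of Cargo's code: an archive's stored file modes are applied with and without the extracting user's umask, and the result is audited for group- or world-writable entries. GNU tar is assumed and stands in for Cargo's extractor; the function names and the `demo-0.1.0` crate are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; GNU tar stands in for Cargo's extractor and the
# "demo-0.1.0" crate is constructed sample data.

# Print entries under DIR that group or others can write to.
loose_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

count_loose() {
    loose_entries "$1" | wc -l | tr -d ' '
}

# Build an archive whose stored modes are world-writable.
make_sample_archive() {
    mkdir -p "$1/pkg/demo-0.1.0/src"
    printf 'pub fn f() {}\n' > "$1/pkg/demo-0.1.0/src/lib.rs"
    chmod 0777 "$1/pkg/demo-0.1.0" "$1/pkg/demo-0.1.0/src"
    chmod 0666 "$1/pkg/demo-0.1.0/src/lib.rs"
    tar -C "$1/pkg" -cf "$1/demo.tar" demo-0.1.0
}

# Stored modes applied verbatim: the umask of 022 has no effect.
extract_ignoring_umask() {
    ( umask 022; mkdir -p "$2"; tar -C "$2" -xpf "$1" )
}

# Stored modes filtered through the umask.
extract_respecting_umask() {
    ( umask 022; mkdir -p "$2"; tar -C "$2" --no-same-permissions -xf "$1" )
}

demo() {
    tmp=$(mktemp -d)
    make_sample_archive "$tmp"
    extract_ignoring_umask "$tmp/demo.tar" "$tmp/before"
    extract_respecting_umask "$tmp/demo.tar" "$tmp/after"
    echo "umask ignored:   $(count_loose "$tmp/before") writable entries"
    echo "umask respected: $(count_loose "$tmp/after") writable entries"
    rm -rf "$tmp"
}

demo
# Audit a real cache extracted by an older Cargo:
#   loose_entries "${CARGO_HOME:-$HOME/.cargo}/registry/src"
```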


The following package changes have been done:

- rust1.71-1.71.1-150400.9.6.1 added
- cargo1.71-1.71.1-150400.9.6.1 added
- container:sles15-image-15.0.0-36.5.34 updated
- cargo1.70-1.70.0-150400.9.3.1 removed
- rust1.70-1.70.0-150400.9.3.1 removed

SUSE: 2023:3092-1 bci/rust Security Update

September 22, 2023
The container bci/rust was updated
