SUSE-CU-2023:3092-1: Security update of bci/rust
sle-security-updates at lists.suse.com
Fri Sep 22 07:05:02 UTC 2023
SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3092-1
Container Tags : bci/rust:1.71 , bci/rust:1.71-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release : 2.1
Severity : important
Type : security
References : 1213817 CVE-2023-38497
-----------------------------------------------------------------
The container bci/rust was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2978-1
Released: Wed Jul 26 09:56:57 2023
Summary: Recommended update for rust, rust1.71
Type: recommended
Severity: moderate
References:
This update for rust and rust1.71 fixes the following issues:
This update ships rust1.71.
Version 1.71.0 (2023-07-13)
==========================
Language
--------
- Stabilize `raw-dylib`, `link_ordinal`, `import_name_type` and `-Cdlltool`.
- Uplift `clippy::{drop,forget}_{ref,copy}` lints.
- Type inference is more conservative around constrained vars.
- Use fulfillment to check `Drop` impl compatibility
Compiler
--------
- Evaluate place expression in `PlaceMention`
making `let _ =` patterns more consistent with respect to the borrow checker.
- Add `--print deployment-target` flag for Apple targets.
- Stabilize `extern "C-unwind"` and friends.
The existing `extern "C"` etc. may change behavior for cross-language unwinding in a future release.
- Update the version of musl used on `*-linux-musl` targets to 1.2.3
enabling [time64](https://musl.libc.org/time64.html) on 32-bit systems.
- Stabilize `debugger_visualizer`
for embedding metadata like Microsoft's Natvis.
- Enable flatten-format-args by default.
- Make `Self` respect tuple constructor privacy.
- Improve niche placement by trying two strategies and picking the better result.
- Use `apple-m1` as the target CPU for `aarch64-apple-darwin`.
- Add Tier 3 support for the `x86_64h-apple-darwin` target.
- Promote `loongarch64-unknown-linux-gnu` to Tier 2 with host tools.
Refer to Rust's [platform support page][platform-support-doc]
for more information on Rust's tiered platform support.
Libraries
---------
- Rework handling of recursive panics.
Additional panics are allowed while unwinding, as long as they are caught before escaping
a `Drop` implementation, but panicking within a panic hook is now an immediate abort.
- Loosen `From<&[T]> for Box<[T]>` bound to `T: Clone`.
- Remove unnecessary `T: Send` bound
in `Error for mpsc::SendError<T>` and `TrySendError<T>`.
- Fix docs for `alloc::realloc`
to match `Layout` requirements that the size must not exceed `isize::MAX`.
- Document `const {}` syntax for `std::thread_local`.
This syntax was stabilized in Rust 1.59, but not previously mentioned in release notes.
Stabilized APIs
---------------
- [`CStr::is_empty`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#method.is_empty)
- [`BuildHasher::hash_one`](https://doc.rust-lang.org/stable/std/hash/trait.BuildHasher.html#method.hash_one)
- [`NonZeroI*::is_positive`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_positive)
- [`NonZeroI*::is_negative`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_negative)
- [`NonZeroI*::checked_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.checked_neg)
- [`NonZeroI*::overflowing_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.overflowing_neg)
- [`NonZeroI*::saturating_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.saturating_neg)
- [`NonZeroI*::wrapping_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.wrapping_neg)
- [`Neg for NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-NonZeroI32)
- [`Neg for &NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-%26NonZeroI32)
- [`From<[T; N]> for (T...)`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C%5BT;+1%5D%3E-for-(T,))
(array to N-tuple for N in 1..=12)
- [`From<(T...)> for [T; N]`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C(T,)%3E-for-%5BT;+1%5D)
(N-tuple to array for N in 1..=12)
- [`windows::io::AsHandle for Box<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Box%3CT%3E)
- [`windows::io::AsHandle for Rc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Rc%3CT%3E)
- [`windows::io::AsHandle for Arc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Arc%3CT%3E)
- [`windows::io::AsSocket for Box<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Box%3CT%3E)
- [`windows::io::AsSocket for Rc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Rc%3CT%3E)
- [`windows::io::AsSocket for Arc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Arc%3CT%3E)
These APIs are now stable in const contexts:
- [`<*const T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read)
- [`<*const T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned)
- [`<*mut T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read-1)
- [`<*mut T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned-1)
- [`ptr::read`](https://doc.rust-lang.org/stable/std/ptr/fn.read.html)
- [`ptr::read_unaligned`](https://doc.rust-lang.org/stable/std/ptr/fn.read_unaligned.html)
- [`<[T]>::split_at`](https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_at)
Cargo
-----
- Allow named debuginfo options in `Cargo.toml`.
- Add `workspace_default_members` to the output of `cargo metadata`.
- `cargo add` now considers `rust-version` when selecting packages.
- Automatically inherit workspace fields when running `cargo new`/`cargo init`.
Rustdoc
-------
- Add a new `rustdoc::unescaped_backticks` lint for broken inline code.
- [Support strikethrough with single tildes.](https://github.com/rust-lang/rust/pull/111152/) (`~~old~~` vs. `~new~`)
Misc
----
Compatibility Notes
-------------------
- Remove structural match from `TypeId`.
Code that uses a constant `TypeId` in a pattern will potentially be broken.
Known cases have already been fixed -- in particular, users of the `log`
crate's `kv_unstable` feature should update to `log v0.4.18` or later.
- Add a `sysroot` crate to represent the standard library crates.
This does not affect stable users, but may require adjustment in tools that build their own standard library.
- Cargo optimizes its usage under `rustup`. When
Cargo detects it will run `rustc` pointing to a rustup proxy, it'll try bypassing the proxy and
use the underlying binary directly. There are assumptions around the interaction with rustup and
`RUSTUP_TOOLCHAIN`. However, it's not expected to affect normal users.
- When querying a package, Cargo tries only the original name, all hyphens, and all underscores to
handle misspellings. Previously, Cargo tried each
combination of hyphens and underscores, causing excessive requests to crates.io.
- Cargo now disallows `RUSTUP_HOME` and
`RUSTUP_TOOLCHAIN` in the `[env]` configuration
table. This is considered to be not a use case Cargo would like to support, since it will likely
cause problems or lead to confusion.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3251-1
Released: Tue Aug 8 22:15:14 2023
Summary: Security update for rust1.71
Type: security
Severity: important
References: 1213817,CVE-2023-38497
This update for rust1.71 fixes the following issues:
Update to version 1.71.1:
- CVE-2023-38497: Fixed a local privilege escalation: Cargo did not respect the process umask when extracting crate archives, so files in the registry source cache could end up with the permissions stored in the archive (for example, writable by other local users), letting another local user alter the source that gets compiled and executed (bsc#1213817).
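The following is an added illustration of the class of bug behind CVE-2023-38497 and of the check an administrator of a shared build host would run after updating; it is not Cargo's own code and does not reproduce its patch. It models one archive entry whose header claims mode 0o666, writes it once the pre-fix way (mode applied as stored) and once with the umask applied, then scans the directory for files other local users could write to. The umask value 0o022, the file contents and the temporary directory are constructed for the demo; reading the real umask from /proc/self/status is Linux-specific.

```rust
use std::fs;
use std::io::{self, Write};
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Permission bits a tar entry claims, reduced by the process umask, the way
/// a umask-respecting extractor computes them (file-type bits are ignored).
pub fn effective_mode(archive_mode: u32, umask: u32) -> u32 {
    (archive_mode & 0o7777) & !umask
}

/// True when the group or "other" write bit is set, i.e. another local user
/// could modify the extracted source file.
pub fn is_writable_by_others(mode: u32) -> bool {
    mode & 0o022 != 0
}

/// Current process umask, read from /proc/self/status (Linux only; std has no
/// umask accessor). Returns `fallback` where that file is unavailable.
pub fn process_umask(fallback: u32) -> u32 {
    fs::read_to_string("/proc/self/status")
        .ok()
        .and_then(|s| {
            s.lines()
                .find(|l| l.starts_with("Umask:"))
                .and_then(|l| u32::from_str_radix(l["Umask:".len()..].trim(), 8).ok())
        })
        .unwrap_or(fallback)
}

/// Write one "archive entry" to `dest` with the mode the archive declared.
/// `respect_umask == false` reproduces the vulnerable behaviour (mode copied
/// verbatim from the header); `true` masks it first. Note that chmod(2) itself
/// never applies the umask, so the caller has to. Returns the on-disk bits.
pub fn extract_entry(
    dest: &Path,
    contents: &[u8],
    archive_mode: u32,
    umask: u32,
    respect_umask: bool,
) -> io::Result<u32> {
    let mut f = fs::File::create(dest)?;
    f.write_all(contents)?;
    let mode = if respect_umask {
        effective_mode(archive_mode, umask)
    } else {
        archive_mode & 0o7777
    };
    fs::set_permissions(dest, fs::Permissions::from_mode(mode))?;
    Ok(fs::metadata(dest)?.permissions().mode() & 0o7777)
}

/// Post-update check: walk a tree such as ~/.cargo/registry/src and list files
/// that another local user could write to. Returns the sorted paths.
pub fn find_group_or_world_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let meta = entry.metadata()?;
            if meta.is_dir() {
                stack.push(entry.path());
            } else if is_writable_by_others(meta.permissions().mode()) {
                hits.push(entry.path());
            }
        }
    }
    hits.sort();
    Ok(hits)
}

/// Constructed scenario: one crate file with header mode 0o666, extracted both
/// ways under an assumed umask of 0o022. Returns (unmasked bits, masked bits,
/// number of files the scan flags).
pub fn demo() -> io::Result<(u32, u32, usize)> {
    let dir = std::env::temp_dir().join(format!("umask-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let umask = 0o022; // assumed for the demo; see process_umask() for the real one
    let src = b"pub fn f() {}\n"; // constructed crate contents
    let before = extract_entry(&dir.join("lib_vuln.rs"), src, 0o666, umask, false)?;
    let after = extract_entry(&dir.join("lib_fixed.rs"), src, 0o666, umask, true)?;
    let flagged = find_group_or_world_writable(&dir)?.len();
    fs::remove_dir_all(&dir)?;
    Ok((before, after, flagged))
}

fn main() -> io::Result<()> {
    let (before, after, flagged) = demo()?;
    println!("header 0o666: unmasked -> {:o}, masked -> {:o}, files writable by others: {}",
             before, after, flagged);
    println!("this process's umask: {:o}", process_umask(0o022));
    Ok(())
}
```

Run against a real registry cache, `find_group_or_world_writable(Path::new(&format!("{}/.cargo/registry/src", home)))` should return an empty list once every crate has been re-extracted by the fixed Cargo; any hit names a file worth deleting and re-fetching, since its contents may already have been altered by another user.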
The following package changes have been done:
- rust1.71-1.71.1-150400.9.6.1 added
- cargo1.71-1.71.1-150400.9.6.1 added
- container:sles15-image-15.0.0-36.5.34 updated
- cargo1.70-1.70.0-150400.9.3.1 removed
- rust1.70-1.70.0-150400.9.3.1 removed