oss-sec mailing list archives
CVE-2019-16760: Cargo prior to Rust 1.26.0 may download the wrong dependency
From: Pietro Albini <pietro () pietroalbini org>
Date: Tue, 8 Oct 2019 18:11:31 +0200
On 2019-09-30 the Rust Security team disclosed a vulnerability affecting
all Rust releases prior to 1.26.0, causing Cargo to download and compile
the wrong dependency under the right circumstances.

The vulnerability has been assigned CVE-2019-16760.

As the affected versions are not supported anymore upstream we won't be
issuing patch releases addressing this vulnerability. Official patches
(signed with the security team's GPG key) for Rust 1.19.0 to Rust 1.25.0
are available here:

https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992

More information on the vulnerability can be found in the advisory:

https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ

Pietro.
Rust Security team