Hi Moritz,

On Mon, Jan 15, 2024 at 08:49:04PM +0100, Moritz Muehlenhoff wrote:
> Source: rust-tracing
> Version: 0.1.37-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> https://rustsec.org/advisories/RUSTSEC-2023-0078.html
> https://github.com/tokio-rs/tracing/pull/2765
> Fixed by:
> https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
> (tracing-0.1.40)

Please double-check, but I think no Debian released version was ever affected.

The issue is fixed in 0.1.40 already upstream, with the above commit (backed by https://rustsec.org/advisories/RUSTSEC-2023-0078.html). The issue, on the other hand, is introduced in https://github.com/tokio-rs/tracing/commit/3a65354837a0f176178e15787fc700dd6fa11a92 which is first in 0.1.38.

In unstable we only ever had 0.1.37-1, then moved to 0.1.40-1.

Regards,
Salvatore