Bug#986803: [Pkg-rust-maintainers] Bug#986803: CVE-2021-28875 CVE-2021-28876 CVE-2021-28877 CVE-2021-28878 CVE-2021-28879 CVE-2020-36317 CVE-2020-36318

2021-05-18 Thread Moritz Mühlenhoff
Sorry for the late reply, got backlogged in my inbox.

On Mon, Apr 12, 2021 at 11:18:16AM +0100, Ximin Luo wrote:
> It looks like these CVEs affect all versions up to 1.52 (which is not yet 
> released).
> 
> Do you have links to patches fixing these bugs that can be backported to 
> 1.48? We've had 1.48 for a while due to the migration freeze, and I've been 
> informed that some rust packages in Debian break with newer versions of rustc 
> and will need themselves to be updated - so I'd rather not force that during 
> the freeze, I'd rather backport security fixes to 1.48.

Not sure if there are backports for 1.48; if these aren't easily
backportable, let's bullseye-ignore them for now. The next rustc update
for the subsequent Mozilla ESR will catch up with those anyway.

Cheers,
Moritz



Bug#986803: [Pkg-rust-maintainers] Bug#986803: CVE-2021-28875 CVE-2021-28876 CVE-2021-28877 CVE-2021-28878 CVE-2021-28879 CVE-2020-36317 CVE-2020-36318

2021-04-12 Thread Ximin Luo
It looks like these CVEs affect all versions up to 1.52 (which is not yet 
released).

Do you have links to patches fixing these bugs that can be backported to 1.48? 
We've had 1.48 for a while due to the migration freeze, and I've been informed 
that some rust packages in Debian break with newer versions of rustc and will 
need themselves to be updated - so I'd rather not force that during the freeze, 
I'd rather backport security fixes to 1.48.

Best,
Ximin

Moritz Muehlenhoff:
> Package: rustc
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team 
> 


-- 
GPG: ed25519/56034877E1F87C35
https://github.com/infinity0/pubkeys.git