Bug#988729: [Pkg-rust-maintainers] Bug#988729: CVE-2021-21299

2021-05-24 Thread Moritz Mühlenhoff
Am Wed, May 19, 2021 at 07:39:55PM +0200 schrieb Fabian Grünbichler:
> On May 18, 2021 8:42 pm, Moritz Muehlenhoff wrote:
> > Source: rust-hyper
> > Severity: grave
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team 
> > 
> > CVE-2021-21299:
> > https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
> > https://rustsec.org/advisories/RUSTSEC-2021-0020.html
> 
> FWIW, (rust-hyper) doesn't have any rdeps in bullseye AFAICT[1], so it
> could either be ignored there or removed from bullseye without
> consequences.

No strong opinion, but if there are really no rdeps yet, it's probably better
to hint it out of testing.

Cheers,
Moritz
Bug#988729: [Pkg-rust-maintainers] Bug#988729: CVE-2021-21299

2021-05-19 Thread Fabian Grünbichler
On May 18, 2021 8:42 pm, Moritz Muehlenhoff wrote:
> Source: rust-hyper
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team 
> 
> CVE-2021-21299:
> https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
> https://rustsec.org/advisories/RUSTSEC-2021-0020.html

FWIW, (rust-hyper) doesn't have any rdeps in bullseye AFAICT[1], so it
could either be ignored there or removed from bullseye without
consequences.

for bullseye+1, I plan on updating it as soon as sid is unfrozen again,
but the dependency chain needed for that update is quite big so it might
take a bit to pass through NEW etc (which was also the reason why it
didn't get updated in time pre-freeze). there are no affected rdeps in
unstable either though, as they are all using hyper as client, not
server.

1: dev/list-rdeps.sh from debcargo-conf agrees