Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories

openSUSE Tumbleweed cargo Moderate Security Risk Alert for CVE-2026-31812

An update that solves one vulnerability can now be installed.

# cargo1.93-1.93.0-3.1 on GA media

Announcement ID: openSUSE-SU-2026:10383-1
Rating: moderate

Cross-References:

* CVE-2026-31812

CVSS scores:

* CVE-2026-31812 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-31812 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the cargo1.93-1.93.0-3.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * cargo1.93 1.93.0-3.1
  * rust1.93 1.93.0-3.1
  * rust1.93-src 1.93.0-3.1

## References:

* https://www.suse.com/security/cve/CVE-2026-31812.html

Update available for openSUSE Tumbleweed's cargo package addressing a moderate security issue.

openSUSE Tumbleweed, cargo package, security update, software patch, security advisory.

LinuxSecurity.com Team

Mar 19, 2026 OpenSUSE

Assessing Immediate Risk for openSUSE Leap 15.5 Vulnerability Alerts

An update that solves one vulnerability can now be installed.

# cargo1.92-1.92.0-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10382-1
Rating: moderate

Cross-References:

* CVE-2026-31812

CVSS scores:

* CVE-2026-31812 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-31812 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the cargo1.92-1.92.0-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * cargo1.92 1.92.0-2.1
  * rust1.92 1.92.0-2.1
  * rust1.92-src 1.92.0-2.1

## References:

* https://www.suse.com/security/cve/CVE-2026-31812.html

Update available for openSUSE Tumbleweed addressing a moderate issue in cargo software, enhancing system security.

openSUSE cargo security moderate CVE-2026-31812.

LinuxSecurity.com Team

Mar 19, 2026 OpenSUSE

openSUSE 15.4/15.5: SUSE-SU-2023:3722-1 Moderate: Rust Security Fix

This update for rust, rust1.72 fixes the following issues: Changes in rust:

# Security update for rust, rust1.72

Announcement ID: SUSE-SU-2023:3722-1
Rating: moderate

References:

* #1214689

Cross-References:

* CVE-2023-40030

CVSS scores:

* CVE-2023-40030 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2023-40030 (NVD): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:

* Development Tools Module 15-SP4
* Development Tools Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for rust, rust1.72 fixes the following issues:

Changes in rust:

* Update to version 1.72.0 - for details see the rust1.72 package

Changes in rust1.72:

* CVE-2023-40030: fix minor non-exploited issue in cargo (bsc#1214689)

# Version 1.72.0 (2023-08-24)

## Language

* Replace const eval limit by a lint and add an exponential backoff warning
* expand: Change how `#![cfg(FALSE)]` behaves on crate root
* Stabilize inline asm for LoongArch64
* Uplift `clippy::undropped_manually_drops` lint
* Uplift `clippy::invalid_utf8_in_unchecked` lint
* Uplift `clippy::cast_ref_to_mut` lint
* Uplift `clippy::cmp_nan` lint
* resolve: Remove artificial import ambiguity errors
* Don't require associated types with Self: Sized bounds in `dyn Trait` objects

## Compiler

* Remember names of `cfg`-ed out items to mention them in diagnostics
* Support for native WASM exceptions
* Add support for NetBSD/aarch64-be (big-endian arm64).
* Write to stdout if `-` is given as output file
* Force all native libraries to be statically linked when linking a static binary
* Add Tier 3 support for `loongarch64-unknown-none*`
* Prevent `.eh_frame` from being emitted for `-C panic=abort`
* Support 128-bit enum variant in debuginfo codegen
* compiler: update solaris/illumos to enable tsan support.

Refer to Rust's platform support page for more information on Rust's tiered platform support.

## Libraries

* Document memory orderings of `thread::{park, unpark}`
* io: soften ‘at most one write attempt’ requirement in io::Write::write
* Specify behavior of HashSet::insert
* Relax implicit `T: Sized` bounds on `BufReader `, `BufWriter ` and `LineWriter `
* Update runtime guarantee for `select_nth_unstable`
* Return `Ok` on kill if process has already exited
* Implement PartialOrd for `Vec`s over different allocators
* Use 128 bits for TypeId hash
* Don't drain-on-drop in DrainFilter impls of various collections.
* Make `{Arc,Rc,Weak}::ptr_eq` ignore pointer metadata

## Rustdoc

* Allow whitespace as path separator like double colon
* Add search result item types after their name
* Search for slices and arrays by type with `[]`
* Clean up type unification and "unboxing"

## Stabilized APIs

* `impl Sync for mpsc::Sender `
* `impl TryFrom for &str`
* `String::leak`

These APIs are now stable in const contexts:

* `CStr::from_bytes_with_nul`
* `CStr::to_bytes`
* `CStr::to_bytes_with_nul`
* `CStr::to_str`

## Cargo

* Enable `-Zdoctest-in-workspace` by default. When running each documentation test, the working directory is set to the root directory of the package the test belongs to.
* Add support of the "default" keyword to reset previously set `build.jobs` parallelism back to the default.

## Compatibility Notes

* Alter `Display` for `Ipv6Addr` for IPv4-compatible addresses
* Cargo changed feature name validation check to a hard error. The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io, so this should only impact users of other registries, or people who don't publish to a registry.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  zypper in -t patch SUSE-2023-3722=1 openSUSE-SLE-15.4-2023-3722=1
* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-3722=1
* Development Tools Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-3722=1
* Development Tools Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-3722=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * cargo1.72-1.72.0-150400.9.3.1
  * cargo1.72-debuginfo-1.72.0-150400.9.3.1
  * rust1.72-debuginfo-1.72.0-150400.9.3.1
  * cargo-1.72.0-150400.24.24.1
  * rust-1.72.0-150400.24.24.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586 nosrc)
  * rust1.72-1.72.0-150400.9.3.1
* openSUSE Leap 15.4 (nosrc)
  * rust1.72-test-1.72.0-150400.9.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * cargo1.72-1.72.0-150400.9.3.1
  * cargo1.72-debuginfo-1.72.0-150400.9.3.1
  * rust1.72-debuginfo-1.72.0-150400.9.3.1
  * cargo-1.72.0-150400.24.24.1
  * rust-1.72.0-150400.24.24.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 nosrc)
  * rust1.72-1.72.0-150400.9.3.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * cargo1.72-1.72.0-150400.9.3.1
  * cargo1.72-debuginfo-1.72.0-150400.9.3.1
  * rust1.72-debuginfo-1.72.0-150400.9.3.1
  * cargo-1.72.0-150400.24.24.1
  * rust-1.72.0-150400.24.24.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64 nosrc)
  * rust1.72-1.72.0-150400.9.3.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * cargo1.72-1.72.0-150400.9.3.1
  * cargo1.72-debuginfo-1.72.0-150400.9.3.1
  * rust1.72-debuginfo-1.72.0-150400.9.3.1
  * cargo-1.72.0-150400.24.24.1
  * rust-1.72.0-150400.24.24.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64 nosrc)
  * rust1.72-1.72.0-150400.9.3.1

## References:

* https://www.suse.com/security/cve/CVE-2023-40030.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214689

Explore the most recent enhancements in Rust, version 1.72, focusing on addressing security vulnerabilities with a medium rating and delivering crucial patches.

Rust Update, openSUSE Update, Development Tools, Cargo Security.

LinuxSecurity.com Team

Sep 21, 2023 OpenSUSE

Rocky Linux 8 RLSA-2023:4635 Important: Cargo Extraction Issue

Important: rust-toolset:rhel8 security update.

{
  "type": "TYPE_SECURITY",
  "shortCode": "RL",
  "name": "RLSA-2023:4635",
  "synopsis": "Important: rust-toolset:rhel8 security update",
  "severity": "SEVERITY_IMPORTANT",
  "topic": "An update is available for module.rust, rust.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list",
  "description": "Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. \n\nSecurity Fix(es):\n\n* rust-cargo: cargo does not respect the umask when extracting dependencies (CVE-2023-38497)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "solution": null,
  "affectedProducts": ["Rocky Linux 8"],
  "fixes": [
    {"ticket": "2228038", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2228038", "description": ""}
  ],
  "cves": [
    {"name": "CVE-2023-38497", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2023-38497", "cvss3ScoringVector": "UNKNOWN", "cvss3BaseScore": "UNKNOWN", "cwe": "UNKNOWN"}
  ],
  "references": [],
  "publishedAt": "2023-08-24T04:21:04.204171Z",
  "rpms": {
    "Rocky Linux 8": {
      "nvras": [
        "cargo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "cargo-debuginfo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "clippy-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "clippy-debuginfo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-0:1.66.1-2.module+el8.8.0+1428+0690fcea.src.rpm",
        "rust-analysis-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-analyzer-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-analyzer-debuginfo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-debugger-common-0:1.66.1-2.module+el8.8.0+1428+0690fcea.noarch.rpm",
        "rust-debuginfo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-debugsource-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-doc-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rustfmt-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rustfmt-debuginfo-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-gdb-0:1.66.1-2.module+el8.8.0+1428+0690fcea.noarch.rpm",
        "rust-lldb-0:1.66.1-2.module+el8.8.0+1428+0690fcea.noarch.rpm",
        "rust-src-0:1.66.1-2.module+el8.8.0+1428+0690fcea.noarch.rpm",
        "rust-std-static-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-std-static-wasm32-unknown-unknown-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-std-static-wasm32-wasi-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm",
        "rust-toolset-0:1.66.1-2.module+el8.8.0+1428+0690fcea.aarch64.rpm"
      ]
    }
  },
  "rebootSuggested": false,
  "buildReferences": []
}

Critical vulnerability addressed in rust-toolset for Rocky Linux 8. Review the patch notes for specifics and assess the potential impact of this security concern.

Rust Toolset, Rocky Linux 8, Security Update, Cargo Fixes, Important Advisory.

Severity: Important.

LinuxSecurity.com Team

Aug 24, 2023 Important Rocky Linux

Red Hat Enterprise Linux 9 RHSA-2023-4634-01: Important Rust Security Issue

An update for rust is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: rust security update
Advisory ID: RHSA-2023:4634-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4634
Issue date: 2023-08-14
CVE Names: CVE-2023-38497
=====================================================================

1. Summary:

An update for rust is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.

Security Fix(es):

* rust-cargo: cargo does not respect the umask when extracting dependencies (CVE-2023-38497)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2228038 - CVE-2023-38497 rust-cargo: cargo does not respect the umask when extracting dependencies

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
rust-1.66.1-2.el9_2.src.rpm

aarch64:
cargo-1.66.1-2.el9_2.aarch64.rpm
cargo-debuginfo-1.66.1-2.el9_2.aarch64.rpm
clippy-1.66.1-2.el9_2.aarch64.rpm
clippy-debuginfo-1.66.1-2.el9_2.aarch64.rpm
rust-1.66.1-2.el9_2.aarch64.rpm
rust-analysis-1.66.1-2.el9_2.aarch64.rpm
rust-analyzer-1.66.1-2.el9_2.aarch64.rpm
rust-analyzer-debuginfo-1.66.1-2.el9_2.aarch64.rpm
rust-debuginfo-1.66.1-2.el9_2.aarch64.rpm
rust-debugsource-1.66.1-2.el9_2.aarch64.rpm
rust-doc-1.66.1-2.el9_2.aarch64.rpm
rust-std-static-1.66.1-2.el9_2.aarch64.rpm
rust-toolset-1.66.1-2.el9_2.aarch64.rpm
rustfmt-1.66.1-2.el9_2.aarch64.rpm
rustfmt-debuginfo-1.66.1-2.el9_2.aarch64.rpm

noarch:
rust-debugger-common-1.66.1-2.el9_2.noarch.rpm
rust-gdb-1.66.1-2.el9_2.noarch.rpm
rust-lldb-1.66.1-2.el9_2.noarch.rpm
rust-src-1.66.1-2.el9_2.noarch.rpm
rust-std-static-wasm32-unknown-unknown-1.66.1-2.el9_2.noarch.rpm
rust-std-static-wasm32-wasi-1.66.1-2.el9_2.noarch.rpm

ppc64le:
cargo-1.66.1-2.el9_2.ppc64le.rpm
cargo-debuginfo-1.66.1-2.el9_2.ppc64le.rpm
clippy-1.66.1-2.el9_2.ppc64le.rpm
clippy-debuginfo-1.66.1-2.el9_2.ppc64le.rpm
rust-1.66.1-2.el9_2.ppc64le.rpm
rust-analysis-1.66.1-2.el9_2.ppc64le.rpm
rust-analyzer-1.66.1-2.el9_2.ppc64le.rpm
rust-analyzer-debuginfo-1.66.1-2.el9_2.ppc64le.rpm
rust-debuginfo-1.66.1-2.el9_2.ppc64le.rpm
rust-debugsource-1.66.1-2.el9_2.ppc64le.rpm
rust-doc-1.66.1-2.el9_2.ppc64le.rpm
rust-std-static-1.66.1-2.el9_2.ppc64le.rpm
rust-toolset-1.66.1-2.el9_2.ppc64le.rpm
rustfmt-1.66.1-2.el9_2.ppc64le.rpm
rustfmt-debuginfo-1.66.1-2.el9_2.ppc64le.rpm

s390x:
cargo-1.66.1-2.el9_2.s390x.rpm
cargo-debuginfo-1.66.1-2.el9_2.s390x.rpm
clippy-1.66.1-2.el9_2.s390x.rpm
clippy-debuginfo-1.66.1-2.el9_2.s390x.rpm
rust-1.66.1-2.el9_2.s390x.rpm
rust-analysis-1.66.1-2.el9_2.s390x.rpm
rust-analyzer-1.66.1-2.el9_2.s390x.rpm
rust-analyzer-debuginfo-1.66.1-2.el9_2.s390x.rpm
rust-debuginfo-1.66.1-2.el9_2.s390x.rpm
rust-debugsource-1.66.1-2.el9_2.s390x.rpm
rust-doc-1.66.1-2.el9_2.s390x.rpm
rust-std-static-1.66.1-2.el9_2.s390x.rpm
rust-toolset-1.66.1-2.el9_2.s390x.rpm
rustfmt-1.66.1-2.el9_2.s390x.rpm
rustfmt-debuginfo-1.66.1-2.el9_2.s390x.rpm

x86_64:
cargo-1.66.1-2.el9_2.x86_64.rpm
cargo-debuginfo-1.66.1-2.el9_2.i686.rpm
cargo-debuginfo-1.66.1-2.el9_2.x86_64.rpm
clippy-1.66.1-2.el9_2.x86_64.rpm
clippy-debuginfo-1.66.1-2.el9_2.i686.rpm
clippy-debuginfo-1.66.1-2.el9_2.x86_64.rpm
rust-1.66.1-2.el9_2.x86_64.rpm
rust-analysis-1.66.1-2.el9_2.x86_64.rpm
rust-analyzer-1.66.1-2.el9_2.x86_64.rpm
rust-analyzer-debuginfo-1.66.1-2.el9_2.i686.rpm
rust-analyzer-debuginfo-1.66.1-2.el9_2.x86_64.rpm
rust-debuginfo-1.66.1-2.el9_2.i686.rpm
rust-debuginfo-1.66.1-2.el9_2.x86_64.rpm
rust-debugsource-1.66.1-2.el9_2.i686.rpm
rust-debugsource-1.66.1-2.el9_2.x86_64.rpm
rust-doc-1.66.1-2.el9_2.x86_64.rpm
rust-std-static-1.66.1-2.el9_2.i686.rpm
rust-std-static-1.66.1-2.el9_2.x86_64.rpm
rust-toolset-1.66.1-2.el9_2.x86_64.rpm
rustfmt-1.66.1-2.el9_2.x86_64.rpm
rustfmt-debuginfo-1.66.1-2.el9_2.i686.rpm
rustfmt-debuginfo-1.66.1-2.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2023-38497
https://access.redhat.com/security/updates/classification#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list

Red Hat announces a crucial enhancement for Rust in Enterprise Linux 9, targeting major vulnerability issues and bolstering overall security.

Rust Update, Red Hat, Security Advisory, Software Fix, Important Update.

Severity: Important.

LinuxSecurity.com Team

Aug 14, 2023 Important Red Hat

Ubuntu 22.04 LTS USN-6275-1 Moderate Cargo Code Execution Threat

Cargo could be made to run programs as your login if it installed a specially crafted crate.

==========================================================================
Ubuntu Security Notice USN-6275-1
August 03, 2023

cargo, rust-cargo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Cargo could be made to run programs as your login if it installed a specially crafted crate.

Software Description:

- cargo: Rust package manager
- rust-cargo: Rust package manager - feature "openssl"

Details:

Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
  cargo 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1
  librust-cargo+openssl-dev 0.57.0-1ubuntu0.1~esm1
  librust-cargo-dev 0.57.0-1ubuntu0.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  cargo 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  cargo 0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  cargo 0.47.0-1~exp1ubuntu1~16.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:

  https://ubuntu.com/security/notices/USN-6275-1
  CVE-2023-38497

Ubuntu users should be cautious with the Cargo package manager; malicious crates might exploit your permissions. Verify package integrity from trusted sources before use.

Ubuntu Security, Cargo Vulnerability, Rust Package Manager, File Permissions Issue, Local Code Execution.

LinuxSecurity.com Team

Aug 03, 2023 Ubuntu