cargo1.53-1.53.0-2.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11360 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cargo1.53-1.53.0-2.5 on GA media These are all security issues fixed in the cargo1.53-1.53.0-2.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11360 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11360 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1000622/ SUSE CVE CVE-2018-1000622 page https://www.suse.com/security/cve/CVE-2019-12083/ SUSE CVE CVE-2019-12083 page https://www.suse.com/security/cve/CVE-2020-1967/ SUSE CVE CVE-2020-1967 page openSUSE Tumbleweed cargo1.53-1.53.0-2.5 cargo1.53-doc-1.53.0-2.5 rls1.53-1.53.0-2.5 rust1.53-1.53.0-2.5 rust1.53-analysis-1.53.0-2.5 rust1.53-doc-1.53.0-2.5 rust1.53-gdb-1.53.0-2.5 rust1.53-src-1.53.0-2.5 cargo1.53-1.53.0-2.5 as a component of openSUSE Tumbleweed cargo1.53-doc-1.53.0-2.5 as a component of openSUSE Tumbleweed rls1.53-1.53.0-2.5 as a component of openSUSE Tumbleweed rust1.53-1.53.0-2.5 as a component of openSUSE Tumbleweed rust1.53-analysis-1.53.0-2.5 as a component of openSUSE Tumbleweed rust1.53-doc-1.53.0-2.5 as a component of openSUSE Tumbleweed rust1.53-gdb-1.53.0-2.5 as a component of openSUSE Tumbleweed rust1.53-src-1.53.0-2.5 as a component of openSUSE Tumbleweed The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1. CVE-2018-1000622 openSUSE Tumbleweed:cargo1.53-1.53.0-2.5 openSUSE Tumbleweed:cargo1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rls1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-analysis-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-gdb-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-src-1.53.0-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000622.html CVE-2018-1000622 https://bugzilla.suse.com/1100691 SUSE Bug 1100691 The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected. CVE-2019-12083 openSUSE Tumbleweed:cargo1.53-1.53.0-2.5 openSUSE Tumbleweed:cargo1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rls1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-analysis-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-gdb-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-src-1.53.0-2.5 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12083.html CVE-2019-12083 https://bugzilla.suse.com/1134978 SUSE Bug 1134978 Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). CVE-2020-1967 openSUSE Tumbleweed:cargo1.53-1.53.0-2.5 openSUSE Tumbleweed:cargo1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rls1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-analysis-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-doc-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-gdb-1.53.0-2.5 openSUSE Tumbleweed:rust1.53-src-1.53.0-2.5 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-1967.html CVE-2020-1967 https://bugzilla.suse.com/1169407 SUSE Bug 1169407