|
191 | 191 |
|
192 | 192 | ### Changed
|
193 | 193 |
|
194 |
| -- [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p): |
| 194 | +- 🚨 [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p): |
195 | 195 | Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports.
|
196 | 196 | To mitigate this, feature name validation check is now turned into a hard error.
|
197 | 197 | The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io,
|
|
326 | 326 |
|
327 | 327 | ### Fixed
|
328 | 328 |
|
329 |
| -- [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87): |
| 329 | +- 🚨 [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87): |
330 | 330 | Cargo 1.71.1 or later respects umask when extracting crate archives. It also
|
331 | 331 | purges the caches it tries to access if they were generated by older Cargo versions.
|
332 | 332 |
|
|
1005 | 1005 | ## Cargo 1.66.1 (2023-01-10)
|
1006 | 1006 |
|
1007 | 1007 | ### Fixed
|
1008 |
| -- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j): |
| 1008 | +- 🚨 [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j): |
1009 | 1009 | Added validation of SSH host keys for git URLs.
|
1010 | 1010 | See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys.
|
1011 | 1011 |
|
|
1231 | 1231 |
|
1232 | 1232 | ### Fixed
|
1233 | 1233 |
|
1234 |
| -- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j): |
| 1234 | +- 🚨 [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j): |
1235 | 1235 | Extracting malicious crates can corrupt arbitrary files.
|
1236 | 1236 | [#11089](https://github.com/rust-lang/cargo/pull/11089)
|
1237 | 1237 | [#11088](https://github.com/rust-lang/cargo/pull/11088)
|
1238 |
| -- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp): |
| 1238 | +- 🚨 [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp): |
1239 | 1239 | Extracting malicious crates can fill the file system.
|
1240 | 1240 | [#11089](https://github.com/rust-lang/cargo/pull/11089)
|
1241 | 1241 | [#11088](https://github.com/rust-lang/cargo/pull/11088)
|
|
0 commit comments