git: d1352617650b - main - security/vuxml: Document Rust vulnerability
Date: Mon, 31 Jan 2022 08:27:50 UTC
The branch main has been updated by brnrd:
URL: https://cgit.FreeBSD.org/ports/commit/?id=d1352617650b04b868a93dfc9ee1ec14667997fb
commit d1352617650b04b868a93dfc9ee1ec14667997fb
Author: Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2022-01-31 08:27:47 +0000
Commit: Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2022-01-31 08:27:47 +0000
security/vuxml: Document Rust vulnerability
---
security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 5eee9b2fb07f..fea7a30aac6a 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,34 @@
+ <vuln vid="ee26f513-826e-11ec-8be6-d4c9ef517024">
+ <topic>Rust -- Race condition enabling symlink following</topic>
+ <affects>
+ <package>
+ <name>rust</name>
+ <range><lt>1.58.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SO-AND-SO reports:</p>
+ <blockquote cite="https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html">
+ <p>The Rust Security Response WG was notified that the
+ std::fs::remove_dir_all standard library function is vulnerable to a
+ race condition enabling symlink following (CWE-363). An attacker could
+ use this security issue to trick a privileged program into deleting
+ files and directories the attacker couldn't otherwise access or
+ delete.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-21658</cvename>
+ <url>https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html</url>
+ </references>
+ <dates>
+ <discovery>2022-01-20</discovery>
+ <entry>2022-01-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b0c83e1a-8153-11ec-84f9-641c67a117d8">
<topic>varnish -- Request Smuggling Vulnerability</topic>
<affects>
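Review bot: The attribution line `<p>SO-AND-SO reports:</p>` in the new entry is the template placeholder left unfilled; going by the quoted text and the `cite` URL it should read `<p>The Rust Security Response WG reports:</p>`. The `<affects>` block names only the `rust` package with `<lt>1.58.1</lt>`, so any other port that ships the same standard library (a nightly toolchain port, if the tree has one) would need its own `<package>` element before `pkg audit` flags it; that is worth confirming against the ports tree. Since the flaw is in `std::fs::remove_dir_all`, binaries built with an older toolchain presumably keep the vulnerable code until they are rebuilt, which a version range on `rust` alone does not convey to users of those packages.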