SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3092-1
Container Tags        : bci/rust:1.71 , bci/rust:1.71-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release     : 2.1
Severity              : important
Type                  : security
References            : 1213817 CVE-2023-38497
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2978-1
Released:    Wed Jul 26 09:56:57 2023
Summary:     Recommended update for rust, rust1.71
Type:        recommended
Severity:    moderate
References:

This update for rust and rust1.71 fixes the following issues:

This update ships rust1.71.

Version 1.71.0 (2023-07-13)
==========================

Language
--------

- Stabilize `raw-dylib`, `link_ordinal`, `import_name_type` and `-Cdlltool`.
- Uplift `clippy::{drop,forget}_{ref,copy}` lints.
- Type inference is more conservative around constrained vars.
- Use fulfillment to check `Drop` impl compatibility

Compiler
--------

- Evaluate place expression in `PlaceMention` making `let _ =` patterns more consistent with respect to the borrow checker.
- Add `--print deployment-target` flag for Apple targets.
- Stabilize `extern 'C-unwind'` and friends. The existing `extern 'C'` etc. may change behavior for cross-language unwinding in a future release.
- Update the version of musl used on `*-linux-musl` targets to 1.2.3 enabling [time64](https://musl.libc.org/time64.html) on 32-bit systems.
- Stabilize `debugger_visualizer` for embedding metadata like Microsoft's Natvis.
- Enable flatten-format-args by default.
- Make `Self` respect tuple constructor privacy.
- Improve niche placement by trying two strategies and picking the better result.
- Use `apple-m1` as the target CPU for `aarch64-apple-darwin`.
- Add Tier 3 support for the `x86_64h-apple-darwin` target.
- Promote `loongarch64-unknown-linux-gnu` to Tier 2 with host tools.

Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support.

Libraries
---------

- Rework handling of recursive panics. Additional panics are allowed while unwinding, as long as they are caught before escaping a `Drop` implementation, but panicking within a panic hook is now an immediate abort.
- Loosen `From<&[T]> for Box<[T]>` bound to `T: Clone`.
- Remove unnecessary `T: Send` bound in `Error for mpsc::SendError` and `TrySendError`.
- Fix docs for `alloc::realloc` to match `Layout` requirements that the size must not exceed `isize::MAX`.
- Document `const {}` syntax for `std::thread_local`. This syntax was stabilized in Rust 1.59, but not previously mentioned in release notes.

Stabilized APIs
---------------

- [`CStr::is_empty`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#method.is_empty)
- [`BuildHasher::hash_one`](https://doc.rust-lang.org/stable/std/hash/trait.BuildHasher.html#method.hash_one)
- [`NonZeroI*::is_positive`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_positive)
- [`NonZeroI*::is_negative`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_negative)
- [`NonZeroI*::checked_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.checked_neg)
- [`NonZeroI*::overflowing_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.overflowing_neg)
- [`NonZeroI*::saturating_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.saturating_neg)
- [`NonZeroI*::wrapping_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.wrapping_neg)
- [`Neg for NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-NonZeroI32)
- [`Neg for &NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-%26NonZeroI32)
- [`From<[T; N]> for (T...)`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C%5BT;+1%5D%3E-for-(T,)) (array to N-tuple for N in 1..=12)
- [`From<(T...)> for [T; N]`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C(T,)%3E-for-%5BT;+1%5D) (N-tuple to array for N in 1..=12)
- [`windows::io::AsHandle for Box`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Box%3CT%3E)
- [`windows::io::AsHandle for Rc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Rc%3CT%3E)
- [`windows::io::AsHandle for Arc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Arc%3CT%3E)
- [`windows::io::AsSocket for Box`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Box%3CT%3E)
- [`windows::io::AsSocket for Rc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Rc%3CT%3E)
- [`windows::io::AsSocket for Arc`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Arc%3CT%3E)

These APIs are now stable in const contexts:

- [`<*const T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read)
- [`<*const T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned)
- [`<*mut T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read-1)
- [`<*mut T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned-1)
- [`ptr::read`](https://doc.rust-lang.org/stable/std/ptr/fn.read.html)
- [`ptr::read_unaligned`](https://doc.rust-lang.org/stable/std/ptr/fn.read_unaligned.html)
- [`<[T]>::split_at`](https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_at)

Cargo
-----

- Allow named debuginfo options in `Cargo.toml`.
- Add `workspace_default_members` to the output of `cargo metadata`.
- `cargo add` now considers `rust-version` when selecting packages.
- Automatically inherit workspace fields when running `cargo new`/`cargo init`.

Rustdoc
-------

- Add a new `rustdoc::unescaped_backticks` lint for broken inline code.
- [Support strikethrough with single tildes.](https://github.com/rust-lang/rust/pull/111152/) (`~~old~~` vs. `~new~`)

Misc
----

Compatibility Notes
-------------------

- Remove structural match from `TypeId`. Code that uses a constant `TypeId` in a pattern will potentially be broken. Known cases have already been fixed -- in particular, users of the `log` crate's `kv_unstable` feature should update to `log v0.4.18` or later.
- Add a `sysroot` crate to represent the standard library crates. This does not affect stable users, but may require adjustment in tools that build their own standard library.
- Cargo optimizes its usage under `rustup`. When Cargo detects it will run `rustc` pointing to a rustup proxy, it'll try bypassing the proxy and use the underlying binary directly. There are assumptions around the interaction with rustup and `RUSTUP_TOOLCHAIN`. However, it's not expected to affect normal users.
- When querying a package, Cargo tries only the original name, all hyphens, and all underscores to handle misspellings. Previously, Cargo tried each combination of hyphens and underscores, causing excessive requests to crates.io.
- Cargo now disallows `RUSTUP_HOME` and `RUSTUP_TOOLCHAIN` in the `[env]` configuration table. This is considered to be not a use case Cargo would like to support, since it will likely cause problems or lead to confusion.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3251-1
Released:    Tue Aug 8 22:15:14 2023
Summary:     Security update for rust1.71
Type:        security
Severity:    important
References:  1213817,CVE-2023-38497

This update for rust1.71 fixes the following issues:

Update to version 1.71.1:

- CVE-2023-38497: Fixed privilege escalation with Cargo not respecting umask when extracting dependencies (bsc#1213817).

The following package changes have been done:

- rust1.71-1.71.1-150400.9.6.1 added
- cargo1.71-1.71.1-150400.9.6.1 added
- container:sles15-image-15.0.0-36.5.34 updated
- cargo1.70-1.70.0-150400.9.3.1 removed
- rust1.70-1.70.0-150400.9.3.1 removed
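
The following script is an added example, not part of the SUSE advisory or of Cargo: it audits a Cargo home for extracted dependency sources that other local users could modify, the condition behind CVE-2023-38497. It assumes Cargo's default cache layout (`$CARGO_HOME/registry/src`, falling back to `~/.cargo`); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SUSE or Cargo code): audit Cargo's extracted crate
# sources for paths that other local users could modify.
# Assumption: default layout, sources under $CARGO_HOME/registry/src.

# Print files and directories under $1 that are group- or world-writable.
list_loose_perms() {
    [ -d "$1" ] || return 0
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Number of such paths under $1.
count_loose_perms() {
    list_loose_perms "$1" | wc -l | tr -d ' '
}

# Remove group/other write bits from every path reported under $1.
tighten_perms() {
    list_loose_perms "$1" | while IFS= read -r path; do
        chmod go-w "$path"
    done
}

# Audit one Cargo home (default: $CARGO_HOME, else ~/.cargo).
# Returns 1 and lists the offending paths if any are found.
audit_cargo_cache() {
    cargo_home=${1:-${CARGO_HOME:-$HOME/.cargo}}
    src="$cargo_home/registry/src"
    n=$(count_loose_perms "$src")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n group/world-writable path(s) under $src"
        list_loose_perms "$src"
        return 1
    fi
    echo "OK: no group/world-writable paths under $src"
}

# Constructed sample: a fake Cargo home with one world-writable source file,
# as an archive extracted without applying the umask could leave behind.
make_sample_cache() {
    home=$(mktemp -d)
    crate="$home/registry/src/index.example-0000/demo-0.1.0"
    mkdir -p "$crate/src"
    : > "$crate/Cargo.toml"
    : > "$crate/src/lib.rs"
    chmod -R go-w "$home"
    chmod 666 "$crate/src/lib.rs"
    echo "$home"
}
```

Calling `audit_cargo_cache` with no argument checks the current user's cache; inside a container image it can be run as a build step after the package update.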