Debian Patches
Status for rust-cargo/0.91.0-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| disable-vendor.patch | | | no | | | |
| disable-non-linux.patch | | | no | | | |
| relax-curl.patch | | | no | | | |
| drop-tracing-chrome.patch | | | no | | | |
| drop-vendored-libsqlite3.patch | | | no | | | |
| relax-blake3.patch | | | no | | | |
| rand-0.10.patch | | | no | | | |
| relax-other-deps.patch | | | no | | | |
| CVE-2026-5222-avoid-stripping-.git-suffix-when-for-non-gi.patch | CVE-2026-5222: avoid stripping .git suffix when for non git registries | Arlo Siemsen <arkixml@gmail.com> | no | | | 2026-05-25 |
| CVE-2026-5223-prohibit-unpacking-symlinks-and-other-unexp.patch | CVE-2026-5223: prohibit unpacking symlinks and other unexpected entries Cargo has historically not allowed creating .crate packages containing symlinks. (It packages the symlink target in place of the symlink, instead.) So, any package containing a symlink would have to be hand-constructed. Such packages are also not allowed on crates.io, so it could only come from an alternate registry. Rather than dealing with symlink traversal attacks when unpacking a crate, just prohibit symlinks entirely. In the process, also prohibit other kinds of unusual entries. As an exception, allow character devices but warn about them, because some exist in crates on crates.io. | Josh Triplett <josh@joshtriplett.org> | no | | | 2026-03-30 |
