Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2551 SUSE: Security update for rust, rust-cbindgen for embedded openssl vulnerability 27 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rust rust-cbindgen Publisher: SUSE Operating System: SUSE Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-1967 Reference: ESB-2020.1390 ESB-2020.1381 Original Bulletin: https://www.suse.com/support/update/announcement/2020/suse-su-20202041-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for rust, rust-cbindgen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:2041-1 Rating: moderate References: #1115645 #1154817 #1173202 Cross-References: CVE-2020-1967 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for rust, rust-cbindgen fixes the following issues: rust was updated for use by Firefox 76ESR. o Fixed miscompilations with rustc 1.43 that lead to LTO failures (bsc# 1173202) Update to version 1.43.1 o Updated openssl-src to 1.1.1g for CVE-2020-1967. o Fixed the stabilization of AVX-512 features. o Fixed `cargo package --list` not working with unpublished dependencies. Update to version 1.43.0 o Language: o Fixed using binary operations with `&{number}` (e.g. `&1.0`) not having the type inferred correctly. o Attributes such as `#[cfg()]` can now be used on `if` expressions. o Syntax only changes: * Allow `type Foo: Ord` syntactically. * Fuse associated and extern items up to defaultness. * Syntactically allow `self` in all `fn` contexts. * Merge `fn` syntax + cleanup item parsing. * `item` macro fragments can be interpolated into `trait`s, `impl`s, and `extern` blocks. For example, you may now write: ```rust macro_rules! mac_trait { ($i:item) => { trait T { $i } } } mac_trait! { fn foo() {} } ``` * These are still rejected *semantically*, so you will likely receive an error but these changes can be seen and parsed by macros and conditional compilation. o Compiler o You can now pass multiple lint flags to rustc to override the previous flags. For example; `rustc -D unused -A unused-variables` denies everything in the `unused` lint group except `unused-variables` which is explicitly allowed. However, passing `rustc -A unused-variables -D unused` denies everything in the `unused` lint group **including** `unused-variables` since the allow flag is specified before the deny flag (and therefore overridden). o rustc will now prefer your system MinGW libraries over its bundled libraries if they are available on `windows-gnu`. o rustc now buffers errors/warnings printed in JSON. Libraries: o `Arc<[T; N]>`, `Box<[T; N]>`, and `Rc<[T; N]>`, now implement `TryFrom >`, `TryFrom >`, and `TryFrom >` respectively. **Note** These conversions are only available when `N` is `0..=32`. o You can now use associated constants on floats and integers directly, rather than having to import the module. e.g. You can now write `u32::MAX` or `f32::NAN` with no imports. o `u8::is_ascii` is now `const`. o `String` now implements `AsMut `. o Added the `primitive` module to `std` and `core`. This module reexports Rust's primitive types. This is mainly useful in macros where you want avoid these types being shadowed. o Relaxed some of the trait bounds on `HashMap` and `HashSet`. o `string::FromUtf8Error` now implements `Clone + Eq`. o Stabilized APIs o `Once::is_completed` o `f32::LOG10_2` o `f32::LOG2_10` o `f64::LOG10_2` o `f64::LOG2_10` o `iter::once_with` o Cargo - - You can now set config `[profile]`s in your `.cargo/config`, or through your environment. - Cargo will now set `CARGO_BIN_EXE_ ` pointing to a binary's executable path when running integration tests or benchmarks. ` ` is the name of your binary as-is e.g. If you wanted the executable path for a binary named `my-program`you would use `env!("CARGO_BIN_EXE_my-program")`. o Misc - - Certain checks in the `const_err` lint were deemed unrelated to const evaluation, and have been moved to the `unconditional_panic` and `arithmetic_overflow` lints. o Compatibility Notes - - Having trailing syntax in the `assert!` macro is now a hard error. This has been a warning since 1.36.0. - Fixed `Self` not having the correctly inferred type. This incorrectly led to some instances being accepted, and now correctly emits a hard error. Update to version 1.42.0: o Language - - You can now use the slice pattern syntax with subslices. - You can now use # [repr(transparent)] on univariant enums. Meaning that you can create an enum that has the exact layout and ABI of the type it contains. - There are some syntax-only changes: * default is syntactically allowed before items in trait definitions. * Items in impls (i.e. consts, types, and fns) may syntactically leave out their bodies in favor of ;. * Bounds on associated types in impls are now syntactically allowed (e.g. type Foo: Ord;). * ... (the C-variadic type) may occur syntactically directly as the type of any function parameter. These are still rejected semantically, so you will likely receive an error but these changes can be seen and parsed by procedural macros and conditional compilation. o Compiler - - Added tier 2 support for armv7a-none-eabi. - Added tier 2 support for riscv64gc-unknown-linux-gnu. - Option::{expect,unwrap} and Result::{expect, expect_err, unwrap, unwrap_err} now produce panic messages pointing to the location where they were called, rather than core's internals. Refer to Rust's platform support page for more information on Rust's tiered platform support. o Libraries - - iter::Empty now implements Send and Sync for any T. - Pin::{map_unchecked, map_unchecked_mut} no longer require the return type to implement Sized. - io::Cursor now derives PartialEq and Eq. - Layout::new is now const. - Added Standard Library support for riscv64gc-unknown-linux-gnu. o Stabilized APIs - - CondVar::wait_while - CondVar::wait_timeout_while - DebugMap::key - DebugMap::value - ManuallyDrop::take - matches! - ptr::slice_from_raw_parts_mut - - ptr::slice_from_raw_parts o Cargo - - You no longer need to include extern crate proc_macro; to be able to use proc_macro; in the 2018 edition. o Compatibility Notes - - Error::description has been deprecated, and its use will now produce a warning. It's recommended to use Display/to_string instead. Update to version 1.41.1: - - Always check types of static items - Always check lifetime bounds of `Copy` impls - Fix miscompilation in callers of `Layout::repeat` Update to version 1.41.0: o Language - - You can now pass type parameters to foreign items when implementing traits. E.g. You can now write `impl From for Vec {}`. - You can now arbitrarily nest receiver types in the `self` position. E.g. you can now write `fn foo(self: Box >) {}`. Previously only `Self`, `&Self;`, `&mut; Self`, `Arc `, `Rc `, and `Box ` were allowed. - You can now use any valid identifier in a `format_args` macro. Previously identifiers starting with an underscore were not allowed. - Visibility modifiers (e.g. `pub`) are now syntactically allowed on trait items and enum variants. These are still rejected semantically, but can be seen and parsed by procedural macros and conditional compilation. o Compiler - - Rustc will now warn if you have unused loop `'label`s. - Removed support for the `i686-unknown-dragonfly` target. - Added tier 3 support\* for the `riscv64gc-unknown-linux-gnu` target. - You can now pass an arguments file passing the `@path` syntax to rustc. Note that the format differs somewhat from what is found in other tooling; please see the documentation for more information. - You can now provide `--extern` flag without a path, indicating that it is available from the search path or specified with an `-L` flag. Refer to Rust's [platform support page][forge-platform-support] for more information on Rust's tiered platform support. o Libraries - - The `core::panic` module is now stable. It was already stable through `std`. - - `NonZero*` numerics now implement `From ` if it's a smaller integer width. E.g. `NonZeroU16` now implements `From `. - `MaybeUninit ` now implements `fmt::Debug`. o Stabilized APIs - - `Result::map_or` - `Result::map_or_else` - `std::rc::Weak::weak_count` - `std::rc::Weak::strong_count` - `std::sync::Weak::weak_count` - `std::sync::Weak::strong_count` o Cargo - - Cargo will now document all the private items for binary crates by default. - `cargo-install` will now reinstall the package if it detects that it is out of date. - Cargo.lock now uses a more git friendly format that should help to reduce merge conflicts. - You can now override specific dependencies's build settings. E.g. `[profile.dev.package.image] opt-level = 2` sets the `image` crate's optimisation level to `2` for debug builds. You can also use `[profile. .build-override]` to override build scripts and their dependencies. o Misc - - You can now specify `edition` in documentation code blocks to compile the block for that edition. E.g. `edition2018` tells rustdoc that the code sample should be compiled the 2018 edition of Rust. - You can now provide custom themes to rustdoc with `--theme`, and check the current theme with `--check-theme`. - You can use `#[cfg(doc)]` to compile an item when building documentation. o Compatibility Notes - - As previously announced 1.41.0 will be the last tier 1 release for 32-bit Apple targets. This means that the source code is still available to build, but the targets are no longer being tested and release binaries for those platforms will no longer be distributed by the Rust project. Please refer to the linked blog post for more information. o Bump version of libssh2 for SLE15; we now need a version with libssh2_userauth_publickey_frommemory(), which appeared in libssh2 1.6.0. Update to version 1.40.0 o Language - - You can now use tuple `struct`s and tuple `enum` variant's constructors in `const` contexts. e.g. pub struct Point(i32, i32); const ORIGIN: Point = { let constructor = Point; constructor(0, 0) }; - You can now mark `struct`s, `enum `s, and `enum` variants with the `#[non_exhaustive]` attribute to indicate that there may be variants or fields added in the future. For example this requires adding a wild-card branch (`_ => {}`) to any match statements on a non-exhaustive `enum`. - You can now use function-like procedural macros in `extern` blocks and in type positions. e.g. `type Generated = macro!();` - Function-like and attribute procedural macros can now emit `macro_rules!` items, so you can now have your macros generate macros. - The `meta` pattern matcher in `macro_rules!` now correctly matches the modern attribute syntax. For example `(#[$m:meta])` now matches `#[attr]`, `#[attr{tokens}]`, `#[attr [tokens]]`, and `#[attr(tokens)]`. o Compiler - - Added tier 3 support\* for the `thumbv7neon-unknown-linux-musleabihf` target. - - Added tier 3 support for the `aarch64-unknown-none-softfloat` target. - Added tier 3 support for the `mips64-unknown-linux-muslabi64`, and `mips64el-unknown-linux-muslabi64` targets. o Libraries - - The `is_power_of_two` method on unsigned numeric types is now a `const` function. o Stabilized APIs - - BTreeMap::get_key_value - HashMap::get_key_value - Option::as_deref_mut - Option::as_deref - Option::flatten - UdpSocket::peer_addr - f32::to_be_bytes - f32::to_le_bytes - f32::to_ne_bytes - f64::to_be_bytes - f64::to_le_bytes - f64::to_ne_bytes - f32::from_be_bytes - f32::from_le_bytes - f32::from_ne_bytes - - f64::from_be_bytes - f64::from_le_bytes - f64::from_ne_bytes - mem::take - slice::repeat - todo! o Cargo - - Cargo will now always display warnings, rather than only on fresh builds. - Feature flags (except `--all-features`) passed to a virtual workspace will now produce an error. Previously these flags were ignored. - You can now publish `dev-dependencies` without including a `version`. o Misc - - You can now specify the `#[cfg(doctest)]` attribute to include an item only when running documentation tests with `rustdoc`. o Compatibility Notes - - As previously announced, any previous NLL warnings in the 2015 edition are now hard errors. - The `include!` macro will now warn if it failed to include the entire file. The `include!` macro unintentionally only includes the first _expression_ in a file, and this can be unintuitive. This will become either a hard error in a future release, or the behavior may be fixed to include all expressions as expected. - Using `#[inline]` on function prototypes and consts now emits a warning under `unused_attribute` lint. Using `#[inline]` anywhere else inside traits or `extern` blocks now correctly emits a hard error. Update to version 1.39.0 o Language - - You can now create async functions and blocks with async fn, async move {}, and async {} respectively, and you can now call .await on async expressions. - You can now use certain attributes on function, closure, and function pointer parameters. - You can now take shared references to bind-by-move patterns in the if guards of match arms. o Compiler - - Added tier 3 support for the i686-unknown-uefi target. - Added tier 3 support for the sparc64-unknown-openbsd target. - rustc will now trim code snippets in diagnostics to fit in your terminal. - You can now pass --show-output argument to test binaries to print the output of successful tests. o For more details: https://github.com/rust-lang/rust/blob/stable/RELEASES.md#version-1390-2019 - -11-07 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXx5PmONLKJtyKPYoAQglAQ//Sz/Gu54Fo5t0zqKMQYqbeLFxxmRoqEIS BoXiehHPkNIWVKywuYsw//8w5xHEQsXj8ojUjx/3D32bPXLK0a/nuEvfsrHnrNrG dibPKwrV3YJD3pZO3SlomV2fb28rtxa37BzwStMvfVa3E9ydqC4KTNj7gRv5z1P3 r4tl1HhTlvQCAjLu3ZbyRVqflWjz8I3EwF9cT7kjCME+4YlYmM8imFRoWy96EG1b BLG1O5V5LIzO6X1qUfcJEz+hj1HlJuVICtQaM20CZB27OJoZxuECFwzUxGM7ESCg IOYVLT27YOvuXjkwBlvJ33TScPaVoZnge4tXZBHofIVwcvkCrnRDNmTVup4DNPJ/ 4hv7kACMGIXhOauXgQyHLrvwrotZ9F6DnyXEpOVtzrIf5C5H654gaJDVvr9oVHrJ oKrL7IxhIH6KdBxysXupBN1K4xy4dHckJ91hsuAzs2HgTQkcBt09/7+D3GV1grVc jHCpRH3KJ+7if+u30c35fBJqrVi/z0ol91/spD2L74gkJygGHD84yqwrH3b76GjF fYvmhBcMHuMPElc3vJOZdR2enOdIB9QMDHLhY7o8DmAGnfo8Smi7feu6zmRBwUkV kh3pbnkukUhu3eqSd+2BOKPJ91+/qLQkkGBQsnxVYrQ/1lO87IC5CG9nf9ayT+KV SZctRi3laFc= =n2QA -----END PGP SIGNATURE-----