An update for rust is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1237 Final 1.0 1.0 2025-03-07 Initial 2025-03-07 2025-03-07 openEuler SA Tool V1.0 2025-03-07 rust security update An update for rust is now available for openEuler-22.03-LTS-SP3 Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator. Security Fix(es): Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. (CVE-2022-46176) Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.(CVE-2023-38497) An update for rust is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High rust https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1237 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-46176 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-38497 https://nvd.nist.gov/vuln/detail/CVE-2022-46176 https://nvd.nist.gov/vuln/detail/CVE-2023-38497 openEuler-22.03-LTS-SP3 rust-1.76.0-1.oe2203sp3.src.rpm rust-debugger-common-1.76.0-1.oe2203sp3.noarch.rpm rust-gdb-1.76.0-1.oe2203sp3.noarch.rpm rust-lldb-1.76.0-1.oe2203sp3.noarch.rpm rust-src-1.76.0-1.oe2203sp3.noarch.rpm cargo-1.76.0-1.oe2203sp3.aarch64.rpm clippy-1.76.0-1.oe2203sp3.aarch64.rpm rust-1.76.0-1.oe2203sp3.aarch64.rpm rust-analyzer-1.76.0-1.oe2203sp3.aarch64.rpm rust-debuginfo-1.76.0-1.oe2203sp3.aarch64.rpm rust-debugsource-1.76.0-1.oe2203sp3.aarch64.rpm rust-help-1.76.0-1.oe2203sp3.aarch64.rpm rust-std-static-1.76.0-1.oe2203sp3.aarch64.rpm rustfmt-1.76.0-1.oe2203sp3.aarch64.rpm cargo-1.76.0-1.oe2203sp3.x86_64.rpm clippy-1.76.0-1.oe2203sp3.x86_64.rpm rust-1.76.0-1.oe2203sp3.x86_64.rpm rust-analyzer-1.76.0-1.oe2203sp3.x86_64.rpm rust-debuginfo-1.76.0-1.oe2203sp3.x86_64.rpm rust-debugsource-1.76.0-1.oe2203sp3.x86_64.rpm rust-help-1.76.0-1.oe2203sp3.x86_64.rpm rust-std-static-1.76.0-1.oe2203sp3.x86_64.rpm rustfmt-1.76.0-1.oe2203sp3.x86_64.rpm Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. 2025-03-07 CVE-2022-46176 openEuler-22.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N rust security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1237 Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`. 2025-03-07 CVE-2023-38497 openEuler-22.03-LTS-SP3 High 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H rust security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1237