LINUX.ORG.RU

Change history

Edit by Lrrr (current version):

Found a list of success stories here: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust

Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH

It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb")

a modern, innovative, best-in-class package manager

We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities

and this on top of it not verifying SSH keys

Cap’n Proto’s Rust implementation … are vulnerable to out-of-bounds read due to logic error handling list-of-list

I thought it said somewhere that "rust enforces bounds checks"?

totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time

secure generation of 2FA codes

An issue was discovered in the lru crate before 0.7.1 for Rust. The iterators have a use-after-free

memory-safe leftpad

etc., etc.

Original version by Lrrr:

Found a list of success stories here: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust

Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH

It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb")

a modern, innovative, best-in-class package manager

Cap’n Proto’s Rust implementation … are vulnerable to out-of-bounds read due to logic error handling list-of-list

I thought it said somewhere that "rust enforces bounds checks"?

totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time

secure generation of 2FA codes

An issue was discovered in the lru crate before 0.7.1 for Rust. The iterators have a use-after-free

memory-safe leftpad

etc., etc.
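The totp-rs item in the post says token comparison was not constant time. The Rust below is an added example, not code from the post, from totp-rs or from any crate it names: it puts the early-exit comparison pattern next to a constant-time one and counts how many byte positions each loop actually examines, so the timing leak is visible without a stopwatch. The `Cmp` struct, `verify_totp` and the six-digit sample codes are hypothetical.

```rust
use std::hint::black_box;

/// Outcome of one comparison: whether the codes matched and how many
/// byte positions the loop examined. The second field exists only to
/// make the timing behaviour observable in a test. (Hypothetical type.)
#[derive(Debug, PartialEq, Eq)]
pub struct Cmp {
    pub equal: bool,
    pub bytes_examined: usize,
}

/// Early-exit comparison, the pattern an advisory calls "not constant
/// time": the loop returns at the first differing byte, so a guess that
/// shares a longer prefix with the real code takes measurably longer.
pub fn compare_early_exit(expected: &[u8], guess: &[u8]) -> Cmp {
    if expected.len() != guess.len() {
        return Cmp { equal: false, bytes_examined: 0 };
    }
    let mut examined = 0;
    for (a, b) in expected.iter().zip(guess) {
        examined += 1;
        if a != b {
            return Cmp { equal: false, bytes_examined: examined };
        }
    }
    Cmp { equal: true, bytes_examined: examined }
}

/// Constant-time comparison: always walks the full length, folds every
/// byte difference into one accumulator with OR, and inspects the
/// accumulator only once at the end. `black_box` keeps the optimizer
/// from turning the loop back into an early exit.
pub fn compare_constant_time(expected: &[u8], guess: &[u8]) -> Cmp {
    // TOTP code length is public (6 or 8 digits), so branching on the
    // length leaks nothing an attacker does not already know.
    if expected.len() != guess.len() {
        return Cmp { equal: false, bytes_examined: 0 };
    }
    let mut diff: u8 = 0;
    let mut examined = 0;
    for (a, b) in expected.iter().zip(guess) {
        examined += 1;
        diff |= black_box(a ^ b);
    }
    Cmp { equal: black_box(diff) == 0, bytes_examined: examined }
}

/// Hypothetical verifier glue: the server compares the code it derived
/// for the current time step against the code the user typed.
pub fn verify_totp(server_code: &str, user_code: &str) -> bool {
    compare_constant_time(server_code.as_bytes(), user_code.as_bytes()).equal
}

fn main() {
    // Constructed sample: the "real" code and guesses sharing 0, 2, 4
    // and 6 leading digits with it.
    let real = b"483920";
    for guess in [b"000000", b"480000", b"483999", b"483920"] {
        let e = compare_early_exit(real, guess);
        let c = compare_constant_time(real, guess);
        println!(
            "guess {}: early-exit examined {} bytes, constant-time examined {}",
            std::str::from_utf8(guess).unwrap(),
            e.bytes_examined,
            c.bytes_examined
        );
    }
}
```

In production code the usual choice is an audited primitive such as `ConstantTimeEq` from the `subtle` crate rather than a hand-rolled loop; the point of the hand-rolled version here is only to show what "constant time" changes about the loop shape.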