
CVE-2019-16760 does not disambiguate between the cargo lib and the cargo bin #1111

Closed
lu-zero opened this issue Nov 25, 2021 · 3 comments

Comments

@lu-zero

lu-zero commented Nov 25, 2021

The latest cargo version is 0.57; the CVE marks any version before 1.26 as insecure.

Please change the db to point to 0.25 instead.

@tarcieri
Member

tarcieri commented Nov 29, 2021

The advisories filed in the rust/ directory are versioned according to the Rust releases, and not the crate version numbers used by the respective subprojects. Likewise, the associated wording for the advisories uses those version numbers as well.

We have, on occasion, thought about making associated advisories in the crates/ directory, which could use the crate version numbers instead.
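The version-namespace mismatch described above, as an added example (this is not code from RustSec, deps.rs or cargo): a rust/ advisory such as CVE-2019-16760 writes its patched range in Rust release numbers (">= 1.26.0", per the thread), while the `cargo` crate on crates.io carries a 0.x version. A scanner that compares the crate's own version against that range flags every 0.x release as vulnerable. The example uses a minimal hand-written semver comparator (no external crates) and assumes, for illustration only, that cargo crate 0.57.0 belongs to the Rust 1.56 release; the `Advisory`, `naive_is_vulnerable` and `release_is_vulnerable` names are the example's own.

```rust
// Added example, not part of the RustSec advisory database or deps.rs.
use std::cmp::Ordering;

/// Minimal "major.minor.patch" triple; pre-release tags and build metadata
/// are deliberately unsupported in this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "1.26", "1.26.0", "0.57.0"; missing components default to 0.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major: u64 = parts.next()?.parse().ok()?;
        let minor: u64 = parts.next().unwrap_or("0").parse().ok()?;
        let patch: u64 = parts.next().unwrap_or("0").parse().ok()?;
        if parts.next().is_some() {
            return None; // more than three components
        }
        Some(Version { major, minor, patch })
    }
}

/// One comparator of a `patched` range, e.g. ">= 1.26.0" or "< 1.26.0".
#[derive(Debug)]
pub enum Req {
    Ge(Version),
    Lt(Version),
}

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix(">=") {
            Version::parse(rest).map(Req::Ge)
        } else if let Some(rest) = s.strip_prefix('<') {
            Version::parse(rest).map(Req::Lt)
        } else {
            None
        }
    }

    pub fn matches(&self, v: Version) -> bool {
        match self {
            Req::Ge(bound) => v.cmp(bound) != Ordering::Less,
            Req::Lt(bound) => v.cmp(bound) == Ordering::Less,
        }
    }
}

/// An advisory from the rust/ directory: `patched` is expressed in Rust
/// release numbers, not in the crate's own version numbers.
pub struct Advisory {
    pub id: &'static str,
    pub patched: &'static str,
}

/// CVE-2019-16760 as described in the thread: fixed in Rust 1.26.
pub const CARGO_ADVISORY: Advisory = Advisory {
    id: "CVE-2019-16760",
    patched: ">= 1.26.0",
};

/// The mistake a crate-version-keyed scanner makes: it compares the `cargo`
/// crate's version (0.x) against a range written in Rust release numbers.
pub fn naive_is_vulnerable(adv: &Advisory, crate_version: &str) -> bool {
    let req = Req::parse(adv.patched).expect("unsupported patched spec");
    let v = Version::parse(crate_version).expect("malformed crate version");
    !req.matches(v)
}

/// Correct check for rust/ advisories: key on the Rust release the binary
/// or crate was shipped with. The caller supplies that release (e.g. from
/// `rustc --version`); the crate-to-release mapping is not derived here.
pub fn release_is_vulnerable(adv: &Advisory, rust_release: &str) -> bool {
    let req = Req::parse(adv.patched).expect("unsupported patched spec");
    let v = Version::parse(rust_release).expect("malformed release version");
    !req.matches(v)
}

fn main() {
    // Assumption for the example: cargo crate 0.57.0 belongs to Rust 1.56.
    let crate_version = "0.57.0";
    let rust_release = "1.56.0";
    println!(
        "{}: naive (crate version {}) -> vulnerable={}",
        CARGO_ADVISORY.id,
        crate_version,
        naive_is_vulnerable(&CARGO_ADVISORY, crate_version)
    );
    println!(
        "{}: keyed on Rust release {} -> vulnerable={}",
        CARGO_ADVISORY.id,
        rust_release,
        release_is_vulnerable(&CARGO_ADVISORY, rust_release)
    );
}
```

The naive check reports 0.57.0 as vulnerable because 0.57.0 < 1.26.0 numerically, which is exactly the false positive a crate-version-keyed tool produces on a rust/ advisory; keying the comparison on the toolchain release instead gives the intended answer. A scanner that consumes both crates/ and rust/ advisories therefore has to know which version namespace each advisory's range lives in before comparing.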

@lu-zero
Author

lu-zero commented Nov 29, 2021

Something in deps.rs seems to pick the version wrong. I guess I should report it there, then. Sorry for the noise.

@pinkforest
Contributor

There is a wider discussion around what to do with the rust/ directory in future, including rustc, here:
#1353

Closing this old issue - re-open if we need to do something around this specifically.
