SUSE 5180 Published by

A rust, rust1.72 security update has been released for openSUSE Leap 15.4/15.5 and SUSE Linux Enterprise.



SUSE-SU-2023:3722-1: moderate: Security update for rust, rust1.72


# Security update for rust, rust1.72

Announcement ID: SUSE-SU-2023:3722-1
Rating: moderate
References:

* #1214689

Cross-References:

* CVE-2023-40030

CVSS scores:

* CVE-2023-40030 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2023-40030 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:

* Development Tools Module 15-SP4
* Development Tools Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for rust, rust1.72 fixes the following issues:

Changes in rust:

* Update to version 1.72.0 - for details see the rust1.72 package

Changes in rust1.72:

* CVE-2023-40030: fix minor non-exploited issue in cargo (bsc#1214689)

# Version 1.72.0 (2023-08-24)

## Language

* Replace const eval limit by a lint and add an exponential backoff warning
* expand: Change how `#![cfg(FALSE)]` behaves on crate root
* Stabilize inline asm for LoongArch64
* Uplift `clippy::undropped_manually_drops` lint
* Uplift `clippy::invalid_utf8_in_unchecked` lint
* Uplift `clippy::cast_ref_to_mut` lint
* Uplift `clippy::cmp_nan` lint
* resolve: Remove artificial import ambiguity errors
* Don't require associated types with Self: Sized bounds in `dyn Trait`
objects

## Compiler

* Remember names of `cfg`-ed out items to mention them in diagnostics
* Support for native WASM exceptions
* Add support for NetBSD/aarch64-be (big-endian arm64).
* Write to stdout if `-` is given as output file
* Force all native libraries to be statically linked when linking a static
binary
* Add Tier 3 support for `loongarch64-unknown-none*`
* Prevent `.eh_frame` from being emitted for `-C panic=abort`
* Support 128-bit enum variant in debuginfo codegen
* compiler: update solaris/illumos to enable tsan support.

Refer to Rust's platform support page for more information on Rust's tiered
platform support.

## Libraries

* Document memory orderings of `thread::{park, unpark}`
* io: soften ‘at most one write attempt’ requirement in io::Write::write
* Specify behavior of HashSet::insert
* Relax implicit `T: Sized` bounds on `BufReader<T>`,
`BufWriter<T>` and `LineWriter<T>`
* Update runtime guarantee for `select_nth_unstable`
* Return `Ok` on kill if process has already exited
* Implement PartialOrd for `Vec`s over different allocators
* Use 128 bits for TypeId hash
* Don't drain-on-drop in DrainFilter impls of various collections.
* Make `{Arc,Rc,Weak}::ptr_eq` ignore pointer metadata

## Rustdoc

* Allow whitespace as path separator like double colon
* Add search result item types after their name
* Search for slices and arrays by type with `[]`
* Clean up type unification and "unboxing"

## Stabilized APIs

* `impl<T: Send> Sync for mpsc::Sender<T>`
* `impl TryFrom<&OsStr> for &str`
* `String::leak`

These APIs are now stable in const contexts:

* `CStr::from_bytes_with_nul`
* `CStr::to_bytes`
* `CStr::to_bytes_with_nul`
* `CStr::to_str`

## Cargo

* Enable `-Zdoctest-in-workspace` by default. When running each documentation
test, the working directory is set to the root directory of the package the
test belongs to.
* Add support of the "default" keyword to reset previously set `build.jobs`
parallelism back to the default.

## Compatibility Notes

* Alter `Display` for `Ipv6Addr` for IPv4-compatible addresses
* Cargo changed feature name validation check to a hard error. The warning was
added in Rust 1.49. These extended characters aren't allowed on crates.io,
so this should only impact users of other registries, or people who don't
publish to a registry.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2023-3722=1 openSUSE-SLE-15.4-2023-3722=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-3722=1

* Development Tools Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-3722=1

* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-3722=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* cargo1.72-1.72.0-150400.9.3.1
* cargo1.72-debuginfo-1.72.0-150400.9.3.1
* rust1.72-debuginfo-1.72.0-150400.9.3.1
* cargo-1.72.0-150400.24.24.1
* rust-1.72.0-150400.24.24.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586 nosrc)
* rust1.72-1.72.0-150400.9.3.1
* openSUSE Leap 15.4 (nosrc)
* rust1.72-test-1.72.0-150400.9.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* cargo1.72-1.72.0-150400.9.3.1
* cargo1.72-debuginfo-1.72.0-150400.9.3.1
* rust1.72-debuginfo-1.72.0-150400.9.3.1
* cargo-1.72.0-150400.24.24.1
* rust-1.72.0-150400.24.24.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 nosrc)
* rust1.72-1.72.0-150400.9.3.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* cargo1.72-1.72.0-150400.9.3.1
* cargo1.72-debuginfo-1.72.0-150400.9.3.1
* rust1.72-debuginfo-1.72.0-150400.9.3.1
* cargo-1.72.0-150400.24.24.1
* rust-1.72.0-150400.24.24.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64 nosrc)
* rust1.72-1.72.0-150400.9.3.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cargo1.72-1.72.0-150400.9.3.1
* cargo1.72-debuginfo-1.72.0-150400.9.3.1
* rust1.72-debuginfo-1.72.0-150400.9.3.1
* cargo-1.72.0-150400.24.24.1
* rust-1.72.0-150400.24.24.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64 nosrc)
* rust1.72-1.72.0-150400.9.3.1

## References:

* https://www.suse.com/security/cve/CVE-2023-40030.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214689