Update rust crate lru #5132
Comments
Description: A CVE was discovered in the Rust crate lru that 389-ds-base was using.
CVE-2021-45720 bundled lru: Use after free in lru crate
https://bugzilla.redhat.com/show_bug.cgi?id=2044430
relates: 389ds#5132
Reviewed by: ?
I'm doing builds for EPEL8 and I ran into problems with concread and lru crates: So we either have a broken build or a vulnerable one. I have a silly patch that changes edition in Cargo.toml for concread to 2018 and updates checksums. But I'm open to other suggestions.
We have to leave it vulnerable in EPEL I suspect, as it needs to be fixed in Fedora where the original CVE was found.
Not sure what else we can do besides wait for el8.6 (or el9?). I did see that we had pinned the version to 0.2.20, but I thought that was for RHEL, not EPEL. What is this patch you have, can we see it?
Here's the patch: https://src.fedoraproject.org/rpms/389-ds-base/blob/stable/f/concread-use-2018-edition.patch
Bug Description: an update to concread changed how the cache was constructed and how stats are used.
Fix Description: Update to adapt to these changes. Additionally this update has a number of performance improvements.
fixes: #5046
Author: William Brown <william@blackhats.net.au>
Review by: @vashirov, @droideck
Issue Description
A CVE was discovered in the Rust crate lru that 389-ds-base was using.
CVE-2021-45720 389-ds-base: bundled lru: Use after free in lru crate
https://bugzilla.redhat.com/show_bug.cgi?id=2044430