cargo audit bin reports RustSec advisories in rustup 1.29.0 binary #4872

@bernardopg

Description

Summary

cargo audit bin reports RustSec advisories in the currently published rustup 1.29.0 (28d1352db 2026-03-05) binary installed by rustup.

This was found during a local system audit on Arch Linux. rustup update reports rustup itself is already up to date, so there is no user-side update available that clears the advisory report.

Environment

  • OS: Arch Linux
  • Kernel: 7.0.10-arch1-1
  • rustup: rustup 1.29.0 (28d1352db 2026-03-05)
  • active rustc: rustc 1.95.0 (59807616e 2026-04-14)
  • cargo-audit: cargo-audit 0.22.1

Reproduction

cargo audit bin ~/.cargo/bin/rustup

Reported advisories

  • rustls-webpki 0.103.9
    • RUSTSEC-2026-0049
    • RUSTSEC-2026-0098
    • RUSTSEC-2026-0099
    • RUSTSEC-2026-0104
  • tar 0.4.44
    • RUSTSEC-2026-0067
    • RUSTSEC-2026-0068
  • tracing-subscriber 0.3.19
    • RUSTSEC-2025-0055
  • rand 0.9.2 / rand 0.10.0
    • RUSTSEC-2026-0097 warning

cargo audit bin also warns that the binary was not built with cargo-auditable, so the dependency recovery may be incomplete.

Expected outcome

A rebuilt rustup release with patched dependencies, or guidance on whether these findings are known false positives / not applicable to the distributed binary.

I noticed the dependency dashboard and lockfile maintenance PR, but I could not find a dedicated issue tracking the published binary audit result.
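As an added example (not part of the issue above or of the rustup project), the following Python script turns a `cargo audit --json` style report into a per-crate summary and a simple pass/fail gate, so that findings like the ones listed can be triaged in CI: vulnerabilities fail the check, warnings and a missing cargo-auditable section are reported but do not. The crate names, versions and RUSTSEC ids in the sample are copied from the issue; the JSON layout is an assumption about cargo-audit's output format, and the "unsound" warning kind used for the rand entries is a placeholder, since the issue only says "warning".

```python
import json
from collections import defaultdict

# Constructed report. Crate names, versions and RUSTSEC ids are those listed
# in the issue; the JSON layout is an assumption about cargo-audit's --json
# output, and the "unsound" kind for the rand warning is a placeholder (the
# issue only says "warning").
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 7,
        "list": [
            {"advisory": {"id": "RUSTSEC-2026-0049", "package": "rustls-webpki"},
             "package": {"name": "rustls-webpki", "version": "0.103.9"}},
            {"advisory": {"id": "RUSTSEC-2026-0098", "package": "rustls-webpki"},
             "package": {"name": "rustls-webpki", "version": "0.103.9"}},
            {"advisory": {"id": "RUSTSEC-2026-0099", "package": "rustls-webpki"},
             "package": {"name": "rustls-webpki", "version": "0.103.9"}},
            {"advisory": {"id": "RUSTSEC-2026-0104", "package": "rustls-webpki"},
             "package": {"name": "rustls-webpki", "version": "0.103.9"}},
            {"advisory": {"id": "RUSTSEC-2026-0067", "package": "tar"},
             "package": {"name": "tar", "version": "0.4.44"}},
            {"advisory": {"id": "RUSTSEC-2026-0068", "package": "tar"},
             "package": {"name": "tar", "version": "0.4.44"}},
            {"advisory": {"id": "RUSTSEC-2025-0055", "package": "tracing-subscriber"},
             "package": {"name": "tracing-subscriber", "version": "0.3.19"}},
        ],
    },
    "warnings": {
        "unsound": [
            {"kind": "unsound",
             "advisory": {"id": "RUSTSEC-2026-0097", "package": "rand"},
             "package": {"name": "rand", "version": "0.9.2"}},
            {"kind": "unsound",
             "advisory": {"id": "RUSTSEC-2026-0097", "package": "rand"},
             "package": {"name": "rand", "version": "0.10.0"}},
        ],
        # Yanked-crate warnings carry no advisory record, only the package.
        "yanked": [],
    },
})


def summarize(report_json):
    """Group advisory ids by 'crate version', separating vulnerabilities from warnings."""
    report = json.loads(report_json)
    by_crate = defaultdict(lambda: {"vulnerabilities": [], "warnings": []})
    for entry in report.get("vulnerabilities", {}).get("list", []):
        pkg = entry["package"]
        key = f'{pkg["name"]} {pkg["version"]}'
        by_crate[key]["vulnerabilities"].append(entry["advisory"]["id"])
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            pkg = entry["package"]
            key = f'{pkg["name"]} {pkg["version"]}'
            # A warning without an advisory id (e.g. a yanked crate) is
            # recorded under its kind alone.
            label = entry.get("advisory", {}).get("id", kind)
            by_crate[key]["warnings"].append(f"{label} ({kind})")
    return dict(by_crate)


def gate(report_json, auditable):
    """CI-style decision: fail on any vulnerability; warnings and a binary
    without cargo-auditable metadata are reported but do not fail the check."""
    summary = summarize(report_json)
    messages = []
    failed = False
    if not auditable:
        messages.append("note: binary lacks cargo-auditable data; "
                        "dependency recovery may be incomplete")
    for crate, findings in sorted(summary.items()):
        if findings["vulnerabilities"]:
            failed = True
            messages.append(f"FAIL {crate}: {', '.join(findings['vulnerabilities'])}")
        for warning in findings["warnings"]:
            messages.append(f"WARN {crate}: {warning}")
    return (not failed), messages


if __name__ == "__main__":
    ok, lines = gate(SAMPLE_REPORT, auditable=False)
    print("\n".join(lines))
    print("result:", "pass" if ok else "fail")
```

Feeding the real output of `cargo audit bin --json <binary>` into `gate()` instead of the constructed sample gives the same three-way split the issue reports by hand: advisories that need a rebuilt binary, warnings that need a judgement call, and the note that a non-auditable binary may hide further dependencies.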
