Bump rust version to mitigate CVE-2022-21658 #2255
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BlackDex
requested changes
Jan 23, 2022
Cargo.toml
Outdated
| @@ -3,7 +3,7 @@ name = "vaultwarden" | |||
| version = "1.0.0" | |||
| authors = ["Daniel García <[email protected]>"] | |||
| edition = "2021" | |||
| rust-version = "1.57" | |||
| rust-version = "1.58" | |||
There was a problem hiding this comment.
This actually should be 1.60 since the nightly version 2022-01-23 is that version.
And since this branch needs nightly i think it would be better to change it to v1.60.
| @@ -3,7 +3,7 @@ | |||
| # This file was generated using a Jinja2 template. | |||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | |||
|
|
|||
| {% set build_stage_base_image = "rust:1.57-buster" %} | |||
| {% set build_stage_base_image = "rust:1.58-buster" %} | |||
| {% if "alpine" in target_file %} | |||
| {% if "amd64" in target_file %} | |||
| {% set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-nightly-2021-12-25" %} | |||
There was a problem hiding this comment.
You should also change the nightly version here.
This prevents downloading the the rust toolchain during building, since it is already installed.
It should be done for all build_stage_base_image parameters.
dscottboggs
force-pushed
the
fix/CVE-2022-21658
branch
from
e4f39d7
to
85c0aa1
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CVE-2022-21658 is a vulnerability in the Rust standard library. Updating to the latest rust nightly brings in the changes from Rust 1.58.1 which mitigate this issue.
See also Rust#93110. Crucially, this may require further attention.