rustyhorde / vergen

Generate cargo instructions at compile time in build scripts for use with the env! or option_env! macros
Apache License 2.0
349 stars 55 forks

RUSTSEC-2024-0335 #339

Closed github-actions[bot] closed 2 months ago

github-actions[bot] commented 3 months ago

‼️ RUSTSEC-2024-0335 ‼️

https://rustsec.org/advisories/RUSTSEC-2024-0335

Crate:     gix-transport
Version:   0.41.2
Title:     gix-transport indirect code execution via malicious username
Date:      2024-04-13
ID:        RUSTSEC-2024-0335
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0335
Solution:  Upgrade to >=0.42.0
Dependency tree:
gix-transport 0.41.2
└── gix-protocol 0.44.2
    └── gix 0.61.0
        ├── vergen-gix 1.0.0
        │   └── vergen-pretty 0.3.3
        └── test_util 0.1.1
            ├── vergen-lib 0.1.2
            │   ├── vergen-gix 1.0.0
            │   ├── vergen-gitcl 1.0.0
            │   ├── vergen-git2 1.0.0
            │   └── vergen 9.0.0
            │       ├── vergen-gix 1.0.0
            │       ├── vergen-gitcl 1.0.0
            │       └── vergen-git2 1.0.0
            ├── vergen-gix 1.0.0
            ├── vergen-gitcl 1.0.0
            ├── vergen-git2 1.0.0
            └── vergen 9.0.0

vbrandl commented 2 weeks ago

@rustyhorde could you publish another 8.* release with an updated version of gix? This causes security warnings in my projects, since vergen 8 depends on a vulnerable version of gix.

CraZySacX commented 2 weeks ago

> @rustyhorde could you publish another 8.* release with an updated version of gix? This causes security warnings in my projects, since vergen 8 depends on a vulnerable version of gix.

Version 8.3.2 has been published.