Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 6 Nov 2023 23:20:08 +0100
From: Pietro Albini <pietro@...troalbini.org>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE-2022-46176: Cargo does not check SSH host keys

Hello all,

 > I think the libgit2 issue was never brought to oss-security, so I am
 > passing its mention to here now.  Also per that thread, CVE-2022-46176
 > is only for the Cargo issue.  libgit2 was supposed to get its own CVE,
 > but no one in the thread knew whether they actually did.

The Rust project was in contact with the libgit2 maintainers to coordinate the 
two disclosures (that's why we mentioned it in the distros email), but some 
miscommunication happened and the libgit2 side of the advisory didn't end up 
being posted here by its maintainers.

libgit2's advisory is available here, and has CVE-2023-22742 assigned to it:

https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq

 > I don't know whether libgit2 was actually fixed on that date as planned.

The libgit2 advisory and fix ended up being published later, on January 20th.

Pietro.
Rust Security Response WG

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.