Date: Mon, 6 Nov 2023 23:20:08 +0100 From: Pietro Albini <pietro@...troalbini.org> To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com Subject: Re: CVE-2022-46176: Cargo does not check SSH host keys Hello all, > I think the libgit2 issue was never brought to oss-security, so I am > passing its mention to here now. Also per that thread, CVE-2022-46176 > is only for the Cargo issue. libgit2 was supposed to get its own CVE, > but no one in the thread knew whether they actually did. The Rust project was in contact with the libgit2 maintainers to coordinate the two disclosures (that's why we mentioned it in the distros email), but some miscommunication happened and the libgit2 side of the advisory didn't end up being posted here by its maintainers. libgit2's advisory is available here, and has CVE-2023-22742 assigned to it: https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq > I don't know whether libgit2 was actually fixed on that date as planned. The libgit2 advisory and fix ended up being published later, on January 20th. Pietro. Rust Security Response WG
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.