RustSec

Rust is the fastest growing language on GitHub, and GitHub’s supply chain security features now help keep your Rust projects secure 🔒 https://t.co/c1TPjt9O2C

https://t.co/2MAqmT0NqO Comparing Rust supply chain safety tools

A malicious crate was uploaded to https://t.co/16Cy1fC9uP, targeting GitLab CI environments. Read more on the security advisory: https://t.co/GK487P32SF

The regex crate is vulnerable to denial of service attacks when parsing untrusted regexes (CVE-2022-24713). We released version 1.5.5, fixing the issue. Read the advisory: https://t.co/RO1pHDMBhT

The std::fs::remove_dir_all function in the Rust standard library is vulnerable to a race condition (CVE-2022-21658). We will release Rust 1.58.1 with the fix later today. Read the advisory: https://t.co/LtsRuDoANh

This is the first year that we've ever seen fewer advisories filed than the previous year! One reason why is because the bulk of advisories for vulnerabilities discovered by the Rudra static code analyzer were filed in 2020 https://t.co/0zw2uDN3YU

We have a security advisory for rustc today: https://t.co/7DErzVlHey We will have a 1.56.1 release out soon.

Heads up Rustsceans! You might have recently gotten a security vulnerability notification for RUSTSEC-2020-0071: a potential segfault impacting `time` v0.1 (cont’d) https://t.co/iyiUdXVJT3

Unfortunately we don’t have clear guidance for what to do. It impacts several major ecosystem crates including `chrono`. For the latest information, see the upstream issue on `time`: https://t.co/Tptk9M4y8W

This isn’t a false positive, but rather a case where the advisory has been updated to include earlier versions of the `time` crate. Unfortunately the fix is only in `time` v0.2, and it’s unclear if it can be backported to v0.1 due to API constraints.

@bodil question about the im/im-rc crates: we have a request to mark them as unmaintained in the RustSec Advisory Database: https://t.co/NP3datpdFt Is that ok? If you have any objections whatsoever we'll close the PR.