Your message dated Thu, 8 May 2025 16:57:07 +0200
with message-id <01705a07-18ce-4d29-8728-657ae143d12a@debian.org>
and subject line Re: Bug#1104114: unblock: rustc/1.85.0+dfsg3-1
has caused the Debian Bug report #1104114,
regarding unblock: rustc/1.85.0+dfsg3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1104114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104114
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: "Debian Bug Tracking System" <submit@bugs.debian.org>
- Subject: unblock: rustc/1.85.0+dfsg3-1
- From: Fabian Grünbichler <debian@fabian.gruenbichler.email>
- Date: Fri, 25 Apr 2025 21:28:12 +0200
- Message-id: <e1d7de5c-bd23-4865-b254-dd4358ab1ce0@app.fastmail.com>
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: rustc@packages.debian.org, debian-rust@lists.debian.org, debian@fabian.gruenbichler.email
Control: affects -1 + src:rustc
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rustc

[ Reason ]

The update is a targeted fix for two security issues:

* backport fix for gix-features CVE-2025-31130 which implements
  collision-resistant SHA1 in the vendored copy of the gix stack used by cargo
* cherry-pick fix for crossbeam-channel RUSTSEC-2025-0024 which fixes a double
  free in a synchronisation primitive in the std lib (which is actually a fork
  of the crossbeam-channel crate)

and one other trivial bug that would be annoying to have in Trixie:

* rust-lldb: fix lldb version (Closes: #1100950)

[ Impact ]

The issues mentioned above would not be fixed, making the rust-lldb package
broken, cargo at risk of SHA-1 collision attacks if using gix for fetching
crates.io index data or crate sources via git references, and code compiled
using rustc that uses the affected part of the std lib at risk of running into
the double free.

[ Tests ]

The quite extensive rustc test suite has been run as part of the build and has
shown no regression. The two security fixes are based on upstream fixes and are
almost bit-identical to the versions used to fix their standalone crate
packages. The rust-lldb change was manually tested by me.

[ Risks ]

The gix change is probably the biggest part of this update, as it completely
changes the SHA-1 implementation used. In case a problem is found with it,
cargo can be forced to use CLI git for git operations as a workaround. The
replacement crate is written by a reputable upstream and hasn't seen major
changes in over a year, so the associated risk should still be fairly low. It
also has been packaged as standalone crate in Debian, successfully being built
on all architectures including passing autopkgtests, with no patches required
so far.

[ Checklist ]

[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock rustc/1.85.0+dfsg3-1
--- End Message ---
--- Begin Message ---
- To: Fabian Grünbichler <debian@fabian.gruenbichler.email>, 1104114-done@bugs.debian.org
- Subject: Re: Bug#1104114: unblock: rustc/1.85.0+dfsg3-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 8 May 2025 16:57:07 +0200
- Message-id: <01705a07-18ce-4d29-8728-657ae143d12a@debian.org>
- In-reply-to: <3638715e-af2d-4d76-b8e2-b1aea7946b9d@debian.org>
- References: <e1d7de5c-bd23-4865-b254-dd4358ab1ce0@app.fastmail.com> <3638715e-af2d-4d76-b8e2-b1aea7946b9d@debian.org>
Hi,

On 26-04-2025 12:41, Paul Gevers wrote:
> On 25-04-2025 21:28, Fabian Grünbichler wrote:
>> Please unblock package rustc

And this migrated to testing.

Paul
--- End Message ---