
Bump rust version to mitigate CVE-2022-21658 #2255

Merged
merged 1 commit into from
Jan 23, 2022

Conversation

dscottboggs
Contributor

CVE-2022-21658 is a vulnerability in the Rust standard library. Updating to the latest rust nightly brings in the changes from Rust 1.58.1 which mitigate this issue.

See also Rust#93110. Crucially, this may require further attention.

Cargo.toml Outdated
@@ -3,7 +3,7 @@ name = "vaultwarden"
version = "1.0.0"
authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
edition = "2021"
rust-version = "1.57"
rust-version = "1.58"
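Review bot: the `rust-version = "1.58"` on the changed line is a minimum-supported-version floor, not a toolchain pin, and it still admits 1.58.0, which predates the fix the description attributes to 1.58.1; either set it to `"1.58.1"` (the field accepts a patch component) or, since the description says this branch builds on nightly, make the value match what that nightly actually reports rather than the 1.58 stable series. Either way the compiler used for the build is selected by the Dockerfile base images, so this line alone does not guarantee a patched toolchain.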
Collaborator


This actually should be 1.60 since the nightly version 2022-01-23 is that version.
And since this branch needs nightly I think it would be better to change it to v1.60.

@@ -3,7 +3,7 @@
# This file was generated using a Jinja2 template.
# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.

{% set build_stage_base_image = "rust:1.57-buster" %}
{% set build_stage_base_image = "rust:1.58-buster" %}
{% if "alpine" in target_file %}
{% if "amd64" in target_file %}
{% set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-nightly-2021-12-25" %}
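Review bot: only the `rust:1.57-buster` default is bumped here; the `blackdex/rust-musl:x86_64-musl-nightly-2021-12-25` assignment in the trailing context is the image the alpine targets actually build with, and a nightly dated 2021-12-25 predates the 1.58.1 fix this PR exists to pick up, so those tags need to move to a nightly dated after the fix as well. The floating `rust:1.58-buster` tag will resolve to the newest 1.58.x patch release but is mutable; pinning the patch level (for example `rust:1.58.1-buster`, if the registry offers that tag) makes the patched compiler a verifiable property of the build rather than an assumption about registry state.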
Collaborator


You should also change the nightly version here.
This prevents downloading the rust toolchain during building, since it is already installed.
It should be done for all build_stage_base_image parameters.

@dani-garcia dani-garcia merged commit a64a400 into dani-garcia:main Jan 23, 2022

3 participants