I see that Gentoo has work in progress to patch 1.51.0 for this and other recent CVEs, but the description suggests that versions before 1.53.0 are vulnerable. So, will the fix for this be included in 1.52.0? If so, you might wish to dispute the CVE, or at least the details. I see that 1.52.0 is due this week, but alpha is 1.54.0, i.e. 1.53.0 has disappeared.
I note that there have been previous 'patch' releases (e.g. for 1.45) and am disappointed that an apparently very important vulnerability has not mentioned similar treatment. It is bad enough that distributions have to rebuild everything which uses rust in case the vulnerable item was pulled in (just like the old "a vulnerable static zlib version was shipped by many packages" problem from years ago), but not having a fixed release makes claims about security look unviable.
Please correct me if I am wrong.
And yes, this is a security issue, but the CVE is already public and rated as Critical, e.g. https://nvd.nist.gov/
#83618 has a related CVE, CVE-2021-31162.