Source: rust-tokio
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for rust-tokio. I haven't checked whether this is a Windows-specific issue or whether rust-tokio as packaged in Debian would also be affected if e.g. operating on a Samba share:

CVE-2023-22466[0]:
| Tokio is a runtime for writing applications with Rust. Starting with
| version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when
| configuring a Windows named pipe server, setting `pipe_mode` will
| reset `reject_remote_clients` to `false`. If the application has
| previously configured `reject_remote_clients` to `true`, this
| effectively undoes the configuration. Remote clients may only access
| the named pipe if the named pipe's associated path is accessible via a
| publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have
| been patched. The fix will also be present in all releases starting
| from version 1.24.0. Named pipes were introduced to Tokio in version
| 1.7.0, so releases older than 1.7.0 are not affected. As a workaround,
| ensure that `pipe_mode` is set first after initializing a
| `ServerOptions`.

https://rustsec.org/advisories/RUSTSEC-2023-0001.html
https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22466
    https://www.cve.org/CVERecord?id=CVE-2023-22466

Please adjust the affected versions in the BTS as needed.
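The advisory quoted above describes a builder-ordering defect: a `pipe_mode` setter that wipes out a previously set `reject_remote_clients`. The following is an added illustration, not Tokio's code and not part of the bug report. It models a minimal `ServerOptions`-style builder that keeps both settings in one flags word (an assumption about how such a defect arises, chosen because it reproduces the described symptom), shows the clobbering setter beside a corrected one that only touches the mode bits, and checks the advisory's workaround of calling `pipe_mode` first. The flag values mirror Win32's named-pipe constants; the builder type, method names `pipe_mode_clobbering`, `pipe_mode_fixed` and `rejects_remote_clients`, and the three check functions are constructed for this example.

```rust
// Added example (not tokio's ServerOptions): a toy builder that stores the
// pipe type, read mode and remote-client policy in a single u32, the way a
// CreateNamedPipe dwPipeMode argument is assembled. Flag values are Win32's.
const PIPE_TYPE_BYTE: u32 = 0x0;
const PIPE_TYPE_MESSAGE: u32 = 0x4;
const PIPE_READMODE_MESSAGE: u32 = 0x2;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x8;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PipeMode {
    Byte,
    Message,
}

/// Bits that describe only the pipe type / read mode, nothing else.
fn mode_bits(mode: PipeMode) -> u32 {
    match mode {
        PipeMode::Byte => PIPE_TYPE_BYTE,
        PipeMode::Message => PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
    }
}

#[derive(Clone, Copy, Debug)]
pub struct ServerOptions {
    pipe_mode: u32, // constructed stand-in for the combined dwPipeMode word
}

impl ServerOptions {
    pub fn new() -> Self {
        Self { pipe_mode: PIPE_TYPE_BYTE }
    }

    /// Sets or clears the reject-remote-clients bit without touching others.
    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        if reject {
            self.pipe_mode |= PIPE_REJECT_REMOTE_CLIENTS;
        } else {
            self.pipe_mode &= !PIPE_REJECT_REMOTE_CLIENTS;
        }
        self
    }

    /// Defective setter: assigns the whole word, so every flag set earlier
    /// (including PIPE_REJECT_REMOTE_CLIENTS) is silently dropped.
    pub fn pipe_mode_clobbering(&mut self, mode: PipeMode) -> &mut Self {
        self.pipe_mode = mode_bits(mode);
        self
    }

    /// Corrected setter: clears only the type/read-mode bits, then ORs in
    /// the new ones, so unrelated policy bits survive in either call order.
    pub fn pipe_mode_fixed(&mut self, mode: PipeMode) -> &mut Self {
        const MODE_MASK: u32 = PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE;
        self.pipe_mode = (self.pipe_mode & !MODE_MASK) | mode_bits(mode);
        self
    }

    pub fn rejects_remote_clients(&self) -> bool {
        self.pipe_mode & PIPE_REJECT_REMOTE_CLIENTS != 0
    }

    pub fn flags(&self) -> u32 {
        self.pipe_mode
    }
}

/// The advisory's bad ordering against the defective setter: the policy is lost.
pub fn vulnerable_ordering_rejects_remote() -> bool {
    let mut opts = ServerOptions::new();
    opts.reject_remote_clients(true).pipe_mode_clobbering(PipeMode::Message);
    opts.rejects_remote_clients() // false: reject_remote_clients was undone
}

/// The advisory's workaround: set pipe_mode first, then the policy.
pub fn workaround_ordering_rejects_remote() -> bool {
    let mut opts = ServerOptions::new();
    opts.pipe_mode_clobbering(PipeMode::Message).reject_remote_clients(true);
    opts.rejects_remote_clients() // true
}

/// Bad ordering against the corrected setter: policy survives, mode bits set.
pub fn fixed_setter_flags() -> u32 {
    let mut opts = ServerOptions::new();
    opts.reject_remote_clients(true).pipe_mode_fixed(PipeMode::Message);
    opts.flags() // 0xE = MESSAGE | READMODE_MESSAGE | REJECT_REMOTE_CLIENTS
}

fn main() {
    println!("clobbering setter, reject first: {}", vulnerable_ordering_rejects_remote());
    println!("clobbering setter, pipe_mode first: {}", workaround_ordering_rejects_remote());
    println!("fixed setter, reject first: {:#x}", fixed_setter_flags());
}
```

For a package maintainer the practical check is the ordering one: with an unpatched Tokio, any `ServerOptions` that calls `reject_remote_clients(true)` before `pipe_mode(...)` ends up accepting remote clients, and the exposure only matters where the pipe's path is reachable over SMB, as the advisory notes.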