Hi Fabian,

On Sat, Feb 14, 2026 at 10:40:49AM +0100, Fabian Grünbichler wrote:
> On Mon, 05 Jan 2026 17:38:15 +0100 Salvatore Bonaccorso <[email protected]>
> wrote:
> > Source: rust-gix-date
> > Version: 0.9.3-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/GitoxideLabs/gitoxide/issues/2305
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> >
> > Hi
> >
> > From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:
> > | The function gix_date::parse::TimeBuf::as_str can create an illegal
> > | string containing non-utf8 characters. This violates the safety
> > | invariant of TimeBuf and can lead to undefined behavior when consuming
> > | the string.
> > |
> > | The bug can be prevented by adding str::from_utf8 to the function
> > | TimeBuf::write.
>
> FWIW, upstream considers this a non-issue within the reference frame of
> gitoxide[0], for which this crate was packaged (it's used by cargo). As such,
> I think we can wait for the upgrade to 0.12 to happen naturally (which
> will still take a bit), and not consider this issue important.
>
> If you disagree, and want the Rust team to evaluate backporting the fix,
> please say so!

Yes sounds good, thank you. FWIW, we marked it as well no-dsa for trixie.

Regards,
Salvatore
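
The invariant the quoted advisory describes, as an added example that is not part of this mail thread and is not gix-date's code: a buffer whose `write` validates input with `str::from_utf8`, so that `as_str` can never expose non-UTF-8 bytes. `StampBuf`, its 32-byte capacity, `demo` and the sample timestamp are hypothetical; the unchecked conversion in `as_str` is an assumption about the kind of code the advisory refers to.

```rust
use std::io::{self, Write};

/// Hypothetical stand-in for a small time-formatting buffer (not gix-date's code).
/// Invariant: `buf[..len]` is always valid UTF-8.
pub struct StampBuf {
    buf: [u8; 32],
    len: usize,
}

impl StampBuf {
    pub fn new() -> Self {
        StampBuf { buf: [0; 32], len: 0 }
    }

    pub fn as_str(&self) -> &str {
        // SAFETY: `write` only appends chunks that passed `str::from_utf8`,
        // and a concatenation of valid UTF-8 strings is valid UTF-8.
        unsafe { std::str::from_utf8_unchecked(&self.buf[..self.len]) }
    }
}

impl Write for StampBuf {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        // The check the advisory asks for: refuse bytes that are not UTF-8
        // before they can reach the buffer.
        std::str::from_utf8(data)
            .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
        // Reject the whole chunk when it does not fit, so a multi-byte
        // character is never stored half-written.
        if data.len() > self.buf.len() - self.len {
            return Err(io::Error::new(io::ErrorKind::WriteZero, "buffer full"));
        }
        self.buf[self.len..self.len + data.len()].copy_from_slice(data);
        self.len += data.len();
        Ok(data.len())
    }

    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

/// Constructed demo: one valid write, then one invalid write that is rejected.
pub fn demo() -> (String, bool) {
    let mut b = StampBuf::new();
    b.write_all(b"1767631095 +0100").unwrap(); // constructed sample value
    let rejected = b.write(&[0xff, 0xfe]).is_err();
    (b.as_str().to_string(), rejected)
}

fn main() {
    println!("{:?}", demo());
}
```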

