[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
Both python-maturin and rust-cargo-vendor-filterer are failing to build due to updates to their dependencies in the Archive. The options were (1) to try and update their dependencies or (2) just mark them as Won't Fix. Since updating dependencies can break the packages in hard-to-predict ways, and since Questing will become unsupported in July, I'll mark those two packages as Won't Fix. ** Changed in: python-maturin (Ubuntu Questing) Status: New => Won't Fix ** Changed in: rust-cargo-vendor-filterer (Ubuntu Questing) Status: New => Won't Fix ** Changed in: python-maturin (Ubuntu) Status: New => Fix Released ** Changed in: rust-cargo-outdated (Ubuntu) Status: New => Fix Released ** Changed in: rust-cargo-vendor-filterer (Ubuntu) Status: New => Fix Released ** Changed in: rust-debcargo (Ubuntu) Status: New => Fix Released ** Changed in: rust-magic-wormhole-cli (Ubuntu) Status: New => Fix Released ** Changed in: rust-procs (Ubuntu) Status: New => Fix Released ** Changed in: rust-rebuildctl (Ubuntu) Status: New => Fix Released ** Changed in: rust-repro-env (Ubuntu) Status: New => Fix Released ** Changed in: sccache (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Changed in: elan (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: python-maturin (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: ripgrep-all (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-c (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-outdated (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-vendor-filterer (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-debcargo (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-magic-wormhole-cli (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-procs (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-rebuildctl (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-repro-env (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rustup (Ubuntu) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: elan (Ubuntu Jammy) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-debcargo (Ubuntu Jammy) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: elan (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: python-maturin (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-outdated (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-debcargo (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-repro-env (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rustup (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: sccache (Ubuntu Noble) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: elan (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: python-maturin (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-outdated (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-vendor-filterer (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-debcargo (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-magic-wormhole-cli (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-procs (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-rebuildctl (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-repro-env (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rustup (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: sccache (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: elan (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: python-maturin (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: ripgrep-all (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-outdated (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-cargo-vendor-filterer (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-debcargo (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-magic-wormhole-cli (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-procs (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-rebuildctl (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rust-repro-env (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: rustup (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: elan (Ubuntu) Status: New => Fix Released ** Changed in: ripgrep-all (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] h
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Changed in: warp (Ubuntu Questing) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: warp (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-rebuildctl - 0.25.0-3build1 --- rust-rebuildctl (0.25.0-3build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:26:19 -0300 ** Changed in: rust-repro-env (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package sccache - 0.13.0+ds-3build1 --- sccache (0.13.0+ds-3build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:27:25 -0300 ** Changed in: warp (Ubuntu Resolute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package warp - 0.9.2-7build1 --- warp (0.9.2-7build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:27:33 -0300 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-magic-wormhole-cli - 0.7.6-1build1 --- rust-magic-wormhole-cli (0.7.6-1build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:25:47 -0300 ** Changed in: rust-procs (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-repro-env - 0.4.3-4build1 --- rust-repro-env (0.4.3-4build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:26:27 -0300 ** Changed in: sccache (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-procs - 0.14.10-5build1 --- rust-procs (0.14.10-5build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:26:03 -0300 ** Changed in: rust-rebuildctl (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-debcargo - 2.8.2-1build1 --- rust-debcargo (2.8.2-1build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:24:59 -0300 ** Changed in: rust-magic-wormhole-cli (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-cargo-vendor-filterer - 0.5.16-0ubuntu3 --- rust-cargo-vendor-filterer (0.5.16-0ubuntu3) resolute; urgency=medium * Bump dependencies cargo-lock and cargo-metadata to re-enable builds (LP: #2148332) -- Ruan Comelli Tue, 21 Apr 2026 21:41:38 -0300 ** Changed in: rust-debcargo (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package rust-cargo-outdated - 0.17.0-2build1 --- rust-cargo-outdated (0.17.0-2build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:24:35 -0300 ** Changed in: rust-cargo-vendor-filterer (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package python-maturin - 1.9.4-5build1 --- python-maturin (1.9.4-5build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:24:10 -0300 ** Changed in: ripgrep-all (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package ripgrep-all - 0.10.10+dfsg-2build1 --- ripgrep-all (0.10.10+dfsg-2build1) resolute; urgency=medium * No-change rebuild to fix LP: #2148332 -- Ruan Comelli Wed, 15 Apr 2026 10:24:19 -0300 ** Changed in: rust-cargo-outdated (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
This bug was fixed in the package elan - 4.1.2-3.1ubuntu1 --- elan (4.1.2-3.1ubuntu1) resolute; urgency=medium * Bump dependency librust-dirs-5+default-dev with librust-dirs-6+default-dev to re-enable builds (LP: #2148332) -- Ruan Comelli Mon, 20 Apr 2026 14:48:45 -0300 ** Changed in: elan (Ubuntu Resolute) Status: New => Fix Released ** Changed in: python-maturin (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Changed in: warp (Ubuntu Resolute) Milestone: None => resolute-updates ** Changed in: sccache (Ubuntu Resolute) Milestone: None => resolute-updates ** Changed in: sccache (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) ** Changed in: warp (Ubuntu Resolute) Status: New => In Progress ** Changed in: warp (Ubuntu Resolute) Assignee: (unassigned) => Ruan Comelli (ruancomelli) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
The following rebuilds have now been published: Locating elan ... Publishing elan 3.1.1-6ubuntu0.1 to ubuntu/primary questing (Security)... Publishing elan 3.1.0-1ubuntu0.1 to ubuntu/primary noble (Security)... Publishing elan 1.3.1-3ubuntu0.1 to ubuntu/primary jammy (Security)... Locating python-maturin ... Publishing python-maturin 1.3.2-1ubuntu0.1 to ubuntu/primary noble (Security)... Locating rust-cargo-c ... Publishing rust-cargo-c 0.9.19-2ubuntu0.1 to ubuntu/primary noble (Security)... Locating rust-cargo-outdated ... Publishing rust-cargo-outdated 0.17.0-1ubuntu0.1 to ubuntu/primary questing (Security)... Publishing rust-cargo-outdated 0.14.0-2ubuntu0.1 to ubuntu/primary noble (Security)... Locating rust-debcargo ... Publishing rust-debcargo 2.7.11-1ubuntu0.1 to ubuntu/primary questing (Security)... Publishing rust-debcargo 2.6.1-5ubuntu0.1 to ubuntu/primary noble (Security)... Publishing rust-debcargo 2.5.0-2ubuntu0.2 to ubuntu/primary jammy (Security)... Locating rust-magic-wormhole-cli ... Publishing rust-magic-wormhole-cli 0.7.6-1ubuntu0.25.10.1 to ubuntu/primary questing (Security)... Locating rust-procs ... Publishing rust-procs 0.14.10-3ubuntu0.1 to ubuntu/primary questing (Security)... Locating rust-rebuildctl ... Publishing rust-rebuildctl 0.24.0-1ubuntu0.1 to ubuntu/primary questing (Security)... Locating rust-repro-env ... Publishing rust-repro-env 0.4.3-2ubuntu0.1 to ubuntu/primary questing (Security)... Publishing rust-repro-env 0.4.0-1ubuntu0.1 to ubuntu/primary noble (Security)... Locating rustup ... Publishing rustup 1.27.1-3ubuntu0.1 to ubuntu/primary questing (Security)... Publishing rustup 1.26.0-5ubuntu0.1 to ubuntu/primary noble (Security)... Locating sccache ... Publishing sccache 0.10.0-7ubuntu0.1 to ubuntu/primary questing (Security)... Publishing sccache 0.7.7-2ubuntu0.1 to ubuntu/primary noble (Security)... Locating warp ... Publishing warp 0.9.2-4ubuntu0.1 to ubuntu/primary questing (Security)... python-maturin and rust-cargo-vendor-filterer could not be rebuilt on questing due to dependency issues. ** Changed in: elan (Ubuntu Jammy) Status: New => Fix Released ** Changed in: elan (Ubuntu Noble) Status: New => Fix Released ** Changed in: elan (Ubuntu Questing) Status: New => Fix Released ** Changed in: python-maturin (Ubuntu Noble) Status: New => Fix Released ** Changed in: rust-cargo-c (Ubuntu) Status: New => Fix Released ** Changed in: rust-cargo-outdated (Ubuntu Noble) Status: New => Fix Released ** Changed in: rust-cargo-outdated (Ubuntu Questing) Status: New => Fix Released ** Changed in: rust-debcargo (Ubuntu Jammy) Status: New => Fix Released ** Changed in: rust-debcargo (Ubuntu Noble) Status: New => Fix Released ** Changed in: rust-debcargo (Ubuntu Questing) Status: New => Fix Released ** Changed in: rust-magic-wormhole-cli (Ubuntu Questing) Status: New => Fix Released ** Changed in: rust-procs (Ubuntu Questing) Status: New => Fix Released ** Changed in: rust-rebuildctl (Ubuntu Questing) Status: New => Fix Released ** Changed in: rust-repro-env (Ubuntu Noble) Status: New => Fix Released ** Changed in: rust-repro-env (Ubuntu Questing) Status: New => Fix Released ** Changed in: rustup (Ubuntu Noble) Status: New => Fix Released ** Changed in: rustup (Ubuntu Questing) Status: New => Fix Released ** Changed in: sccache (Ubuntu Noble) Status: New => Fix Released ** Changed in: sccache (Ubuntu Questing) Status: New => Fix Released ** Changed in: warp (Ubuntu Questing) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
A new rustup version was synced from Debian, and the build logs confirm that the patched librust-tar-0.4-dev version was pulled. ** Changed in: rustup (Ubuntu Resolute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Tags added: foundations-todo -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-upstream-ontologist (Ubuntu Questing) ** No longer affects: rust-syn-1 (Ubuntu Resolute) ** No longer affects: rust-syn-1 (Ubuntu Noble) ** No longer affects: rust-syn-1 (Ubuntu Questing) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-upstream-ontologist (Ubuntu Resolute) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-cargo (Ubuntu) ** Changed in: rust-cargo-c (Ubuntu) Milestone: None => noble-updates ** No longer affects: rust-cargo-test-support (Ubuntu) ** No longer affects: rust-dockworker (Ubuntu) ** No longer affects: rust-fomat-macros (Ubuntu) ** No longer affects: rust-cargo-test-support (Ubuntu Questing) ** No longer affects: rust-cargo (Ubuntu Jammy) ** No longer affects: rust-cargo (Ubuntu Noble) ** No longer affects: rust-cargo (Ubuntu Questing) ** No longer affects: rust-cargo (Ubuntu Resolute) ** No longer affects: rust-cargo-test-support (Ubuntu Resolute) ** No longer affects: rust-dockworker (Ubuntu Questing) ** No longer affects: rust-dockworker (Ubuntu Resolute) ** No longer affects: rust-gix (Ubuntu) ** No longer affects: rust-gix (Ubuntu Questing) ** No longer affects: rust-fomat-macros (Ubuntu Noble) ** No longer affects: rust-fomat-macros (Ubuntu Questing) ** No longer affects: rust-fomat-macros (Ubuntu Resolute) ** No longer affects: rust-gix (Ubuntu Resolute) ** No longer affects: rust-gix-archive (Ubuntu) ** No longer affects: rust-magic-wormhole (Ubuntu) ** No longer affects: rust-magic-wormhole (Ubuntu Resolute) ** No longer affects: rust-magic-wormhole (Ubuntu Questing) ** No longer affects: rust-gix-archive (Ubuntu Questing) ** No longer affects: rust-proc-macro2 (Ubuntu) ** No longer affects: rust-gix-archive (Ubuntu Resolute) ** No longer affects: rust-proc-macro2 (Ubuntu Questing) ** No longer affects: rust-python-pkginfo (Ubuntu) ** No longer affects: rust-ripasso (Ubuntu) ** No longer affects: rust-rust-unixfs (Ubuntu) ** No longer affects: rust-syn-1 (Ubuntu) ** No longer affects: rust-upstream-ontologist (Ubuntu) ** No longer affects: rust-proc-macro2 (Ubuntu Resolute) ** No longer affects: rust-python-pkginfo (Ubuntu Noble) ** No longer affects: rust-python-pkginfo (Ubuntu Questing) ** No longer affects: rust-python-pkginfo (Ubuntu Resolute) ** No longer affects: rust-ripasso (Ubuntu Noble) ** No longer affects: rust-ripasso (Ubuntu Questing) ** No longer affects: rust-ripasso (Ubuntu Resolute) ** No longer affects: rust-rust-unixfs (Ubuntu Noble) ** No longer affects: rust-rust-unixfs (Ubuntu Questing) ** No longer affects: rust-rust-unixfs (Ubuntu Resolute) ** No longer affects: rust-syn (Ubuntu Noble) ** No longer affects: rust-syn (Ubuntu Questing) ** No longer affects: rust-syn (Ubuntu Resolute) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-syn (Ubuntu Focal) ** No longer affects: rust-fomat-macros (Ubuntu Jammy) ** No longer affects: rust-syn (Ubuntu Jammy) ** No longer affects: rust-syn (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-libsodium-sys (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Tags added: patch resolute ** Merge proposal linked: https://code.launchpad.net/~ruancomelli/ubuntu/+source/python-maturin/+git/python-maturin/+merge/503734 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-python-pkginfo (Ubuntu Focal) ** No longer affects: rust-python-pkginfo (Ubuntu Jammy) ** No longer affects: rust-repro-env (Ubuntu Focal) ** No longer affects: rust-repro-env (Ubuntu Jammy) ** No longer affects: rust-ripasso (Ubuntu Focal) ** No longer affects: rust-ripasso (Ubuntu Jammy) ** No longer affects: rust-rust-unixfs (Ubuntu Focal) ** No longer affects: rust-rust-unixfs (Ubuntu Jammy) ** No longer affects: rust-syn-1 (Ubuntu Focal) ** No longer affects: rust-syn-1 (Ubuntu Jammy) ** No longer affects: rustup (Ubuntu Focal) ** No longer affects: rustup (Ubuntu Jammy) ** No longer affects: sccache (Ubuntu Focal) ** No longer affects: sccache (Ubuntu Jammy) ** No longer affects: rust-cargo-test-support (Ubuntu Focal) ** No longer affects: rust-cargo-test-support (Ubuntu Jammy) ** No longer affects: rust-cargo-test-support (Ubuntu Noble) ** No longer affects: rust-cargo-vendor-filterer (Ubuntu Focal) ** No longer affects: rust-cargo-vendor-filterer (Ubuntu Jammy) ** No longer affects: rust-cargo-vendor-filterer (Ubuntu Noble) ** No longer affects: rust-dockworker (Ubuntu Focal) ** No longer affects: rust-dockworker (Ubuntu Jammy) ** No longer affects: rust-dockworker (Ubuntu Noble) ** No longer affects: rust-gix (Ubuntu Focal) ** No longer affects: rust-gix (Ubuntu Jammy) ** No longer affects: rust-gix (Ubuntu Noble) ** No longer affects: rust-gix-archive (Ubuntu Focal) ** No longer affects: rust-gix-archive (Ubuntu Jammy) ** No longer affects: rust-gix-archive (Ubuntu Noble) ** No longer affects: rust-magic-wormhole (Ubuntu Focal) ** No longer affects: rust-magic-wormhole (Ubuntu Jammy) ** No longer affects: rust-magic-wormhole (Ubuntu Noble) ** No longer affects: rust-magic-wormhole-cli (Ubuntu Focal) ** No longer affects: rust-magic-wormhole-cli (Ubuntu Jammy) ** No longer affects: rust-magic-wormhole-cli (Ubuntu Noble) ** No longer affects: rust-proc-macro2 (Ubuntu Focal) ** No longer affects: rust-proc-macro2 (Ubuntu Jammy) ** No longer affects: rust-proc-macro2 (Ubuntu Noble) ** No longer affects: rust-procs (Ubuntu Focal) ** No longer affects: rust-procs (Ubuntu Jammy) ** No longer affects: rust-procs (Ubuntu Noble) ** No longer affects: rust-rebuildctl (Ubuntu Focal) ** No longer affects: rust-rebuildctl (Ubuntu Jammy) ** No longer affects: rust-rebuildctl (Ubuntu Noble) ** No longer affects: rust-upstream-ontologist (Ubuntu Focal) ** No longer affects: rust-upstream-ontologist (Ubuntu Jammy) ** No longer affects: rust-upstream-ontologist (Ubuntu Noble) ** No longer affects: warp (Ubuntu Focal) ** No longer affects: warp (Ubuntu Jammy) ** No longer affects: warp (Ubuntu Noble) ** No longer affects: ripgrep-all (Ubuntu Focal) ** No longer affects: ripgrep-all (Ubuntu Jammy) ** No longer affects: ripgrep-all (Ubuntu Noble) ** No longer affects: ripgrep-all (Ubuntu Questing) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** No longer affects: rust-libsodium-sys (Ubuntu) ** Also affects: rust-libsodium-sys (Ubuntu) Importance: Undecided Status: New ** No longer affects: rust-libsodium-sys (Ubuntu Noble) ** No longer affects: rust-libsodium-sys (Ubuntu Questing) ** No longer affects: rust-libsodium-sys (Ubuntu Resolute) ** No longer affects: rust-cargo (Ubuntu Focal) ** No longer affects: rust-debcargo (Ubuntu Focal) ** No longer affects: rust-fomat-macros (Ubuntu Focal) ** Also affects: rust-cargo-c (Ubuntu) Importance: Undecided Status: New ** No longer affects: rust-cargo-outdated (Ubuntu Focal) ** No longer affects: rust-cargo-outdated (Ubuntu Jammy) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Also affects: rust-cargo-outdated (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-cargo-test-support (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-cargo-vendor-filterer (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-debcargo (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-dockworker (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-fomat-macros (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-gix (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-gix-archive (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-magic-wormhole (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-magic-wormhole-cli (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-proc-macro2 (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-procs (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-python-pkginfo (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-rebuildctl (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-repro-env (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-ripasso (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-rust-unixfs (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-syn (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-syn-1 (Ubuntu) Importance: Undecided Status: New ** Also affects: rust-upstream-ontologist (Ubuntu) Importance: Undecided Status: New ** Also affects: rustup (Ubuntu) Importance: Undecided Status: New ** Also affects: sccache (Ubuntu) Importance: Undecided Status: New ** Also affects: warp (Ubuntu) Importance: Undecided Status: New ** No longer affects: elan (Ubuntu Focal) ** No longer affects: python-maturin (Ubuntu Focal) ** No longer affects: python-maturin (Ubuntu Jammy) ** Also affects: rust-libsodium-sys (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2148332] Re: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
** Also affects: ripgrep-all (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2148332 Title: CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elan/+bug/2148332/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
