Hey Everyone,
I came across CVE-2023-40030 (NVD - cve-2023-40030). As described in NVD and a few other sites, can we conclude that Rust 1.72 and higher are not impacted?
jofas
January 21, 2025, 9:26am
Yes. You can find more about the vulnerability here:
and the fix here:
rust-lang:master
← ehuss:feature-name-error
opened 06:36PM - 20 Jun 23 UTC
This converts the feature name validation check from a warning to an error. This was added in #8814 in Rust 1.49 released on 2020-12-31 (about 2.5 years ago) with a warning that it will become a hard error in the future.
These extended characters aren't allowed on crates.io, so this should only impact users of other registries, or people who don't publish to a registry. The warning message requested anyone impacted by it to let us know. We got one report, and added support for `.` as a result. Since there weren't any other reports, I think it should be pretty safe to move forward.
The diff here is a little large because it removes the pass-through of `config` since it isn't needed anymore.
Additionally, the tests were restructured since testing every edge case in an integration test has a lot of overhead. Instead, there is now a unit test which runs much faster, with the integration test just verifying that it fires and checks the two forms of error messages.
Closes #8813