We have a security advisory for rustdoc today. Please read and share widely:
The plugin infrastructure predates 1.0 and is not usable on stable or nightly Rust today. Its removal should not impact any Rust users.
Best kind of security bug
Also, kudos for the nicely-phrased “no, Rust doesn’t prevent all bugs” paragraph
Love the way this disclosure is being handled. Kudos to everyone involved.
Excellent handling! Good that you use this low-risk incident as a “dress rehearsal”!
… Rust’s first official CVE, this is somewhat of a milestone for us …
I say we print an award certificate, proudly displaying the CVE number, on heavy cardstock and post it to the RedHat reporter: “I discovered Rust’s first official CVE”
(After all, aren’t all milestones worth celebrating?)
(btw: This seems like a really good week for Rust, security-wise; first we get the report that the Actix-web-apocalypse has cleaned up practically all their unsafes, and now our first CVE is handled with such finesse; that’s quite an exemplary performance by the Rust community!)