rpm package
opensuse/cargo-c&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/cargo-c&distro=openSUSE%20Tumbleweed
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25727 | — | < 0.10.15-2.1 | 0.10.15-2.1 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used | ||
| CVE-2025-58160 | Low | — | < 0.10.3~git0.ee7d7ef-4.1 | 0.10.3~git0.ee7d7ef-4.1 | Aug 29, 2025 | tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i | |
| CVE-2024-12224 | — | < 0.10.3~git0.ee7d7ef-4.1 | 0.10.3~git0.ee7d7ef-4.1 | May 30, 2025 | Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. | ||
| CVE-2025-4574 | Med | 6.5 | < 0.10.3~git0.ee7d7ef-4.1 | 0.10.3~git0.ee7d7ef-4.1 | May 13, 2025 | In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption. | |
| CVE-2025-3416 | Low | 3.7 | < 0.10.3~git0.ee7d7ef-3.1 | 0.10.3~git0.ee7d7ef-3.1 | Apr 8, 2025 | A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string. | |
| CVE-2024-45405 | Med | 6.0 | < 0.10.3~git0.ee7d7ef-2.1 | 0.10.3~git0.ee7d7ef-2.1 | Sep 6, 2024 | `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolv | |
| CVE-2021-45710 | — | < 0.8.1~git0.cce1b08-2.1 | 0.8.1~git0.cce1b08-2.1 | Dec 26, 2021 | An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption. | ||
| CVE-2018-25023 | — | < 0.8.1~git0.cce1b08-2.1 | 0.8.1~git0.cce1b08-2.1 | Dec 26, 2021 | An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type. |
- CVE-2026-25727Feb 6, 2026affected < 0.10.15-2.1fixed 0.10.15-2.1
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used
- affected < 0.10.3~git0.ee7d7ef-4.1fixed 0.10.3~git0.ee7d7ef-4.1
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i
- CVE-2024-12224May 30, 2025affected < 0.10.3~git0.ee7d7ef-4.1fixed 0.10.3~git0.ee7d7ef-4.1
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- affected < 0.10.3~git0.ee7d7ef-4.1fixed 0.10.3~git0.ee7d7ef-4.1
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
- affected < 0.10.3~git0.ee7d7ef-3.1fixed 0.10.3~git0.ee7d7ef-3.1
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
- affected < 0.10.3~git0.ee7d7ef-2.1fixed 0.10.3~git0.ee7d7ef-2.1
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolv
- CVE-2021-45710Dec 26, 2021affected < 0.8.1~git0.cce1b08-2.1fixed 0.8.1~git0.cce1b08-2.1
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
- CVE-2018-25023Dec 26, 2021affected < 0.8.1~git0.cce1b08-2.1fixed 0.8.1~git0.cce1b08-2.1
An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type.