HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
References
https:…
Impact
According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The Envoy proxy will route the request hostname in a case-insensiti…
ディスプレイのサイズ以外に、AppleがMacBook Proの各モデルで差別化していたのは搭載され…
Affected versions of the pnet crate were optimized out by compiler, which caused dereference of uninitialized file descriptor which caused segfault.
References
https://github.com/libpnet/libpnet/issues/449
https://github.com/libpnet/libpnet/pull/455
h…
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-38511
https://github.com/al…
Overview
Version 1.2.1 of the libpulse-binding Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenl…
Impact
Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. rand_core::BlockRng::next_u64 and rand_core::BlockRng::fill_bytes are affected.
Patches
The flaw was corrected by Ral…
Impact
Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.
Depending on the implementation (original sendmail, postfix, exim…
An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. It does not enforce any constraints in the FieldVar::mul_by_inverse method. Thus, a prover can produce a proof that is unsound but is nonetheless verified.
References
https://nvd…
An issue was discovered in the prost-types crate before 0.8.0 for Rust. An overflow can occur during conversion from Timestamp to SystemTime.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-38192
https://github.com/tokio-rs/prost/issues/438
https…
