Bug#1103988: marked as done (rust-tokio: RUSTSEC-2025-0023: Broadcast channel calls clone in parallel, but does not require Sync)

[Debian Bug Tracking System]

Your message dated Wed, 23 Apr 2025 16:50:15 +0000
with message-id <e1u7did-00dhbt...@fasolo.debian.org>
and subject line Bug#1103988: fixed in rust-tokio 1.43.1-1
has caused the Debian Bug report #1103988,
regarding rust-tokio: RUSTSEC-2025-0023: Broadcast channel calls clone in 
parallel, but does not require Sync
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103988
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: rust-tokio
Version: 1.43.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tokio-rs/tokio/pull/7232
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi

As reported in https://github.com/tokio-rs/tokio/pull/7232 and
https://rustsec.org/advisories/RUSTSEC-2025-0023.html:

| The broadcast channel internally calls clone on the stored value when
| receiving it, and only requires T:Send. This means that using the
| broadcast channel with values that are Send but not Sync can trigger
| unsoundness if the clone implementation makes use of the value being
| !Sync.

iegards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: rust-tokio
Source-Version: 1.43.1-1
Done: NoisyCoil <noisyc...@tutanota.com>

We believe that the bug you reported is fixed in the latest version of
rust-tokio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
NoisyCoil <noisyc...@tutanota.com> (supplier of updated rust-tokio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Apr 2025 18:34:38 +0200
Source: rust-tokio
Architecture: source
Version: 1.43.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers 
<pkg-rust-maintain...@alioth-lists.debian.net>
Changed-By: NoisyCoil <noisyc...@tutanota.com>
Closes: 1103988
Changes:
 rust-tokio (1.43.1-1) unstable; urgency=medium
 .
   * Team upload.
   * Package tokio 1.43.1 from crates.io using debcargo 2.7.8
   * Fix RUSTSEC-2025-0023 (Closes: #1103988)
   * d/patches: refresh
Checksums-Sha1:
 7074cdfd6bd3d7fd65e107377c795957c8fc50e7 2785 rust-tokio_1.43.1-1.dsc
 4f121bb4b0fa4ccaede951bfde210e8a0d68524b 828219 rust-tokio_1.43.1.orig.tar.gz
 ea57803e5cdae347b4c7d099fd46424881271c49 9216 rust-tokio_1.43.1-1.debian.tar.xz
 329c781e7fef39446289039dee8b5a37cddb0032 8044 
rust-tokio_1.43.1-1_source.buildinfo
Checksums-Sha256:
 a57f9faea3d844a8e92a39b675964989207e2df0dfcf7723adaa1bd5bd02e3e3 2785 
rust-tokio_1.43.1-1.dsc
 492a604e2fd7f814268a378409e6c92b5525d747d10db9a229723f55a417958c 828219 
rust-tokio_1.43.1.orig.tar.gz
 5c8abb0e0ce3acbe2be194973eff5ff8a998c9fb9cc373a2e0d83df4ee847546 9216 
rust-tokio_1.43.1-1.debian.tar.xz
 9f4721d7d0cad2581a70b9a200a9ee14cf8fe6479c3d0313960e7b5ecee08f97 8044 
rust-tokio_1.43.1-1_source.buildinfo
Files:
 6dc936788e138e3d00a3485bd626ea5a 2785 rust optional rust-tokio_1.43.1-1.dsc
 dfdd43680c9581d273417b4429d0f2ab 828219 rust optional 
rust-tokio_1.43.1.orig.tar.gz
 7a0ef2770a515e9ccdfd06951e00914c 9216 rust optional 
rust-tokio_1.43.1-1.debian.tar.xz
 d76f894722d2901550a662139e26b07e 8044 rust optional 
rust-tokio_1.43.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJVBAEBCgA/FiEEbdkGe7ToK0Amc9ppdh5TKjcTRTAFAmgJFqYhHGRlYmlhbkBm
YWJpYW4uZ3J1ZW5iaWNobGVyLmVtYWlsAAoJEHYeUyo3E0UwVVYQAJnks5d/JUHw
OX7OGMvAzVKfTJUvSkAay+KrgKTyWOx8WzVLRx/AXCnJIXngLbxqs1ThADChONfn
KC9rW2AzafJYM2iOiyptBwu8nh+zjOIXViUElg/HwOzcirP9hOTo6oCBSycYudmv
fSIt8RpHUlKELBhOEpZGAxC52B60ro6xAuYbm3vVH4ZoyMdE0mViG2NAEwiULWE6
cUMbfaZFtwXi1sI0iAGXfPEwVzK/5KyvNCcMFE/achMmQfulkXJTmO5v8LCjl7+C
tYTXr0z12M25YA5aTnjhWJDUmVNQ/C+qUaqvj54gLhJHwWnpTX0N8OCARj7UB+ev
yCpQcN/hyhE9wTGAvt7UcOhnzn9R5ZYwvTMeoqOI8KERBtnFDQmWhTx4cETWlIJ8
4hppYZW1PEpCZv3tC1GkdyzjaB7JWUsL2iQp/caAoG7JS5dQi7aJ5nEN/nuVZUKu
Zw55/LCEWBWq31kcjRJBWS6QIDTPQPEbihH+3LoWfRrjCQXIIzlV8FsGCbAN/DPp
GNoa+zmBfqKQ9pT2n/tC4IYUutdpTrcX6KGzoz6rhb+megk78LaRSpUWpSAmfZNT
e+IoVKFCT7A5573rqEmCHuJ5JuJwnC0LLanxE2EkCZ3jKzXuO5CF+dZj/YxNf2vw
+KWJqRGcrsjfEPZawSI4rkucdwOOIdXP
=bx1s
-----END PGP SIGNATURE-----

pgp7kSIQ08eyw.pgp
Description: PGP signature

--- End Message ---