Your message dated Tue, 22 Apr 2025 17:05:55 +0000
with message-id <e1u7h4f-008lbt...@fasolo.debian.org>
and subject line Bug#1103628: fixed in rust-gix-features 0.39.1-2
has caused the Debian Bug report #1103628,
regarding rust-gix-features: CVE-2025-31130 / RUSTSEC-2025-0021
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rust-gix-features
Version: 0.39.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for rust-gix-features.

CVE-2025-31130[0]:
| gitoxide is an implementation of git written in Rust. Before 0.42.0,
| gitoxide uses SHA-1 hash implementations without any collision
| detection, leaving it vulnerable to hash collision attacks. gitoxide
| uses the sha1_smol or sha1 crate, both of which implement standard
| SHA-1 without any mitigations for collision attacks. This means that
| two distinct Git objects with colliding SHA-1 hashes would break the
| Git object model and integrity checks when used with gitoxide. This
| vulnerability is fixed in 0.42.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31130
    https://www.cve.org/CVERecord?id=CVE-2025-31130
[1] https://rustsec.org/advisories/RUSTSEC-2025-0021.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rust-gix-features
Source-Version: 0.39.1-2
Done: Fabian Grünbichler <debian@fabian.gruenbichler.email>

We believe that the bug you reported is fixed in the latest version of
rust-gix-features, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Grünbichler <debian@fabian.gruenbichler.email> (supplier of updated rust-gix-features package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 22 Apr 2025 18:47:48 +0200
Source: rust-gix-features
Architecture: source
Version: 0.39.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net>
Changed-By: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Closes: 1103628
Changes:
rust-gix-features (0.39.1-2) unstable; urgency=medium
.
* Team upload.
* Package gix-features 0.39.1 from crates.io using debcargo 2.7.8
* Backport fix for CVE-2025-31130 (Closes: #1103628)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---