Summary
The rand 0.8.6 transitive vulnerability tracked in #144 also applies to the v4
workspace. Rustls-webpki on v4 is already at 0.103.13 (patched), so this issue
covers the rand portion only.
rand 0.8.6 (transitive)
CVE: Unsoundness with custom logger using rand::rng() (affects 0.9.x /
0.10.x series; 0.8.x is a separate semver series).
Status in v4 (v4/Cargo.lock):
rand 0.9.4 — present (no action needed)
rand 0.8.6 — present transitively, blocked on upstream
Root cause: Several upstream crates still depend on rand 0.8:
| Crate | Version | Status |
|---|---|---|
| age | 0.11.2 | No 0.12 release yet that upgrades to rand 0.9+ |
| tera | 1.20.1 | Latest 1.x still uses rand 0.8 |
| phf_generator | 0.11.3 | Latest 0.11 still uses rand 0.8 |
Workaround: None at project level. Monitor upstream for new major versions.
Action needed
age, tera, and/or phf release versions using rand 0.9+
Related