Auto merge of #12550 - weihanglo:CVE-2023-40030, r=epage

changelog: add link to CVE-2023-40030 * add link to CVE-2023-40030 for 1.72 * add 🚨 emoji for all CVE entries [Rendered](https://github.com/rust-lang/cargo/blob/4b51b27d0a2d9d0ff50e286e08747ba53cc7fb45/CHANGELOG.md)
rust-lang · Aug 24, 2023 · 8c08800 · 8c08800
2 parents 3581425 + 4b51b27
commit 8c08800
Showing 1 changed file with 9 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -191,10 +191,11 @@
 
 ### Changed
 
-- ❗ Turned feature name validation check to a hard error. The warning was
-  added in Rust 1.49. These extended characters aren't allowed on crates.io, so
-  this should only impact users of other registries, or people who don't publish
-  to a registry.
+- 🚨 [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p):
+  Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports.
+  To mitigate this, feature name validation check is now turned into a hard error.
+  The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io,
+  so this should only impact users of other registries, or people who don't publish to a registry.
   [#12291](https://github.com/rust-lang/cargo/pull/12291)
 - Cargo now warns when an edition 2021 package is in a virtual workspace and
   `workspace.resolver` is not set. It is recommended to set the resolver
@@ -325,7 +326,7 @@
 
 ### Fixed
 
-- [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
+- 🚨 [CVE-2023-38497](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87):
   Cargo 1.71.1 or later respects umask when extracting crate archives. It also
   purges the caches it tries to access if they were generated by older Cargo versions.
 
@@ -1004,7 +1005,7 @@
 ## Cargo 1.66.1 (2023-01-10)
 
 ### Fixed
-- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
+- 🚨 [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
   Added validation of SSH host keys for git URLs.
   See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys.
 
@@ -1230,11 +1231,11 @@
 
 ### Fixed
 
-- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
+- 🚨 [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
   Extracting malicious crates can corrupt arbitrary files.
   [#11089](https://github.com/rust-lang/cargo/pull/11089)
   [#11088](https://github.com/rust-lang/cargo/pull/11088)
-- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
+- 🚨 [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
   Extracting malicious crates can fill the file system.
   [#11089](https://github.com/rust-lang/cargo/pull/11089)
   [#11088](https://github.com/rust-lang/cargo/pull/11088)