Upgrade version of gix-transport to fix security vulnerability
Summary:
When trying to vendor-in a new crate, I saw the following text about a vulnerability regarding the version of `gix-transport` that we use:
```
VULNERABILITY RUSTSEC-2023-0064 - 2023-09-23: gix-transport code execution vulnerability
Package: gix-transport 0.34.2
The `gix-transport` crate prior to the patched version 0.36.1 would allow attackers to
use malicious ssh clone URLs to pass arbitrary arguments to the `ssh` program, leading
to arbitrary code execution.
PoC: `gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'`
This will launch a calculator on OSX.
```

This diff tries to update the version so we don't have to deal with this vulnerability.

Reviewed By: liubov-dmitrieva

Differential Revision: D53223416

fbshipit-source-id: d1a11eea9d6f22d1fdfe53aa6d3c37fd8b4e6d3c
RajivTS authored and facebook-github-bot committed Jan 30, 2024
1 parent 66cf0b3 commit 00ce09a
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions Cargo.lock
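The advisory quoted in the commit message describes an argument-injection pattern: the authority part of an `ssh://` URL is handed to the `ssh` binary as an argument, so a "host" beginning with `-` is parsed as an option. The following is an added example, not code from gitoxide or from this commit, of the two defensive checks a transport layer can apply before spawning `ssh`: reject any URL-derived target that starts with `-`, and place a `--` separator before the target so that `ssh`'s option parsing ends regardless. It assumes the simple `ssh://[user@]host[:port]/path` URL form and does not handle bracketed IPv6 hosts.

```rust
// Added example (not gitoxide code): validating an ssh clone URL before it
// reaches the `ssh` command line. Only the `ssh://[user@]host[:port]/path`
// form is handled; bracketed IPv6 hosts are an assumption we do not cover.

#[derive(Debug, PartialEq)]
pub enum UrlError {
    NotSsh,
    MissingHost,
    /// The authority would be parsed by `ssh` as a command-line option.
    LooksLikeOption(String),
}

/// Extract the `user@host` target from an `ssh://` URL, refusing anything
/// that `ssh` would interpret as an option rather than a destination.
pub fn ssh_target(url: &str) -> Result<String, UrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(UrlError::NotSsh)?;
    // The authority is everything up to the first '/' of the path.
    let authority = rest.split('/').next().unwrap_or("");
    // Drop an optional `:port` suffix; ssh gets the port separately.
    let target = authority
        .rsplit_once(':')
        .map(|(user_host, _port)| user_host)
        .unwrap_or(authority);
    if target.is_empty() {
        return Err(UrlError::MissingHost);
    }
    // `user@host` travels to ssh as a single argv element, so a leading '-'
    // anywhere at its start turns the whole thing into an option such as
    // `-oProxyCommand=...`, which is the pattern the advisory describes.
    if target.starts_with('-') {
        return Err(UrlError::LooksLikeOption(target.to_string()));
    }
    Ok(target.to_string())
}

/// Build the argv for invoking ssh. The `--` separator is a second,
/// independent layer: OpenSSH uses getopt, so everything after `--` is an
/// operand even if the URL check above were bypassed.
pub fn ssh_argv(target: &str, remote_command: &str) -> Vec<String> {
    vec![
        "ssh".to_string(),
        "--".to_string(),
        target.to_string(),
        remote_command.to_string(),
    ]
}

fn main() {
    // Constructed sample inputs: one benign URL and the shape from the advisory.
    for url in [
        "ssh://git@example.com:22/org/repo.git",
        "ssh://-oProxyCommand=open$IFS-aCalculator/foo",
    ] {
        match ssh_target(url) {
            Ok(t) => println!("{url} -> {:?}", ssh_argv(&t, "git-upload-pack 'org/repo.git'")),
            Err(e) => println!("{url} -> rejected: {e:?}"),
        }
    }
}
```

The URL check is the one that produces an actionable error for the user; the `--` separator costs nothing and protects against any future parsing gap, which is why both belong in a transport layer rather than relying on either alone.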
