CVE-2022-24713
regex is a crate with built-in mitigations to prevent DoS attacks caused by untrusted regexes or by untrusted input matched against trusted regexes.
As soon as the fix lands in all Rust sub-releases, users can safely upgrade to the latest version of regex. We suggest avoiding user-controlled, untrusted regexes until the issue is resolved. The latest version of the regex crate can be found on Cargo.lock with the following commit message:
What to do if you're using a user-controlled, untrusted regex
In order to reduce the risk of unexpected behavior, we recommend all users to update to the latest version of the regex crate.
Upgrade to latest version using nightly build
If you're on a nightly build, use the following commands to compile your own version of regex:
rustup component add rust-lang-ci/rust-std-libs/rust-regex
rustup component add rust-lang/nightly
If you are using a user-controlled, untrusted regex and have upgraded to the latest version of regex, you can safely use it again.
Not yet published
This issue was discovered by Remi Coulom. Thank you Remi for reporting it! The fix is currently being considered for Rust 1.30, but we'll update this announcement when the 1.30-release train leaves the station. We recommend that all users update to the latest version as soon.
Timeline
Published on: 03/08/2022 19:15:00 UTC
Last modified on: 08/10/2022 20:15:00 UTC
References
- https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
- https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
- https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/
- https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html
- https://www.debian.org/security/2022/dsa-5113
- https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html
- https://www.debian.org/security/2022/dsa-5118
- https://security.gentoo.org/glsa/202208-14
- https://security.gentoo.org/glsa/202208-08
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24713