CVE-2019-16760 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-16760 Interim 1 15 2025-05-17T02:31:55Z current 2021-05-30T14:31:57Z 2025-05-17T02:31:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-16760 Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SP1 cargo clippy rls rust rust-analysis rust-gdb rust-src rust-std rust-std-static rustfmt cargo as a component of SUSE Linux Enterprise Module for Development Tools 15 clippy as a component of SUSE Linux Enterprise Module for Development Tools 15 rls as a component of SUSE Linux Enterprise Module for Development Tools 15 rust as a component of SUSE Linux Enterprise Module for Development Tools 15 rust-analysis as a component of SUSE Linux Enterprise Module for Development Tools 15 rust-gdb as a component of SUSE Linux Enterprise Module for Development Tools 15 rust-src as a component of SUSE Linux Enterprise Module for Development Tools 15 rust-std as a component of SUSE Linux Enterprise Module for Development Tools 15 rust-std-static as a component of SUSE Linux Enterprise Module for Development Tools 15 rustfmt as a component of SUSE Linux Enterprise Module for Development Tools 15 cargo as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 clippy as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rls as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rust as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rust-analysis as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rust-src as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rust-std-static as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 rustfmt as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue. CVE-2019-16760 SUSE Linux Enterprise Module for Development Tools 15 SP1:cargo SUSE Linux Enterprise Module for Development Tools 15 SP1:clippy SUSE Linux Enterprise Module for Development Tools 15 SP1:rls SUSE Linux Enterprise Module for Development Tools 15 SP1:rust SUSE Linux Enterprise Module for Development Tools 15 SP1:rust-analysis SUSE Linux Enterprise Module for Development Tools 15 SP1:rust-src SUSE Linux Enterprise Module for Development Tools 15 SP1:rust-std-static SUSE Linux Enterprise Module for Development Tools 15 SP1:rustfmt SUSE Linux Enterprise Module for Development Tools 15:cargo SUSE Linux Enterprise Module for Development Tools 15:clippy SUSE Linux Enterprise Module for Development Tools 15:rls SUSE Linux Enterprise Module for Development Tools 15:rust SUSE Linux Enterprise Module for Development Tools 15:rust-analysis SUSE Linux Enterprise Module for Development Tools 15:rust-gdb SUSE Linux Enterprise Module for Development Tools 15:rust-src SUSE Linux Enterprise Module for Development Tools 15:rust-std SUSE Linux Enterprise Module for Development Tools 15:rust-std-static SUSE Linux Enterprise Module for Development Tools 15:rustfmt moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N