Rust security update -- which selection to take

tckosvic · July 6, 2023, 3:00pm

Installed rust language components as a learning experience. Zypper has a security update patch for rust that to me, has a confusing list of options. See below:

tom@mydesktop:~> sudo zypper patch
[sudo] password for root: 
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed rustup-1.26.0~0-150400.3.7.1.x86_64 conflicts with 'rust+rustc' provided by the installed rust1.70-1.70.0-150400.9.3.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of rust1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo-1.70.0-150400.24.18.1.x86_64
  deinstallation of cargo-auditable-0.5.2~0-150300.7.3.1.x86_64
  deinstallation of cargo-packaging-1.2.0+0-150400.3.3.1.x86_64
  deinstallation of rust-1.70.0-150400.24.18.1.x86_64
 Solution 2: deinstallation of rustup-1.24.3~git1.0a74fef5-150400.3.4.1.x86_64
 Solution 3: do not install patch:openSUSE-SLE-15.5-2023-2603-1.noarch

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): c
tom@mydesktop:~>

I am not sure what these messages are trying to say and what path to take. Not a major issue but would like to hear an opinion.

thanks, tom kosvic

hcvv · July 6, 2023, 4:18pm

From the OSS repo?

Bit confused. I have 15.4 and the version of rustup is now

rustup-1.26.0~0-150400.3.7.1

And that is the one it wants to install (allthouh you say you have openSUSE 15.5). But you have

1.70-1.70.0-150400.9.3.1

Thus my question where you got it from.

Sauerland · July 6, 2023, 4:35pm

LANG=C zypper info -t patch openSUSE-SLE-15.4-2023-2603
Loading repository data...
Reading installed packages...


Information for patch openSUSE-SLE-15.4-2023-2603:
--------------------------------------------------
Repository  : Update repository with updates from SUSE Linux Enterprise 15
Name        : openSUSE-SLE-15.4-2023-2603
Version     : 1
Arch        : noarch
Vendor      : maint-coord@suse.de
Status      : not needed
Category    : security
Severity    : moderate
Created On  : Thu Jun 22 09:48:26 2023
Interactive : ---
Summary     : Security update for rustup
Description : 
    This update for rustup fixes the following issues:

    - CVE-2022-31394: Fixed possible HTTP2 attacks by specifying the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE (bsc#1208552).
    - CVE-2023-26964: Fixed high memory and CPU usage when stream stacking occurs when H2 processes HTTP2 RST_STREAM frames (bsc#1210345).
Provides    : patch:openSUSE-SLE-15.4-2023-2603 = 1
Conflicts   : [4]
    srcpackage:rustup < 1.26.0~0-150400.3.7.1
    rustup.noarch < 1.26.0~0-150400.3.7.1
    rustup.x86_64 < 1.26.0~0-150400.3.7.1
    rustup.aarch64 < 1.26.0~0-150400.3.7.1

LANG=C zypper se -si rust cargo
Loading repository data...
Reading installed packages...

S  | Name      | Type    | Version                           | Arch   | Repository
---+-----------+---------+-----------------------------------+--------+-------------------------------------------------------------
i  | cargo     | package | 1.70.0-150400.24.18.1             | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | cargo1.70 | package | 1.70.0-150400.9.3.1               | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | rust      | package | 1.70.0-150400.24.18.1             | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i+ | rust1.70  | package | 1.70.0-150400.9.3.1               | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i+ | rustup    | package | 1.24.3~git1.0a74fef5-150400.3.4.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15

LANG=C zypper patch
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed rustup-1.26.0~0-150400.3.7.1.x86_64 conflicts with 'rust+rustc' provided by the installed rust1.70-1.70.0-150400.9.3.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of rust1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo-1.70.0-150400.24.18.1.x86_64
  deinstallation of rust-1.70.0-150400.24.18.1.x86_64
 Solution 2: deinstallation of rustup-1.24.3~git1.0a74fef5-150400.3.4.1.x86_64
 Solution 3: do not install patch:openSUSE-SLE-15.4-2023-2603-1.noarch

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 
Resolving dependencies...
Resolving package dependencies...

The following NEW patch is going to be installed:
  openSUSE-SLE-15.4-2023-2603

The following package is going to be REMOVED:
  rustup

1 package to remove.
After the operation, 8.0 MiB will be freed.
Continue? [y/n/v/...? shows all options] (y): 

Checking for file conflicts: ...............................................................................................................................................................................[done]
(1/1) Removing rustup-1.24.3~git1.0a74fef5-150400.3.4.1.x86_64 .............................................................................................................................................[done]
There are running programs which still use files and libraries deleted or updated by recent upgrades. They should be restarted to benefit from the latest updates. Run 'zypper ps -s' to list these programs.
 
Since the last system boot core libraries or services have been updated.
Reboot is suggested to ensure that your system benefits from these updates.

Solution 2

And now no rustup

LANG=C zypper se -si rust cargo
Loading repository data...
Reading installed packages...

S  | Name      | Type    | Version               | Arch   | Repository
---+-----------+---------+-----------------------+--------+-------------------------------------------------------------
i  | cargo     | package | 1.70.0-150400.24.18.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | cargo1.70 | package | 1.70.0-150400.9.3.1   | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | rust      | package | 1.70.0-150400.24.18.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i+ | rust1.70  | package | 1.70.0-150400.9.3.1   | x86_64 | Update repository with updates from SUSE Linux Enterprise 15

Installing it:

LANG=C zypper in rustup
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed rustup-1.26.0~0-150400.3.7.1.x86_64 conflicts with 'rust+rustc' provided by the installed rust1.70-1.70.0-150400.9.3.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of rust1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo-1.70.0-150400.24.18.1.x86_64
  deinstallation of rust-1.70.0-150400.24.18.1.x86_64
 Solution 2: do not install rustup-1.26.0~0-150400.3.7.1.x86_64

Choose from above solutions by number or cancel [1/2/c/d/?] (c):

Bugreport?

hcvv · July 6, 2023, 4:39pm

Sorry, but I do not understand. The OP says he is using openSUSE 15.5, but I see 15.4 (or 1504) all over the place.

Sauerland · July 6, 2023, 4:44pm

Oops I was on 15.4…

Sauerland · July 6, 2023, 4:49pm

But the same on 15.5:

LANG=C zypper se -si cargo rust
Loading repository data...
Reading installed packages...

S  | Name      | Type    | Version                           | Arch   | Repository
---+-----------+---------+-----------------------------------+--------+-------------------------------------------------------------
i+ | cargo     | package | 1.70.0-150400.24.18.1             | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | cargo1.70 | package | 1.70.0-150400.9.3.1               | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i+ | rust      | package | 1.70.0-150400.24.18.1             | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i  | rust1.70  | package | 1.70.0-150400.9.3.1               | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
i+ | rustup    | package | 1.24.3~git1.0a74fef5-150400.3.4.1 | x86_64 | Main Repository

LANG=C zypper patch
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed rustup-1.26.0~0-150400.3.7.1.x86_64 conflicts with 'rust+rustc' provided by the installed rust1.70-1.70.0-150400.9.3.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of rust1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo1.70-1.70.0-150400.9.3.1.x86_64
  deinstallation of cargo-1.70.0-150400.24.18.1.x86_64
  deinstallation of rust-1.70.0-150400.24.18.1.x86_64
 Solution 2: deinstallation of rustup-1.24.3~git1.0a74fef5-150400.3.4.1.x86_64
 Solution 3: do not install patch:openSUSE-SLE-15.5-2023-2603-1.noarch

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c):

Sauerland · July 6, 2023, 4:52pm

Can you use rustup only withouth the openSUSE rust packages?

arvidjaar · July 6, 2023, 5:03pm

Yes. Any conflict on Leap using standard repositories only means a bug.

Sauerland · July 6, 2023, 5:25pm

Bugreport here, maybe we have to wait:
https://bugzilla.suse.com/show_bug.cgi?id=1213091

tckosvic · July 7, 2023, 2:25pm

Thanks for the input. Wait is my solution!

Sauerland · July 10, 2023, 7:29am

As you can read in the bugreport, it is intended to use rustup or the rust package of your Distribution.

If you want to use rustup try Solution 1.

If you want to use the rust packages of your Distribution use Solution 2.

https://bugzilla.suse.com/show_bug.cgi?id=1213091#c3