doc(changelog): mention CVE fixes

rust-lang · Sep 19, 2022 · ff2b671 · ff2b671
1 parent 73ba3f3
commit ff2b671
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,15 @@
 ## Cargo 1.64 (2022-09-22)
 [a5e08c47...rust-1.64.0](https://github.com/rust-lang/cargo/compare/a5e08c47...rust-1.64.0)
 
+### ⚠️ Fixes of security vulnerabilities
+
+- [CVE-2022-36113: Extracting malicious crates can corrupt arbitrary files](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j)
+- [CVE-2022-36114: Extracting malicious crates can fill the file system](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp)
+
+For more information, please read 
+["Security advisories for Cargo (CVE-2022-36113, CVE-2022-36114)"](https://blog.rust-lang.org/2022/09/14/cargo-cves.html)
+on the official Rust blog.
+
 ### Added
 
 - 🎉 Packages can now inherit settings from the workspace so that the settings
@@ -64,6 +73,15 @@
  [#10784](https://github.com/rust-lang/cargo/pull/10784)
 
 ### Fixed
+
+- [CVE-2022-36113](https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j):
+ Extracting malicious crates can corrupt arbitrary files.
+ [#11089](https://github.com/rust-lang/cargo/pull/11089)
+ [#11088](https://github.com/rust-lang/cargo/pull/11088)
+- [CVE-2022-36114](https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp):
+ Extracting malicious crates can fill the file system.
+ [#11089](https://github.com/rust-lang/cargo/pull/11089)
+ [#11088](https://github.com/rust-lang/cargo/pull/11088)
 - The `os` output in `cargo --version --verbose` now supports more platforms.
  [#10802](https://github.com/rust-lang/cargo/pull/10802)
 - Cached git checkouts will now be rebuilt if they are corrupted. This may