惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Rust Blog

Security Advisory for Cargo (CVE-2026-5223) | Rust Blog Security Advisory for Cargo (CVE-2026-5222) | Rust Blog Project goals update — April 2026 (end of 2025H2) | Rust Blog Rust is participating in Outreachy | Rust Blog Raising the baseline for the `nvptx64-nvidia-cuda` target | Rust Blog Announcing Google Summer of Code 2026 selected projects | Rust Blog Announcing Rust 1.95.0 | Rust Blog docs.rs: building fewer targets by default | Rust Blog Changes to WebAssembly targets and handling undefined symbols | Rust Blog Announcing Rust 1.94.1 | Rust Blog Security advisory for Cargo | Rust Blog What we heard about Rust's challenges | Rust Blog Call for Testing: Build Dir Layout v2 | Rust Blog Announcing rustup 1.29.0 | Rust Blog Announcing Rust 1.94.0 | Rust Blog 2025 State of Rust Survey Results | Rust Blog Rust debugging survey 2026 | Rust Blog Update on the October 15, 2018 incident on crates.io Announcing Rust 1.29.2 Announcing Rust 1.29 Announcing Rust 1.28 What is Rust 2018? Announcing Rust 1.27.2 Announcing Rust 1.27.1 Security Advisory for rustdoc Announcing Rust 1.27 Announcing Rust 1.26.2 Announcing Rust 1.26.1 Rust turns three Announcing Rust 1.26 The Rust Team All Hands in Berlin: a Recap Increasing Rust’s Reach 2018 Announcing Rust 1.25 Rust's 2018 roadmap Announcing Rust 1.24.1 Announcing Rust 1.24 The 2018 Rust Event Lineup Announcing Rust 1.23 New Year's Rust: A Call for Community Blogposts Rust in 2017: what we achieved Announcing Rust 1.22 (and 1.22.1) Fearless Concurrency in Firefox Quantum Announcing Rust 1.21 impl Future for Rust Rust 2017 Survey Results Announcing Rust 1.20 Announcing Rust 1.19 The 2017 Rust Conference Lineup Rust's 2017 roadmap, six months in Increasing Rust’s Reach Announcing Rust 1.18 Two years of Rust The Rust Libz Blitz Launching the 2017 State of Rust Survey Announcing Rust 1.17 Announcing Rust 1.16 Rust's language ergonomics initiative Announcing Rust 1.15.1 Rust's 2017 roadmap Announcing Rust 1.15 Announcing Rust 1.14 Announcing the First Underhanded Rust Contest Announcing Rust 1.13 Announcing Rust 1.12.1 Announcing Rust 1.12 Incremental Compilation Announcing Rust 1.11 Shape of errors to come The 2016 Rust Conference Lineup Announcing Rust 1.10 State of Rust Survey 2016 Announcing Rust 1.9 One year of Rust Taking Rust everywhere with rustup Launching the 2016 State of Rust Survey Cargo: predictable dependency management Introducing MIR Announcing Rust 1.8 Announcing Rust 1.7 Announcing Rust 1.6 Announcing Rust 1.5 Announcing Rust 1.4 Announcing Rust 1.3 Rust in 2016 Announcing Rust 1.2 Rust 1.1 stable, the Community Subteam, and RustCamp Announcing Rust 1.0 Abstraction without overhead: traits in Rust Rust Once, Run Everywhere Mixing matching, mutation, and moves in Rust Fearless Concurrency with Rust Announcing Rust 1.0 Beta Announcing Rust 1.0.0.alpha.2 Rust 1.0: status report and final timeline Announcing Rust 1.0 Alpha Rust 1.0: Scheduling the trains Yehuda Katz and Steve Klabnik are joining the Rust Core Team Cargo: Rust's community crate host Stability as a Deliverable Road to Rust 1.0
Keeping Rust projects secure with cargo-audit 0.18: performance, compatibility and security improvements | Inside Rust Blog
Sergey "Shnatsel" Davidoff on behalf of the Secure Code WG · 2023-09-04 · via Rust Blog

cargo audit checks your project's dependencies for known security vulnerabilities.

By default cargo audit checks on your Cargo.lock file, but it can also scan compiled binaries. You can install cargo-audit and run it against your project with the following commands:

$ cargo install cargo-audit
$ cargo audit

Both cargo audit and the RustSec advisory database that powers it are maintained by the Rust Secure Code working group.

What's new in this release

Performance

cargo audit now uses the sparse crates.io index when checking for yanked crates. This dramatically speeds up the scanning process because cargo audit no longer needs to download the entire crates.io index, which could take up to several minutes.

Sparse index is used by default if you are running Rust 1.70 or later, same as in Cargo itself. cargo audit honors the Cargo settings for the use of sparse index, should you need to opt out for any reason.

Security

cargo audit previously relied on OpenSSL on all platforms. In this release we have switched to rustls - a high-quality, memory-safe TLS implementation in Rust.

In contrast to OpenSSL's history of high-severity vulnerabilities, rustls has a stellar track record and eliminates entire classes vulnerabilities by construction. It has passed an independent audit with flying colors; the auditors even noted that they "had the rare pleasure of being impressed with the exceptional quality of the presented software".

Since TLS constitutes the vast majority of the attack surface of cargo audit, we are very excited to use a more secure TLS implementation!

Compatibility

A number of long-standing issues are resolved thanks to switching from libgit2 to gitoxide as our git implementation:

  1. cargo audit can now run in Alpine Linux containers.
  2. Several instances of cargo audit running in parallel can now fetch Git repositories without issue.
  3. Accessing Git repositories over SSH is now supported.
  4. Credential helpers to access private repositories are now supported.

Known issues

Limited CPU architecture support

CPU architectures other than x86 and ARM are not supported by this release. This is due to ring, the cryptographic library used by rustls, not supporting other CPU architectures yet.

rustls is in the process of adding support for other cryptographic libraries. We will consider adding support for another TLS implementation if no portable cryptographic library for rustls materializes in the near future.

In the meantime we recommend using the previous release on uncommon CPU architectures. You may also consider other tools that read Cargo.lock files and the RustSec advisory database, such as Trivy, osv-scanner or Dependabot.

cargo audit fix is not converted

The experimental subcommand cargo audit fix to automatically upgrade vulnerable dependencies has existed for a while but has been disabled by default. It has not been converted to use gitoxide and rustls in this release, and has not benefited from any of these improvements.

We will likely rewrite this feature from the ground up before enabling it by default in subsequent releases.

Reporting issues

Due to the sweeping changes to the libraries cargo audit relies on for git protocol and networking there are bound to be subtle differences in behavior compared to previous versions.

If you encounter issues with this latest release, please report it to us on Github. Thank you!

Acknowledgements

Thanks to Jake Shadle who did most of the work in this release, as well as for creating the tame-index crate that enabled sparse registry support in cargo audit.

Thanks to Sebastian Thiel for creating gitoxide and improving it to accommodate the cargo audit requirements, as well as helping review the changes.