Update crate tracing-subscriber 0.3.19 -> 0.3.20 (fix RUSTSEC-2025-0055) #1114
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Summary: ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Differential Revision: D81802144
meta-cla
bot
added
the
CLA Signed
|
This pull request was exported from Phabricator. Differential Revision: D81802144 |
facebook-github-bot
pushed a commit
to facebookexperimental/reverie
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebookexperimental/rust-shed
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebook/pyrefly
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebookincubator/reindeer
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebook/sapling
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebookincubator/scrut
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot
pushed a commit
to facebookexperimental/hermit
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
|
This pull request has been merged in d655d59. |
facebook-github-bot
pushed a commit
to facebook/hhvm
that referenced
this pull request
Sep 5, 2025
Summary: X-link: meta-pytorch/monarch#1114 ``` VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences Package: tracing-subscriber 0.3.19 Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input. ``` Reviewed By: dtolnay Differential Revision: D81802144 fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary:
Differential Revision: D81802144