[CLSA-2026:1783610973] Fix CVE(s): CVE-2026-33056
Type:
security
Severity:
Moderate
Release date:
2026-07-09 20:18:24 UTC
Description:
* SECURITY UPDATE: symlink-directory collision chmod attack in vendored tar crate - debian/patches/CVE-2026-33056.patch: use fs::symlink_metadata() instead of fs::metadata() in unpack_dir so a pre-existing symlink is not treated as a valid existing directory, preventing permission changes on directories outside the extraction path - CVE-2026-33056
CVEs fixed:
Updated packages:
  • cargo1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:8f0e8e9a66e9778f4bdb44313f22543b671f8f5f
  • cargo1.86-doc_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:0aa3ca3d29c60c43bd937b314c80677143deb61c
  • libstd-rust1.86-1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:3af696a011cf5a5d7ab013f86c962bfe40f39fae
  • libstd-rust1.86-dev_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:63c06f1dacf7592c56832dd14380957557eb848e
  • rust1.86-all_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:4760341251d4e03559c8d006a5b0b4fd1a0ed5c1
  • rust1.86-analyzer_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:d60670f18dca616b2a851efd314afa3e409344ad
  • rust1.86-clippy_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:feced662d87c719c388cfc2b0b8fcde32ea759be
  • rust1.86-doc_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:abd8277b8f2feeb4f9ac42d3ecda5cb0f3c4e81c
  • rust1.86-gdb_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:5e6e3b7e086ae621b73151cf07004ac0b83a9cf3
  • rust1.86-lldb_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:a0d849cc8553865523844667bd8017e65ae612f3
  • rust1.86-llvm_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:e505e2cd66364959ee4a1c60028dd14a1d979319
  • rust1.86-src_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:3196e7ba1e2198b31834c5518382d5a9dbef32d9
  • rustc1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:3f43e5ad329fc7d54a070611c1e2ce2bfe5cc932
  • rustfmt1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_amd64.deb
    sha:3beff525526fd3ab5f508e27dd63d3331e3a23b0
  • cargo1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:bb884618cdd3eba49dc898ddb72d508f37bab1b4
  • cargo1.86-doc_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:28673191460e125a7be13773f4705b105c707f0a
  • libstd-rust1.86-1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:dbccf996c99798a95f4b934b7a704ffe08bbd320
  • libstd-rust1.86-dev_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:3768e33f6b6ec69c2dfcf6ad2741b80bd5ffc9c1
  • rust1.86-all_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:4760341251d4e03559c8d006a5b0b4fd1a0ed5c1
  • rust1.86-analyzer_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:2b0f315376c1cfc6f5e58ed216b08d0f6ca247f7
  • rust1.86-clippy_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:1c662555f2b21ba7f86ba3b255a59f9e0d0408e3
  • rust1.86-doc_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:7d4f43d3b4704618e248332fbdecdeb8a205e502
  • rust1.86-gdb_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:5e6e3b7e086ae621b73151cf07004ac0b83a9cf3
  • rust1.86-lldb_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:a0d849cc8553865523844667bd8017e65ae612f3
  • rust1.86-llvm_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:5bb14a1fef2869f43de86589f29ecd3cbbd668f9
  • rust1.86-src_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_all.deb
    sha:3196e7ba1e2198b31834c5518382d5a9dbef32d9
  • rustc1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:6e61b78de62ffb730bce333e94cf1872754b0337
  • rustfmt1.86_1.86.0+dfsg1-1~bpo13+2+tuxcare.els5_arm64.deb
    sha:1ac9d54e67e11e5b522b5064691ffeadcbcc3f65
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.