Skip to content

chore(deps): update rust crate rand to v0.9.5 [security]#1007

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/crate-rand-vulnerability
Jul 11, 2026
Merged

chore(deps): update rust crate rand to v0.9.5 [security]#1007
renovate[bot] merged 1 commit into
mainfrom
renovate/crate-rand-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
rand (source) workspace.dependencies patch 0.9.40.9.5

Rand is unsound with a custom logger using rand::rng()

GHSA-cq8v-f236-94qc

More information

Details

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

  • The log and thread_rng features are enabled
  • A custom logger is defined
  • The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
  • The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
  • Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

rust-random/rand (rand)

v0.9.5

Compare Source

What's Changed

Full Changelog: rust-random/rand@0.9.4...0.9.5


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 11 times, most recently from 9186a7b to 28e1840 Compare April 23, 2026 20:08
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 2 times, most recently from cb55eae to 1cf9d58 Compare April 27, 2026 10:45
@renovate renovate Bot changed the title chore(deps): update rust crate rand to 0.10.0 [security] chore(deps): update rust crate rand to 0.10.0 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/crate-rand-vulnerability branch April 27, 2026 17:30
@renovate renovate Bot changed the title chore(deps): update rust crate rand to 0.10.0 [security] - autoclosed chore(deps): update rust crate rand to 0.10.0 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 3 times, most recently from be464b1 to a14379c Compare April 30, 2026 06:01
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 3 times, most recently from bb44127 to 12ccb87 Compare May 11, 2026 04:50
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 6 times, most recently from 62dd854 to 1a6fc74 Compare June 9, 2026 18:03
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 3 times, most recently from 6a7b782 to 5ab0b7e Compare June 15, 2026 06:03
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 3 times, most recently from 020b4be to c9d8292 Compare June 22, 2026 11:37
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 2 times, most recently from de08381 to c6c1209 Compare June 29, 2026 06:52
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch 2 times, most recently from 8ea4628 to 999aedd Compare July 8, 2026 12:46
@renovate renovate Bot force-pushed the renovate/crate-rand-vulnerability branch from 999aedd to 55a9125 Compare July 11, 2026 12:30
@renovate renovate Bot enabled auto-merge (squash) July 11, 2026 12:30
@renovate renovate Bot changed the title chore(deps): update rust crate rand to 0.10.0 [security] chore(deps): update rust crate rand to v0.9.5 [security] Jul 11, 2026
@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 29152733406

Coverage increased (+0.01%) to 71.473%

Details

  • Coverage increased (+0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 14958
Covered Lines: 10691
Line Coverage: 71.47%
Coverage Strength: 114.25 hits per line

💛 - Coveralls

@renovate renovate Bot merged commit 4d7e26b into main Jul 11, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant