Re: Upcoming security release for Wasmtime

Alex Crichton

Nov 10, 2022, 2:52:01 PM
to sec-an...@bytecodealliance.org
[Update 2022-10-10] Security releases available

Wasmtime 2.0.2 is now available on crates.io. Additionally, binary
releases are available on GitHub for the Wasmtime C-API shared library
and CLI at https://github.com/bytecodealliance/wasmtime/releases/tag/v2.0.2.
A 1.0.2 release is being prepared at
https://github.com/bytecodealliance/wasmtime/pull/5246 and should be
ready by the end of the day depending on CI cycle time.

This release fixes the following security issues rated HIGH:

* Data leakage between instances in the pooling allocator:
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf

This release fixes the following security issues rated MODERATE:

* Out of bounds read/write with zero-memory-pages configuration:
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-44mr-8vmm-wjhg

This release fixes the following security issues rated LOW:

* Out of bounds write in `wasmtime_trap_code` C API function:
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-h84q-m8rr-3v9q

On Mon, Nov 7, 2022 at 12:43 PM Alex Crichton <acri...@fastly.com> wrote:
>
> The Bytecode Alliance would like to announce a forthcoming security
> release of Wasmtime.
>
> The release will be made available on 2022-11-10 at approximately
> 19:00 UTC. Additionally, an advisory will be made available on the
> same date and time at https://github.com/advisories.
>
> The highest severity issue fixed in this release is HIGH, based on
> the classification scheme defined in the OpenSSL Security Policy.