113 issues were identified within Rust Coreutils
17 hours ago
- #Ubuntu
- #rust-coreutils
- #security audit
- Ubuntu commissioned an independent security audit of rust-coreutils from Zellic after an internal review raised concerns.
- The audit was conducted in two rounds: high-priority utilities (Dec 2025-Jan 2026) and remaining utilities (Feb-Mar 2026).
- A total of 113 security issues were identified, with the majority addressed by the upstream uutils community.
- Ubuntu 26.04 LTS includes rust-coreutils version 0.8.0 with most fixes, but cp, mv, and rm are still provided by GNU coreutils because of unresolved TOCTOU (time-of-check to time-of-use) issues.
- Full migration to rust-coreutils is targeted for Ubuntu 26.10, following the resolution of remaining security concerns.
- Multiple CVEs (CVE-2026-35338 to CVE-2026-35381) were disclosed as part of the audit findings.