CVE-2021-27378

Advisory

Onefuzz 2.5.0 updates its Rust dependency 'rand_core' to v0.6.2 to include a security fix.
https://github.com/microsoft/onefuzz/pull/548

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Added
* CLI: Added the ability to poll task status until the tasks have started to managed templates using `--wait_for_running`. [532](https://github.com/microsoft/onefuzz/pull/532)
* CLI: Added a [libfuzzer-dotnet](docs/how-to/fuzzing-dotnet-with-libfuzzer.md) support. [535](https://github.com/microsoft/onefuzz/pull/535)
* Agent: Added `crashes_account` and `crashes_container` to [configuration value expansion](docs/command-replacements.md). [551](https://github.com/microsoft/onefuzz/pull/551)
* CLI: Added `onefuzz status job` and `onefuzz status project` to provide a user-friendly job status. [550](https://github.com/microsoft/onefuzz/pull/550)

Changed
* Agent: Logs and local telemetry from the agent now include the role (`agent` or `supervisor`) in recorded events. [527](https://github.com/microsoft/onefuzz/pull/527)
* Agent: Clarified the errors generated when libFuzzer coverage extraction fails [554](https://github.com/microsoft/onefuzz/pull/554)

Fixed
* Service: Handled `SkuNotAvailable` errors from Azure when creating scalesets. [557](https://github.com/microsoft/onefuzz/pull/557)
* Agent/Proxy: Updated multiple third-party Rust libraries. Addresses potential security issue [RUSTSEC-2021-0023](https://rustsec.org/advisories/RUSTSEC-2021-0023). [#548](https://github.com/microsoft/onefuzz/pull/548)

Resources

• https://pypi.org/project/onefuzz
• https://pyup.io/changelogs/onefuzz/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27378