Releases: tokio-rs/tracing

tracing-subscriber 0.3.20

29 Aug 19:12
4c52ca5

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, the impact is minimal. However, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal.
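
The same idea applied by hand to an untrusted value before it reaches any terminal-bound sink, as an added example: this is not tracing-subscriber's implementation or code from the project. Escaped and escape_control are hypothetical names, and the input is a constructed sample.

```rust
use std::fmt::{self, Write};

/// Hypothetical wrapper (not a tracing-subscriber type): displays a string
/// with every control character replaced by a visible, inert escape.
pub struct Escaped<'a>(pub &'a str);

impl<'a> fmt::Display for Escaped<'a> {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        for c in self.0.chars() {
            match c {
                // Escape the backslash as well, so the escaped form is unambiguous.
                '\\' => f.write_str("\\\\")?,
                // char::is_control covers the Cc category: C0 (including ESC,
                // 0x1b, and BEL, 0x07), DEL, and C1 (including the single-char
                // CSI, U+009B). Newlines are escaped too, which also stops a
                // value from starting a forged log line.
                c if c.is_control() => write!(f, "\\u{{{:04x}}}", c as u32)?,
                c => f.write_char(c)?,
            }
        }
        Ok(())
    }
}

/// Convenience form returning an owned, escaped copy of `input`.
pub fn escape_control(input: &str) -> String {
    Escaped(input).to_string()
}

fn main() {
    // Constructed sample: a header value carrying an OSC title-change
    // sequence followed by a CSI "clear screen" sequence.
    let user_agent = "curl/8.0\x1b]0;spoofed-title\x07\x1b[2J";
    // The terminal receives only printable text; the sequences are not interpreted.
    println!("user_agent={}", Escaped(user_agent));
}
```

Escaping at the point of output, rather than rejecting the input, keeps the original bytes recoverable for later analysis.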

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at [email protected].

If you believe you have found a security vulnerability in any tokio-rs project, please email us at [email protected].

tracing-attributes 0.1.30

17 Jun 15:27
e63ef57

Fixed

  • Fix tracing::instrument regression around shadowing (#3311)

tracing-core 0.1.34

06 Jun 10:09
d08e7a6

Changed

  • Bump MSRV to 1.65 (#3033)

Fixed

  • Do not compare references to pointers to compare pointers (#3236)

tracing-attributes 0.1.29

06 Jun 10:33
643f392

Changed

  • Bump MSRV to 1.65 (#3033)

Fixed

  • Let dead_code lint work on #[instrument]ed functions (#3108)
  • Globally qualify attribute paths (#3126)

tracing-subscriber 0.3.19

29 Nov 16:29
311c313

[ crates.io ] | [ docs.rs ]

This release updates the tracing dependency to v0.1.41 and
the tracing-serde dependency to v0.2.0.

Added

  • Add set_span_events to fmt::Subscriber (#2962)
  • tracing: Allow &[u8] to be recorded as event/span field (#2954)

Changed

  • Set log max level when reloading (#1270)
  • Bump MSRV to 1.63 (#2793)
  • Use const thread_locals when possible (#2838)
  • Don't gate with_ansi() on the "ansi" feature (#3020)
  • Updated tracing-serde to 0.2.0 (#3160)

tracing-journald 0.3.1

29 Nov 17:07
3a792eb

[ crates.io ] | [ docs.rs ]

Changed

  • disable default features of tracing-subscriber (#1476)
  • allow custom journal fields (#2708)
  • Bump MSRV to 1.63 (#2793)
  • make level mappings configurable (#2824)

tracing-error 0.2.1

29 Nov 16:56
11487a0

[ crates.io ] | [ docs.rs ]

Changed

  • Bump MSRV to 1.63 (#2793)

Documented

  • Use intra-doc links instead of relative file paths (#2068)
  • More intra-doc links (#2077)
  • Add missing backtick to prelude docs (#2120)

tracing-mock 0.1.0-beta.1

29 Nov 17:23
44b9493
Pre-release

[ crates.io ] | [ docs.rs ]

tracing-mock provides tools for making assertions about what tracing
diagnostics are emitted by code under test.

  • Initial beta release

tracing-serde 0.2.0

27 Nov 21:24
c66a692

[ crates.io ] | [ docs.rs ]

Breaking Changes

  • Correct SerializeField definition and doc formatting (#3040)
    SerializeField has gained a generic lifetime parameter.

Fixed

  • Implement AsSerde for FieldSet (#2241)
  • breaking Correct SerializeField definition and doc formatting (#3040)

Changed

  • Bump MSRV to 1.63 (#2793)

tracing 0.1.41

27 Nov 17:13
0ca7887

[ crates.io ] | [ docs.rs ]

This release updates the tracing-core dependency to v0.1.33 and
the tracing-attributes dependency to v0.1.28.

Added

  • core: Add index API for Field (#2820)
  • core: Allow &[u8] to be recorded as event/span field (#2954)

Changed

  • Bump MSRV to 1.63 (#2793)
  • core: Use const thread_locals when possible (#2838)

Fixed

  • Removed core imports in macros (#2762)
  • attributes: Added missing RecordTypes for instrument (#2781)
  • attributes: Change order of async and unsafe modifier (#2864)
  • Fix missing field prefixes (#2878)
  • attributes: Extract match scrutinee (#2880)
  • Fix non-simple macro usage without message (#2879)
  • Fix event macros with constant field names in the first position (#2883)
  • Allow field path segments to be keywords (#2925)
  • core: Fix missed register_callsite error (#2938)
  • attributes: Support const values for target and name (#2941)
  • Prefix macro calls with ::core to avoid clashing with local macros (#3024)