diff --git a/RELEASES.md b/RELEASES.md
index 165709e1cf2f0..f719a2fd19c43 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -1,6 +1,7 @@
 Version 1.71.1 (2023-08-03)
 ===========================
 
+- [Fix CVE-2023-38497: Cargo did not respect the umask when extracting dependencies](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87)
 - [Fix bash completion for users of Rustup](https://github.com/rust-lang/rust/pull/113579)
 - [Do not show `suspicious_double_ref_op` lint when calling `borrow()`](https://github.com/rust-lang/rust/pull/112517)
 - [Fix ICE: substitute types before checking inlining compatibility](https://github.com/rust-lang/rust/pull/113802)
diff --git a/src/tools/cargo b/src/tools/cargo
index cfd3bbd8fe4fd..7f1d04c005308 160000
--- a/src/tools/cargo
+++ b/src/tools/cargo
@@ -1 +1 @@
-Subproject commit cfd3bbd8fe4fd92074dfad04b7eb9a923646839f
+Subproject commit 7f1d04c0053083b98fa50b69b6f56e339b0556a8