From 20d5786fe2cca68f389c03d4b4f079294ba32912 Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Thu, 3 Aug 2023 10:59:50 +0200 Subject: [PATCH 1/2] update cargo to fix cve-2023-38497 --- src/tools/cargo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/cargo b/src/tools/cargo index cfd3bbd8fe4fd..7f1d04c005308 160000 --- a/src/tools/cargo +++ b/src/tools/cargo @@ -1 +1 @@ -Subproject commit cfd3bbd8fe4fd92074dfad04b7eb9a923646839f +Subproject commit 7f1d04c0053083b98fa50b69b6f56e339b0556a8 From 64611e15c7cd89e6bcd3ac573108b18b47f0830c Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Thu, 3 Aug 2023 11:06:10 +0200 Subject: [PATCH 2/2] update release notes to include cve fix --- RELEASES.md | 1 + 1 file changed, 1 insertion(+) diff --git a/RELEASES.md b/RELEASES.md index 165709e1cf2f0..f719a2fd19c43 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -1,6 +1,7 @@ Version 1.71.1 (2023-08-03) =========================== +- [Fix CVE-2023-38497: Cargo did not respect the umask when extracting dependencies](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87) - [Fix bash completion for users of Rustup](https://github.com/rust-lang/rust/pull/113579) - [Do not show `suspicious_double_ref_op` lint when calling `borrow()`](https://github.com/rust-lang/rust/pull/112517) - [Fix ICE: substitute types before checking inlining compatibility](https://github.com/rust-lang/rust/pull/113802)
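Review bot: In the `src/tools/cargo` hunk of PATCH 1/2, the new submodule pointer `7f1d04c0053083b98fa50b69b6f56e339b0556a8` cannot be verified from this diff, and the commit message names the CVE without saying which cargo commits the bump pulls in. Suggest stating in the commit message the cargo branch the new commit sits on and the range `cfd3bbd8fe4fd..7f1d04c005308`, so a reviewer can confirm the bump carries the umask fix and nothing unrelated into the 1.71.1 point release.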
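Review bot: In the `RELEASES.md` hunk of PATCH 2/2, the added CVE-2023-38497 entry sits in the same flat list as the three ordinary bug fixes below it and, unlike them, links to a cargo advisory rather than a `rust-lang/rust` pull request, so nothing in the release notes ties the entry to the submodule bump that delivers the fix. Suggest either referencing the pull request that carries this series alongside the advisory link, or setting the security fix apart from the regular fixes so readers scanning the 1.71.1 notes can see at a glance that this release is security relevant.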