Clarify RUSTSEC-2020-0071 to mention that time was *setting* environment variables

[tbu-]

@briansmith wrote:

Oh, sorry, I forgot the main request I had: We should update the text of the RUSTSEC advisories and the related CVE with more explanation of the issue, as the current advisory text, though not totally wrong, not really helpful in helping people understand the issue.

[tarcieri]

Is there a specific change you're proposing here? AFAICT the current relevant text is:

This requires an environment variable to be set in a different thread than the affected functions.

[tbu-]

Yes, that it only requires an environment variable to be read in a different thread than the affected functions.

This requires an environment variable to be set read in a different thread than the affected functions.

If the vulnerability required setting an environment variable in another thread, it wouldn't be a vulnerability according to the discussion in #1190. The crate in question also sets environment variables though: #1258, so reading environment variables in another thread is enough to trigger the vulnerability.

[tarcieri]

Okay, want to open a PR with the proposed change?