File cargo-audit-advisory-db.changes of Package cargo-audit-advisory-db
-------------------------------------------------------------------
Tue Oct 21 02:38:22 UTC 2025 - william.brown@suse.com

- Update to version 20251021:
  * Mark all rust-unic crates as unmaintained (#2424)
  * fix: RUSTSEC-2025-0073 (`alloy-dyn-abi`), update to description and credit (#2423)
  * Assigned RUSTSEC-2025-0073 to alloy-dyn-abi
  * Add CVE-2025-62370 `alloy-dyn-abi` (#2421)
  * Assigned RUSTSEC-2025-0072 to wrflib
  * add wrflib
  * add io-safety keyword to RUSTSEC-2025-0051
  * Assigned RUSTSEC-2025-0071 to ammonia
  * ammonia v4.1.2
  * Assigned RUSTSEC-2025-0070 to pingora-core

-------------------------------------------------------------------
Sat Sep 13 01:09:23 UTC 2025 - william.brown@suse.com

- Update to version 20250913:
  * Assigned RUSTSEC-2025-0067 to libyml, RUSTSEC-2025-0068 to serde_yml
  * explain why the alternatives are mentioned
  * mark both unsound
  * Add unmaintained libyml and serde_yml
  * Assigned RUSTSEC-2021-0154 to fuser
  * Add advisory for fuser
  * Assigned RUSTSEC-2025-0066 to google-apis-common
  * Add advisory (deprecated) for `google-apis-common`
  * Assigned RUSTSEC-2025-0065 to matrix-sdk-base
  * Fix candidate advisory ID

-------------------------------------------------------------------
Wed May 07 03:31:11 UTC 2025 - william.brown@suse.com

- Update to version 20250507:
  * RUSTSEC-2025-0028: Indicate 'cve-rs' is a joke
  * RUSTSEC-2025-0030: Indicate 'totally-safe-transmute' is a toy.
  * Adjust patched versions in mp3-metadata advisory
  * Assigned RUSTSEC-2025-0032 to redox_uefi_std
  * Out of bounds read in redux_uefi_std (#2263)
  * Assigned RUSTSEC-2025-0031 to tanton_engine
  * tanton_engine: unsound public API (#2286)
  * Assigned RUSTSEC-2025-0028 to cve-rs, RUSTSEC-2025-0029 to totally-safe, RUSTSEC-2025-0030 to totally-safe-transmute
  * Report unsoundness in `cve-rs`, `totally-safe-transmute` and `totally-safe` (#2221)
  * Assigned RUSTSEC-2023-0090 to wasmtime, RUSTSEC-2022-0095 to wasmtime, RUSTSEC-2022-0096 to wasmtime, RUSTSEC-2022-0097 to wasmtime, RUSTSEC-2023-0091 to wasmtime, RUSTSEC-2022-0098 to wasmtime, RUSTSEC-2022-0099 to wasmtime, RUSTSEC-2023-0092 to wasmtime, RUSTSEC-2024-0438 to wasmtime, RUSTSEC-2024-0439 to wasmtime, RUSTSEC-2024-0440 to wasmtime, RUSTSEC-2024-0441 to wasmtime, RUSTSEC-2022-0100 to wasmtime, RUSTSEC-2022-0101 to wasmtime, RUSTSEC-2023-0093 to wasmtime, RUSTSEC-2022-0102 to wasmtime

-------------------------------------------------------------------
Fri Apr 11 02:21:43 UTC 2025 - william.brown@suse.com

- Update to version 20250411:
  * Assigned RUSTSEC-2025-0024 to crossbeam-channel (#2278)
  * Add crossbeam-channel advisory re upstream MR #1187 (#2277)
  * Update patched version list for RUSTSEC-2025-0023
  * Add references to RUSTSEC-2025-0021
  * Assigned RUSTSEC-2025-0023 to tokio (#2273)
  * Add unsound advisory for Tokio 7232 (#2272)
  * Change our policy from 90 days to 270 days for unmaintained (#2032)
  * Assigned RUSTSEC-2025-0022 to openssl (#2271)
  * Added rustsec advisory for two UAFs in rust-openssl (#2270)
  * Assigned RUSTSEC-2025-0021 to gix-features (#2269)

-------------------------------------------------------------------
Tue Mar 04 01:06:21 UTC 2025 - william.brown@suse.com

- Update to version 20250304:
  * openh264-sys is not a notice, it's a vuln (#2234)
  * Assigned RUSTSEC-2025-0008 to openh264-sys2 (#2232)
  * `openh264-sys2` upstream heap overflow. (#2231)
  * *ring* is maintained again, withdraw 2025-0007. (#2230)
  * Assigned RUSTSEC-2025-0007 to ring (#2229)
  * Add unmaintained advisory for *ring* (#2228)
  * Assigned RUSTSEC-2024-0435 to fyrox-core (#2224)
  * Report unsoundness and patch in fyrox-core (#2172)
  * vec-const is gone from crates.io, update linter to fix CI (#2223)
  * Assigned RUSTSEC-2025-0006 to hickory-proto (#2222)

-------------------------------------------------------------------
Tue Feb 04 04:38:07 UTC 2025 - william.brown@suse.com

- Update to version 20250204:
  * Assigned RUSTSEC-2025-0004 to openssl (#2218)
  * Add advisory for `openssl ssl::select_next_proto` UAF (#2217)
  * Add patch version for RUSTSEC-2021-0087.md (#2216)
  * Assigned RUSTSEC-2025-0002 to fast-float2, RUSTSEC-2025-0003 to fast-float (#2213)
  * Add advisory for segmentation fault in fast-float and fast-float2 (#2192)
  * Add global GHSA and references to RUSTSEC-2025-0001 (#2207)
  * README.md: bump database maintenance year to 2025 (#2208)
  * Assigned RUSTSEC-2024-0434 to matrix-sdk-crypto (#2205)
  * Remove listing of unix-likes from advisory (#2206)
  * Add CVE-2024-52813 for matrix-sdk-crypto (#2204)

-------------------------------------------------------------------
Wed Oct 30 01:03:16 UTC 2024 - william.brown@suse.com

- Update to version 20241030:
  * Fix incorrect fixed version for may_queue (#2106)
  * Add missing information about fixed versions (#2105)
  * Assigned RUSTSEC-2024-0378 to pyo3 (#2102)
  * risk of use-after-free in PyO3 borrowing from weak references (#2101)
  * Assigned RUSTSEC-2024-0377 to dbn (#2099)
  * Dbn heap buffer overflow (#2097)
  * Update RUSTSEC-2024-0376 affected versions (#2094)
  * Assigned RUSTSEC-2024-0376 to tonic (#2092)
  * Add advisory for CVE-2024-47609 in tonic (#2091)
  * Assigned RUSTSEC-2024-0375 to atty (#2090)

-------------------------------------------------------------------
Wed Sep 04 00:24:50 UTC 2024 - william.brown@suse.com

- Update to version 20240904:
  * Make small readability improvements in RUSTSEC-2023-0064 (#2064)
  * Add global GHSA reference for RUSTSEC-2024-0367 (config scopes) (#2063)
  * Assigned RUSTSEC-2024-0368 to olm-sys (#2062)
  * Add advisory for olm-sys (unmaintained, crypto failure) (#2060)
  * Add CVE number for RUSTSEC-2024-0367 (config scopes) (#2061)
  * Assigned RUSTSEC-2024-0367 to gix-path (#2058)
  * Advisory for GHSA-v26r-4c9c-h3j6 (config scopes) in gix-path (#2055)
  * Assigned RUSTSEC-2024-0366 to cosmwasm-vm (#2053)
  * Add cosmwasm-vm advisory CWA-2023-004 (#2052)
  * update resolution for RUSTSEC-2024-0363 (sqlx) (#2050)

-------------------------------------------------------------------
Tue Jul 30 02:41:17 UTC 2024 - william.brown@suse.com

- Update to version 20240730:
  * Assigned RUSTSEC-2024-0360 to xmp_toolkit (#2030)
  * Unsoundness notice for xmp_toolkit < 1.9.0 (#2029)
  * Assigned RUSTSEC-2024-0359 to gix-attributes (#2028)
  * Unsoundness notice for gix-attributes (kstring integration) (#2027)
  * Assigned RUSTSEC-2024-0358 to object_store (#2026)
  * Add advisory for object_store credentials leak via logs (#2025)
  * Assigned RUSTSEC-2024-0357 to openssl (#2022)
  * Added advisory for undefined behavior in openssl (#2021)
  * Assigned RUSTSEC-2024-0356 to matrix-sdk-crypto (#2019)
  * Add CVE-2024-40648 for matrix-sdk-crypto (#2018)

-------------------------------------------------------------------
Tue May 28 05:56:45 UTC 2024 - william.brown@suse.com

- Update to version 20240528:
  * Add some civility language to HOWTO_UNMAINTAINED.md (#1972)
  * Synchronize IDs (2024-05-21) (#1966)
  * Assigned RUSTSEC-2024-0342 to vodozemac (#1965)
  * Add CVE-2024-34063 for vodozemac (#1955)
  * Assigned RUSTSEC-2024-0341 to tls-listener (#1964)
  * Assigned RUSTSEC-2024-0340 to tor-circmgr (#1963)
  * add CVE-2024-28854 for tls-listener (#1926)
  * Add advisory for tor-circmgr TROVE-2024-004 (#1958)
  * Assigned RUSTSEC-2024-0339 to tor-circmgr (#1962)
  * Add advisory for tor-circmgr TROVE-2024-003 (#1957)

-------------------------------------------------------------------
Sat Mar 30 04:06:18 UTC 2024 - william.brown@suse.com

- Update to version 20240330:
  * Assigned (#1924)
  * Add an unmaintained crate advisory for yaml-rust (#1922)
  * Assigned RUSTSEC-2023-0085 to hpack (#1920)
  * Add hpack panics (#1919)
  * Assigned RUSTSEC-2024-0021 to eyre, RUSTSEC-2023-0084 to hpack (#1916)
  * eyre: Parts of Report are dropped as the wrong type during downcast (#1918)
  * Add security advisory for unmaintained hpack crate (#1915)
  * update RUSTSEC-2024-0020 with additional information (#1913)
  * Assigned RUSTSEC-2024-0020 to whoami (#1912)
  * Add advisory for stack buffer overflow with whoami (#1911)

-------------------------------------------------------------------
Tue Dec 19 02:11:18 UTC 2023 - william.brown@suse.com

- Update to version 20231219:
  * Assigned RUSTSEC-2023-0074 to zerocopy (#1839)
  * zerocopy: Some Ref methods are unsound with some type params (#1837)
  * Update CVSS score of RUSTSEC-2023-0071 (#1838)
  * Assigned RUSTSEC-2023-0073 to candid (#1835)
  * Add advisory for candid library decoding DoS vulnerability (#1834)
  * RUSTSEC-2023-0071: add CVE-2023-49092 as alias (#1830)
  * RUSTSEC-2023-0071.md: use '###' section headers (#1829)
  * RUSTSEC-2023-0071: add CVSS, aliases, and new wording (#1828)
  * Assigned RUSTSEC-2023-0072 to openssl (#1827)
  * `openssl` `X509StoreRef::objects` is unsound (#1824)

-------------------------------------------------------------------
Fri Oct 27 03:02:30 UTC 2023 - william.brown@suse.com

- Update to version 20231027:
  * Assigned RUSTSEC-2023-0068 to cocoon (#1810)
  * cocoon: sequential calls of encryption API result in nonce reuse (<=0.3.3) (#1805)
  * Updating information about replacements (#1803)
  * Assigned RUSTSEC-2023-0067 to fehler (#1801)
  * fehler is unmaintained (#1800)
  * Assigned RUSTSEC-2023-0066 to pleaser (#1799)
  * Document the privilege-escalation vulnerability in pleaser. (#1798)
  * Update webpki RUSTSEC-2023-0052 advisory. (#1797)
  * Assigned RUSTSEC-2023-0065 to tungstenite (#1796)
  * Create advisory for tungstenite DoS (#1795)

-------------------------------------------------------------------
Sat Oct 07 01:19:51 UTC 2023 - william.brown@suse.com

- Update to version 20231007:
  * Assigned RUSTSEC-2023-0066 to pleaser (#1799)
  * Document the privilege-escalation vulnerability in pleaser. (#1798)
  * Update webpki RUSTSEC-2023-0052 advisory. (#1797)
  * Assigned RUSTSEC-2023-0065 to tungstenite (#1796)
  * Create advisory for tungstenite DoS (#1795)
  * Add patch version (#1794)
  * Update info about CVE-2023-5129 (#1793)
  * Bump rustsec-admin to 0.8.8 (#1791)
  * Assigned RUSTSEC-2023-0064 to gix-transport (#1790)
  * Add notice to gix-transport crate (#1789)

-------------------------------------------------------------------
Thu Aug 17 23:38:35 UTC 2023 - william.brown@suse.com

- Update to version 20230818:
  * Assigned RUSTSEC-2022-0093 to ed25519-dalek (#1745)
  * Add Double Public Key Signing Function Oracle Attack on `ed25519-dalek` (#1744)
  * Assigned RUSTSEC-2023-0049 to tui (#1740)
  * Add unmaintained `tui` advisory (#1739)
  * Update aliases from GHSA OSV export (#1734)
  * Assigned RUSTSEC-2023-0048 to intaglio (#1733)
  * Add advisory for unsoundness in intaglio symbol interners (#1732)
  * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730)
  * report unsoundness of lmdb-rs (#1724)
  * Fix typos (#1729)

-------------------------------------------------------------------
Mon Jul 31 04:07:19 UTC 2023 - william.brown@suse.com

- Update to version 20230731:
  * Update aliases from GHSA OSV export (#1734)
  * Assigned RUSTSEC-2023-0048 to intaglio (#1733)
  * Add advisory for unsoundness in intaglio symbol interners (#1732)
  * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730)
  * report unsoundness of lmdb-rs (#1724)
  * Fix typos (#1729)
  * Bump rustsec-admin to 0.8.6 (#1728)
  * Update aliases from GHSA OSV export (#1727)
  * Update RUSTSEC-2021-0145.md with stable IsTerminal (#1725)
  * Assigned RUSTSEC-2023-0046 to cyfs-base (#1723)

-------------------------------------------------------------------
Tue Jul 11 00:47:33 UTC 2023 - william.brown@suse.com

- Update to version 20230711:
  * Bump rustsec-admin to 0.8.6 (#1728)
  * Update aliases from GHSA OSV export (#1727)
  * Update RUSTSEC-2021-0145.md with stable IsTerminal (#1725)
  * Assigned RUSTSEC-2023-0046 to cyfs-base (#1723)
  * report misaligned pointer dereference in cyfs-base (#1718)
  * Assigned RUSTSEC-2023-0045 to memoffset (#1722)
  * Add advisory to `memoffset` (#1721)
  * Assigned RUSTSEC-2023-0044 to openssl (#1720)
  * Report buffer-overread in OpenSSL (#1719)
  * Update RUSTSEC-2023-0042 to reflect patch. (#1717)

-------------------------------------------------------------------
Tue May 30 04:33:12 UTC 2023 - william.brown@suse.com

- Update to version 20230530:
  * Suggest kuchikiki as an alternative to kuchiki (#1698)
  * Assigned RUSTSEC-2023-0037 to xsalsa20poly1305 (#1695)
  * xsalsa20poly1305 is unmaintained (#1694)
  * xml-rs is maintained (#1691)
  * Assigned RUSTSEC-2023-0036 to tree_magic (#1689)
  * Add unmaintained tree_magic crate (#1678)
  * Assigned RUSTSEC-2023-0035 to enumflags2 (#1688)
  * enumflags2::make_bitflags unsoundness (#1686)
  * Assigned RUSTSEC-2023-0034 to h2 (#1687)
  * Add advisory for h2: resource exhaustion vulnerability may lead to DoS (#1684)

-------------------------------------------------------------------
Tue May 23 04:42:24 UTC 2023 - william.brown@suse.com

- Update to version 20230523:
  * Assigned RUSTSEC-2023-0037 to xsalsa20poly1305 (#1695)
  * xsalsa20poly1305 is unmaintained (#1694)
  * xml-rs is maintained (#1691)
  * Assigned RUSTSEC-2023-0036 to tree_magic (#1689)
  * Add unmaintained tree_magic crate (#1678)
  * Assigned RUSTSEC-2023-0035 to enumflags2 (#1688)
  * enumflags2::make_bitflags unsoundness (#1686)
  * Assigned RUSTSEC-2023-0034 to h2 (#1687)
  * Add advisory for h2: resource exhaustion vulnerability may lead to DoS (#1684)
  * Fix typos in RUSTSEC-2023-0033 (#1685)

-------------------------------------------------------------------
Thu Apr 13 01:00:08 UTC 2023 - william.brown@suse.com

- Update to version 20230413:
  * Bump peter-evans/create-pull-request from 4 to 5 (#1677)
  * Withdraw RUSTSEC-2021-0147 (#1676)
  * Assigned RUSTSEC-2023-0032 to ntru (#1674)
  * Add unsound ntru (#1652)
  * Assigned RUSTSEC-2023-0031 to spin (#1673)
  * Added unsound `spin` (#1671)
  * Assigned RUSTSEC-2023-0030 to versionize (#1669)
  * Add advisory for versionize crate (#1662)
  * Assigned RUSTSEC-2023-0029 to nats (#1668)
  * Fix `nats` directory (#1667)

-------------------------------------------------------------------
Thu Feb 23 00:12:48 UTC 2023 - william.brown@suse.com

- Update to version 20230223:
  * Assigned RUSTSEC-2022-0090 to libsqlite3-sys (#1607)
  * Add sqlite advisory (#1599)
  * Assigned RUSTSEC-2023-0014 to cortex-m-rt (#1606)
  * Add soundness advisory for cortex-m-rt (#1601)
  * Update RUSTSEC-2020-0097.md (#1600)
  * Better docs (#1598)
  * Assigned RUSTSEC-2020-0167 to pnet_packet (#1596)
  * Fix some typos (#1593)
  * Add advisory for pnet_packet (#1595)
  * Update RUSTSEC-2020-0071.md (#1594)

-------------------------------------------------------------------
Tue Jan 17 03:29:22 UTC 2023 - william.brown@suse.com

- Update to version 20230117:
  * Assigned RUSTSEC-2022-0080 to parity-util-mem (#1530)
  * Add parity-util-mem unmaintained (#1528)
  * Assigned RUSTSEC-2021-0146 to twoway (#1529)
  * Add unmaintained `twoway` (#1435)
  * Assigned RUSTSEC-2022-0079 to elf_rs (#1527)
  * Add advisory for elf_rs crate (#1450)
  * Update RUSTSEC-2021-0088.md (#1512)
  * Assigned RUSTSEC-2022-0078 to bumpalo (#1526)
  * Add advisory for bumpalo Vec iterator unsoundness (#1525)
  * Assigned RUSTSEC-2022-0077 to claim (#1523)

-------------------------------------------------------------------
Tue Nov 01 22:16:48 UTC 2022 - william.brown@suse.com

- Update to version 20221102:
  * Assigned RUSTSEC-2022-0065 to openssl-src (#1455)
  * CVE-2022-3786 in openssl (#1453)
  * Assigned RUSTSEC-2022-0064 to openssl-src (#1454)
  * CVE-2022-3602 in openssl (#1452)
  * Assigned RUSTSEC-2022-0063 to linked_list_allocator (#1449)
  * Add CVE-2022-36086 for linked_list_allocator (#1448)
  * Assigned RUSTSEC-2022-0062 to matrix-sdk (#1445)
  * Add advisory for logging of access tokens in matrix-sdk (#1444)
  * Assigned RUSTSEC-2022-0061 to parity-wasm (#1443)
  * Add unmaintained `parity-wasm` (#1441)

-------------------------------------------------------------------
Wed Sep 28 01:22:33 UTC 2022 - william.brown@suse.com

- Update to version 20220928:
  * Assigned RUSTSEC-2022-0056 to clipboard (#1425)
  * Add unmaintained `clipboard` (#1267)
  * Fix informational footnote wording (#1420)
  * Add `stylish` as `ansi_term` alternative (#1421)
  * Assigned RUSTSEC-2022-0055 to axum-core (#1419)
  * Add `axum-core` DoS (#1417)
  * Assigned RUSTSEC-2021-0144 to traitobject (#1415)
  * Add unmaintained `traitobject` (#1390)
  * Assigned RUSTSEC-2019-0039 to typemap (#1414)
  * Add unmaintained `typemap` (#1406)

-------------------------------------------------------------------
Wed May 11 01:12:29 UTC 2022 - wbrown@suse.de

- Update to version 20220511:
  * Assigned RUSTSEC-2022-0022 to hyper (#1235)
  * add hyper advisory (#1232)
  * Assigned RUSTSEC-2022-0019 to crossbeam-channel, RUSTSEC-2022-0020 to crossbeam, RUSTSEC-2022-0021 to crossbeam-queue (#1233)
  * add crossbeam advisories for incorrect (unsound) zeroed memory (#1231)
  * Assigned RUSTSEC-2022-0018 to totp-rs (#1230)
  * Possible timing attack in totp-rs (#1229)
  * HOWTO_UNMAINTAINED.md: guide for unmaintained crate advisories (#1192)
  * Assigned RUSTSEC-2022-0017 to array-macro (#1225)
  * Add advisory for using impure constants in array-macro (#1224)
  * Add patch version for fruity (#1223)

-------------------------------------------------------------------
Thu Apr 28 02:57:45 UTC 2022 - wbrown@suse.de

- Update to version 20220428:
  * Assigned RUSTSEC-2022-0017 to array-macro (#1225)
  * Add advisory for using impure constants in array-macro (#1224)
  * Add patch version for fruity (#1223)
  * Update RUSTSEC-2020-0071.md (#1222)
  * RUSTSEC-2022-0012: note that v0.10.0+ is patched (#1220)
  * Assigned RUSTSEC-2022-0016 to wasmtime (#1218)
  * Add CVE-2022-24791 for Wasmtime (#1217)
  * Assigned RUSTSEC-2022-0015 to pty (#1215)
  * Add unmaintained advisory for pty (#1213)
  * Assigned RUSTSEC-2022-0014 to openssl-src (#1211)

-------------------------------------------------------------------
Wed Apr 20 00:36:52 UTC 2022 - wbrown@suse.de

- Update to version 20220420:
  * Add patch version for fruity (#1223)
  * Update RUSTSEC-2020-0071.md (#1222)
  * RUSTSEC-2022-0012: note that v0.10.0+ is patched (#1220)
  * Assigned RUSTSEC-2022-0016 to wasmtime (#1218)
  * Add CVE-2022-24791 for Wasmtime (#1217)
  * Assigned RUSTSEC-2022-0015 to pty (#1215)
  * Add unmaintained advisory for pty (#1213)
  * Assigned RUSTSEC-2022-0014 to openssl-src (#1211)
  * Add CVE-2022-0778 for openssl-src (#1210)
  * Assigned RUSTSEC-2022-0013 to regex (#1208)

-------------------------------------------------------------------
Wed Mar 30 01:47:58 UTC 2022 - William Brown <william.brown@suse.com>

- Resolve issue with obs install check on non-tier1 arches

-------------------------------------------------------------------
Wed Mar 23 10:54:26 UTC 2022 - wbrown@suse.de

- Update to version 20220323:
  * Assigned RUSTSEC-2022-0015 to pty (#1215)
  * Add unmaintained advisory for pty (#1213)
  * Assigned RUSTSEC-2022-0014 to openssl-src (#1211)
  * Add CVE-2022-0778 for openssl-src (#1210)
  * Assigned RUSTSEC-2022-0013 to regex (#1208)
  * add cve-2022-24713 (#1207)
  * mark RUSTSEC-2021-0019 fixed, add references (#1206)
  * RUSTSEC-2021-0134: Remove recursive_reference from the list of alternatives (#1200)
  * Assigned RUSTSEC-2022-0012 to arrow2 (#1205)
  * Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204)

-------------------------------------------------------------------
Fri Mar 11 03:15:25 UTC 2022 - wbrown@suse.de

- Update to version 20220311:
  * Assigned RUSTSEC-2022-0013 to regex (#1208)
  * add cve-2022-24713 (#1207)
  * mark RUSTSEC-2021-0019 fixed, add references (#1206)
  * RUSTSEC-2021-0134: Remove recursive_reference from the list of alternatives (#1200)
  * Assigned RUSTSEC-2022-0012 to arrow2 (#1205)
  * Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204)
  * Assigned RUSTSEC-2022-0011 to rust-crypto (#1202)
  * `rust-crypto`: miscomputation when performing AES encryption (#1201)
  * Update RUSTSEC-2020-0150.md (#1199)
  * Assigned RUSTSEC-2022-0010 to enum-map (#1198)

-------------------------------------------------------------------
Tue Feb 15 00:57:25 UTC 2022 - wbrown@suse.de

- Update to version 20220215:
  * Suggest maintained alternatives for Rental advisory (#1187)
  * Update RUSTSEC-2022-0009.md (#1186)
  * Assigned RUSTSEC-2020-0162 to tokio-proto (#1185)
  * Mark tokio-proto as deprecated (#1184)
  * Assigned RUSTSEC-2022-0009 to libp2p-core (#1183)
  * Add entry for libp2p-core vulnerability (#1182)
  * Add patched version to DashMap advisory (#1181)
  * Assigned RUSTSEC-2022-0008 to windows (#1178)
  * Add advisory for windows (#1177)
  * Assigned RUSTSEC-2022-0007 to qcell (#1172)

-------------------------------------------------------------------
Wed Jan 05 02:13:49 UTC 2022 - wbrown@suse.de

- Update to version 20220105:
  * Assigned RUSTSEC-2021-0134 to rental (#1137)
  * Report that rental is no longer maintained (#1136)
  * Assigned RUSTSEC-2020-0160 to shamir (#1135)
  * Turn the issue about shamir into an advisory (#1134)
  * Assigned RUSTSEC-2021-0133 to cargo-download (#1133)
  * Mark cargo-download unmaintained (#1132)
  * Mark arrow advisories as fixed in https://github.com/apache/arrow-rs/issues/817 (#1131)
  * Assigned RUSTSEC-2021-0132 to compu-brotli-sys (#1130)
  * CVE-2020-8927 for compu-brotli-sys (#1129)
  * Assigned RUSTSEC-2021-0131 to brotli-sys (#1128)

-------------------------------------------------------------------
Fri Dec 10 04:08:52 UTC 2021 - wbrown@suse.de

- Update to version 20211210:
  * Assigned RUSTSEC-2021-0128 to rusqlite (#1120)
  * Report `rusqlite` closure lifetime issue (#1117)
  * correct formatting for lists in RUSTSEC-2021-0127 (#1116)
  * Assigned RUSTSEC-2021-0127 to serde_cbor (#1115)
  * serde_cbor is unmaintained (#1114)
  * Assigned RUSTSEC-2021-0126 to rust-embed (#1113)
  * Add advisory for rust-embed path traversal (#1112)
  * Adds maintained alternative to slice_deque (#1109)
  * Assigned RUSTSEC-2021-0125 to simple_asn1 (#1108)
  * Security advisory on simple_asn1 version 0.6.0 (#1103)

-------------------------------------------------------------------
Tue Nov 30 02:12:58 UTC 2021 - wbrown@suse.de

- Update to version 20211130:
  * Assigned RUSTSEC-2021-0126 to rust-embed (#1113)
  * Add advisory for rust-embed path traversal (#1112)
  * Adds maintained alternative to slice_deque (#1109)
  * Assigned RUSTSEC-2021-0125 to simple_asn1 (#1108)
  * Security advisory on simple_asn1 version 0.6.0 (#1103)
  * Assigned RUSTSEC-2021-0124 to tokio (#1107)
  * Add advisory for tokio-rs/tokio#4225 (#1106)
  * Add CVE for RUSTSEC-2021-0123 (#1105)
  * Assigned RUSTSEC-2021-0123 to fruity (#1104)
  * Add fruity advisory for nvzqz/fruity#14 (#1102)

-------------------------------------------------------------------
Fri Nov 12 00:17:17 UTC 2021 - wbrown@suse.de

- Update to version 20211112:
  * Assigned RUSTSEC-2021-0122 to flatbuffers (#1100)
  * Add `flatbuffers` advisory for flatbuffers#6627 (#1093)
  * add cve info to advisories (#1099)
  * Bump `rustsec-admin` to v0.5.3 (#1091)
  * Add cvss information from nvd (#1085)
  * Add missing method to time vulnerability (#1086)
  * Add CVE alias for RUSTSEC-2021-0069 (#1087)
  * Assigned RUSTSEC-2021-0121 to crypto2 (#1084)
  * Unsound implementation of Chacha20 in crypto2 (#1072)
  * Assigned RUSTSEC-2020-0159 to chrono (#1083)

-------------------------------------------------------------------
Wed Nov 03 00:32:55 UTC 2021 - wbrown@suse.de

- Update to version 20211103:
  * Bump `rustsec-admin` to v0.5.3 (#1091)
  * Add cvss information from nvd (#1085)
  * Add missing method to time vulnerability (#1086)
  * Add CVE alias for RUSTSEC-2021-0069 (#1087)
  * Assigned RUSTSEC-2021-0121 to crypto2 (#1084)
  * Unsound implementation of Chacha20 in crypto2 (#1072)
  * Assigned RUSTSEC-2020-0159 to chrono (#1083)
  * Add `chrono` advisory for chrono#499 (localtime_r) (#1082)
  * Update vec-const advisory (#1081)
  * Assigned RUSTSEC-2021-0120 to abomonation (#1080)

-------------------------------------------------------------------
Sun Oct 24 23:45:27 UTC 2021 - wbrown@suse.de

- Update to version 20211025:
  * Bump `rustsec-admin` to v0.5.3 (#1091)
  * Add cvss information from nvd (#1085)
  * Add missing method to time vulnerability (#1086)
  * Add CVE alias for RUSTSEC-2021-0069 (#1087)
  * Assigned RUSTSEC-2021-0121 to crypto2 (#1084)
  * Unsound implementation of Chacha20 in crypto2 (#1072)
  * Assigned RUSTSEC-2020-0159 to chrono (#1083)
  * Add `chrono` advisory for chrono#499 (localtime_r) (#1082)
  * Update vec-const advisory (#1081)
  * Assigned RUSTSEC-2021-0120 to abomonation (#1080)

-------------------------------------------------------------------
Tue Oct 19 01:15:12 UTC 2021 - wbrown@suse.de

- Update to version 20211019:
  * Assigned RUSTSEC-2021-0121 to crypto2 (#1084)
  * Unsound implementation of Chacha20 in crypto2 (#1072)
  * Assigned RUSTSEC-2020-0159 to chrono (#1083)
  * Add `chrono` advisory for chrono#499 (localtime_r) (#1082)
  * Update vec-const advisory (#1081)
  * Assigned RUSTSEC-2021-0120 to abomonation (#1080)
  * Report abomonation as unsound (#1079)
  * Update RUSTEC-2020-0071 (#1078)
  * add missing cve info to advisories (#1077)
  * Add CVE information to RUSTSEC-2020-0142 (#1076)

-------------------------------------------------------------------
Mon Oct 04 21:21:06 UTC 2021 - wbrown@suse.de

- Update to version 20211005:
  * add CVE information to RUSTSEC-2021-0080 (#1068)
  * Add CVE information (#1067)
  * Assigned RUSTSEC-2021-0119 to nix (#1066)
  * nix::unistd::getgrouplist buffer overflow (#1060)
  * Assigned RUSTSEC-2021-0118 to arrow (#1064)
  * Yet another arrow advisory (#1059)
  * Assigned RUSTSEC-2021-0117 to arrow (#1063)
  * arrow DecimalArray advisory (#1058)
  * Assigned RUSTSEC-2021-0116 to arrow (#1062)
  * arrow BinaryArray advisory (#1057)

-------------------------------------------------------------------
Mon Aug 02 02:47:18 UTC 2021 - wbrown@suse.de

- Update to version 20210802:
  * Assigned RUSTSEC-2021-0077 to better-macro (#969)
  * better-macro has deliberate RCE in proc-macro (#966)
  * Assigned RUSTSEC-2021-0076 to libsecp256k1 (#964)
  * Add advisory for libsecp256k1 (#963)
  * Assigned RUSTSEC-2021-0075 to ark-r1cs-std (#962)
  * `ark_r1cs_std::mul_by_inverse` generated unsound constraints in versions below `0.3.1` (#961)
  * Revert "Hotfix #957 until we figure out what to do with it (#958)" (#960)
  * Assigned RUSTSEC-2021-0074 to ammonia (#959)
  * Add rust-ammonia/ammonia#142 (#956)
  * Hotfix #957 until we figure out what to do with it (#958)

-------------------------------------------------------------------
Wed Jul 21 04:16:56 UTC 2021 - wbrown@suse.de

- Update to version 20210721:
  * Assigned RUSTSEC-2021-0076 to libsecp256k1 (#964)
  * Add advisory for libsecp256k1 (#963)
  * Assigned RUSTSEC-2021-0075 to ark-r1cs-std (#962)
  * `ark_r1cs_std::mul_by_inverse` generated unsound constraints in versions below `0.3.1` (#961)
  * Revert "Hotfix #957 until we figure out what to do with it (#958)" (#960)
  * Assigned RUSTSEC-2021-0074 to ammonia (#959)
  * Add rust-ammonia/ammonia#142 (#956)
  * Hotfix #957 until we figure out what to do with it (#958)
  * Assigned RUSTSEC-2021-0073 to prost-types (#955)
  * prost-types: Timestamp conversion overflow (#954)

-------------------------------------------------------------------
Fri Jul 02 01:00:10 UTC 2021 - wbrown@suse.de

- Update to version 20210702:
  * Fix RUSTSEC-2021-0048 which doesn't declare an operand (#945)
  * Add `withdrawn` field (#942)
  * Bump `rustsec-admin` to v0.5.0 (#944)
  * Add patched version for flatbuffers RUSTSEC-2020-0009 (#943)
  * Update RUSTSEC-2021-0049.md (#941)
  * Assigned RUSTSEC-2021-0071 to grep-cli (#940)
  * crates/grep-cli: add advisory for arbitrary binary execution on Windows (#939)
  * Add GHSA mentions to `aliases` field. This is becoming more important with OSV enabling interop between databases (#937)
  * Update RUSTSEC-2020-0043.md (#934)
  * Assigned RUSTSEC-2021-0070 to nalgebra (#932)

-------------------------------------------------------------------
Sat Jun 19 06:27:26 UTC 2021 - wbrown@suse.de

- Update to version 20210619:
  * Update RUSTSEC-2021-0049.md (#941)
  * Assigned RUSTSEC-2021-0071 to grep-cli (#940)
  * crates/grep-cli: add advisory for arbitrary binary execution on Windows (#939)
  * Add GHSA mentions to `aliases` field. This is becoming more important with OSV enabling interop between databases (#937)
  * Update RUSTSEC-2020-0043.md (#934)
  * Assigned RUSTSEC-2021-0070 to nalgebra (#932)
  * Add advisory for nalgebra VecStorage/MatrixVec (#931)
  * Remove range overlaps, fix some range specifications (#930)
  * Make ranges in trust-dns-proto advisory non-overlapping (#929)
  * Assigned RUSTSEC-2021-0069 to lettre (#925)

-------------------------------------------------------------------
Tue Jun 01 01:28:10 UTC 2021 - wbrown@suse.de

- Update to version 20210601:
  * Assigned RUSTSEC-2021-0069 to lettre (#925)
  * Add lettre smtp vulnerability (#924)
  * Assigned RUSTSEC-2021-0068 to iced-x86 (#923)
  * iced-x86: fix lint (#922)
  * Add advisory for iced-x86 soundness bug (#914)
  * Assigned RUSTSEC-2021-0067 to cranelift-codegen (#921)
  * fixes #915 - remove duplicate word (#916)
  * Add RUSTSEC notice for CVE-2021-32629, a Cranelift miscompilation bug. (#918)
  * Bump rustsec-admin to v0.4.3 (#919)
  * evm-core: fix crate name (#911)

-------------------------------------------------------------------
Fri May 07 03:16:33 UTC 2021 - wbrown@suse.de

- Update to version 20210507:
  * Assigned RUSTSEC-2021-0064 to cpuid-bool (#905)
  * Add unmaintained crate advisory for `cpuid-bool` (#904)
  * Assigned RUSTSEC-2021-0063 to comrak (#903)
  * Add advisory for another comrak XSS (#902)
  * aes* crates: add crate names to advisory titles (#901)
  * Assigned RUSTSEC-2021-0062 to miscreant (#900)
  * Add unmaintained crate advisory for `miscreant` (#899)
  * Assigned RUSTSEC-2021-0061 to aes-ctr (#898)
  * Add unmaintained crate advisory for `aes-ctr` (#897)
  * Assigned RUSTSEC-2021-0060 to aes-soft (#896)

-------------------------------------------------------------------
Wed Apr 28 00:52:16 UTC 2021 - wbrown@suse.de

- Update to version 20210428:
  * Yank advisories for once-again maintained `dirs`/`directories` crates (#876)
  * Mark patched tiny-http version for 2020-0031 (#875)
  * Assigned RUSTSEC-2021-0053 to algorithmica (#874)
  * Report 0163-algorithmica to RustSec
  * Add std CVE (#869)
  * Update CVE numbers (#870)
  * Update advisory to indicate patched versions of stackvector.
  * Added patch to "fix" vulnerability. (#866)
  * Assigned RUSTSEC-2021-0051 to outer_cgi, RUSTSEC-2021-0052 to id-map
  * Add advisory for double-free issues in id-map

-------------------------------------------------------------------
Tue Apr 20 00:45:30 UTC 2021 - wbrown@suse.de

- Update to version 20210420:
  * Yank advisories for once-again maintained `dirs`/`directories` crates (#876)
  * Mark patched tiny-http version for 2020-0031 (#875)
  * Assigned RUSTSEC-2021-0053 to algorithmica (#874)
  * Report 0163-algorithmica to RustSec
  * Add std CVE (#869)
  * Update CVE numbers (#870)
  * Update advisory to indicate patched versions of stackvector.
  * Added patch to "fix" vulnerability. (#866)
  * Assigned RUSTSEC-2021-0051 to outer_cgi, RUSTSEC-2021-0052 to id-map
  * Add advisory for double-free issues in id-map

-------------------------------------------------------------------
Wed Mar 31 23:17:44 UTC 2021 - wbrown@suse.de

- Update to version 20210401:
  * Assigned RUSTSEC-2021-0050 to reorder
  * Add advisory for out-of-bounds write and uninitialized memory exposure in reorder
  * max7301: Mark RUSTSEC-2020-0152 as patched. (#859)
  * Assigned RUSTSEC-2020-0152 to max7301
  * Add advisory for data race in max7301
  * Assigned RUSTSEC-2020-0151 to generator
  * Add advisory for data race in generator (#855)
  * Assigned RUSTSEC-2020-0150 to disrustor

-------------------------------------------------------------------
Wed Mar 17 00:54:18 UTC 2021 - wbrown@suse.de

- Update to version 20210317:
  * Have master-to-main mirror force push (#822)
  * Fix `main` -> `master` mirroring (#821)
  * Rename `master` branch to `main` (#820)
  * Mirror 'main' branch to 'master' (#819)
  * README.md: fix "Report Vulnerability" button (#818)
  * Assigned RUSTSEC-2021-0040 to arenavec
  * Assigned RUSTSEC-2021-0039 to endian_trait
  * arenavec: update advisory title to clarify issue
  * Report 0109-arenavec to RustSec

-------------------------------------------------------------------
Tue Mar 02 23:56:22 UTC 2021 - wbrown@suse.de

- Update to version 20210223:
  * Assigned RUSTSEC-2021-0032 to byte_struct
  * Assigned RUSTSEC-2021-0031 to nano_arena
  * Add advisory for aliasing violation in nano_arena
  * Add advisory for uninitialized memory drop in byte_struct
  * Assigned RUSTSEC-2021-0030 to scratchpad
  * Add advisory for double-free in scratchpad
  * Revert "Mark RUSTSEC-2020-0146 as unsound (#788)"
  * Mark RUSTSEC-2020-0146 as unsound (#788)
  * Heapless soundness fix since 0.6.1 (#791)
  * Update RUSTSEC-2020-0146.md with list of patched versions (#789)
  * Assigned RUSTSEC-2021-0029 to truetype
  * Report uninitialized memory exposure in truetype
  * Assigned RUSTSEC-2021-0028 to toodee
  * Add advisory for memory safety issue in toodee's insert_row
  * Assigned RUSTSEC-2021-0027 to bam
  * Add advisory for out-of-bounds write in bam
  * Assigned RUSTSEC-2020-0146 to generic-array
  * Add an advisory on lifetime extension in generic-array
  * Assigned RUSTSEC-2020-0145 to heapless
  * heapless: fix year: 2020, not 2010
  * heapless: use-after-free when cloning partially consumed Iterator
  * Update CVE numbers (#777)

-------------------------------------------------------------------
Tue Feb 23 04:40:05 UTC 2021 - William Brown <william.brown@suse.com>

- Initial commit of 20210223