Overview

File _patchinfo of Package patchinfo.42662

<patchinfo incident="42662">
  <issue tracker="bnc" id="1257906">VUL-0: CVE-2026-25727: cargo-auditable: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion</issue>
  <issue tracker="cve" id="2026-25727"/>
  <packager>firstyear</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for cargo-auditable</summary>
  <description>This update for cargo-auditable fixes the following issues:

Update to version 0.7.2~0.

Security issues fixed:

- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
  (bsc#1257906).

Other updates and bugfixes:

- Update to version 0.7.2~0:

  * mention cargo-dist in README
  * commit Cargo.lock
  * bump which dev-dependency to 8.0.0
  * bump object to 0.37
  * Upgrade cargo_metadata to 0.23
  * Expand the set of dist platforms in config

- Update to version 0.7.1~0:

  * Out out of unhelpful clippy lint
  * Satisfy clippy
  * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
  * Run apt-get update before trying to install packages
  * run `cargo dist init` on dist 0.30
  * Drop allow-dirty from dist config, should no longer be needed
  * Reorder paragraphs in README
  * Note the maintenance transition for the go extraction library
  * Editing pass on the adopters: scanners
  * clarify Docker support
  * Cargo clippy fix
  * Add Wolfi OS and Chainguard to adopters
  * Update mentions around Anchore tooling
  * README and documentation updates for nightly
  * Bump dependency version in rust-audit-info
  * More work on docs
  * Nicer formatting on format revision documentation
  * Bump versions
  * regenerate JSON schema
  * cargo fmt
  * Document format field
  * Make it more clear that RawVersionInfo is private
  * Add format field to the serialized data
  * cargo clippy fix
  * Add special handling for proc macros to treat them as the build dependencies they are
  * Add a test to ensure proc macros are reported as build dependencies
  * Add a test fixture for a crate with a proc macro dependency
  * parse fully qualified package ID specs from SBOMs
  * select first discovered SBOM file
  * cargo sbom integration
  * Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
  * Don't fail plan workflow due to manually changed release.yml
  * Bump Ubuntu version to hopefully fix release.yml workflow
  * Add test for stripped binary
  * Bump version to 0.6.7
  * Populate changelog
  * README.md: add auditable2cdx, more consistency in text
  * Placate clippy
  * Do not emit -Wl if a bare linker is in use
  * Get rid of a compiler warning
  * Add bare linker detection function
  * drop boilerplate from test that's no longer relevant
  * Add support for recovering rustc codegen options
  * More lenient parsing of rustc arguments
  * More descriptive error message in case rustc is killed abruptly
  * change formatting to fit rustfmt
  * More descriptive error message in case cargo is killed
  * Update REPLACING_CARGO.md to fix #195
  * Clarify osv-scanner support in README
  * Include the command required to view metadata
  * Mention wasm-tools support
  * Switch from broken generic cache action to a Rust-specific one
  * Fill in various fields in auditable2cdx Cargo.toml
  * Include osv-scanner in the list, with a caveat
  * Add link to blint repo to README
  * Mention that blint supports our data
  * Consolidate target definitions
  * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
  * Migrate to a maintained toolchain action
  * Fix author specification
  * Add link to repository to resolverver Cargo.toml
  * Bump resolverver to 0.1.0
  * Add resolverver crate to the tree

- Update to version 0.6.6~0:

  * Note the `object` upgrade in the changelog
  * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
  * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
  * Update dependencies in the lock file
  * Populate changelog
  * apply clippy lint
  * add another --emit parsing test
  * shorter code with cargo fmt
  * Actually fix cargo-c compatibility
  * Attempt to fix cargo-capi incompatibility
  * Refactoring in preparation for fixes
  * Also read the --emit flag to rustc
  * Fill in changelogs
  * Bump versions
  * Drop cfg'd out tests
  * Drop obsolete doc line
  * Move dependency cycle tests from auditable-serde to cargo-auditable crate
  * Remove cargo_metadata from auditable-serde API surface.
  * Apply clippy lint
  * Upgrade miniz_oxide to 0.8.0
  * Insulate our semver from miniz_oxide semver
  * Add support for Rust 2024 edition
  * Update tests
  * More robust OS detection for riscv feature detection
  * bump version
  * update changelog for auditable-extract 0.3.5
  * Fix wasm component auditable data extraction
  * Update blocker description in README.md
  * Add openSUSE to adopters
  * Update list of know adopters
  * Fix detection of `riscv64-linux-android` target features
  * Silence noisy lint
  * Bump version requirement in rust-audit-info
  * Fill in changelogs
  * Bump semver of auditable-info
  * Drop obsolete comment now that wasm is enabled by default
  * Remove dependency on cargo-lock
  * Brag about adoption in the README
  * Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
  * Also build musl binaries
  * dist: update dist config for future releases
  * dist(cargo-auditable): ignore auditable2cdx for now
  * chore: add cargo-dist
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places