Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-02-15 23:57:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue Feb 15 23:57:16 2022 rev:19 rq:954420 version:20220215
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-01-06 15:50:50.252956571 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1956/cargo-audit-advisory-db.changes
2022-02-15 23:57:35.604264393 +0100
@@ -1,0 +2,15 @@
+Tue Feb 15 00:57:25 UTC 2022 - [email protected]
+
+- Update to version 20220215:
+ * Suggest maintained alternatives for Rental advisory (#1187)
+ * Update RUSTSEC-2022-0009.md (#1186)
+ * Assigned RUSTSEC-2020-0162 to tokio-proto (#1185)
+ * Mark tokio-proto as deprecated (#1184)
+ * Assigned RUSTSEC-2022-0009 to libp2p-core (#1183)
+ * Add entry for libp2p-core vulnerability (#1182)
+ * Add patched version to DashMap advisory (#1181)
+ * Assigned RUSTSEC-2022-0008 to windows (#1178)
+ * Add advisory for windows (#1177)
+ * Assigned RUSTSEC-2022-0007 to qcell (#1172)
+
+-------------------------------------------------------------------
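Review bot: the generated changelog only lists the upstream commit subjects #1172 through #1187, so it says nothing about most of the advisories this snapshot actually introduces: the new RUSTSEC-2022-0001 through RUSTSEC-2022-0006 files, RUSTSEC-2021-0135 and CVE-2022-21658 that appear further down in the tarball diff, plus the rust-crypto and rental edits. Since `changesgenerate` reproduces commit subjects rather than file changes, a one-line addition under `- Update to version 20220215:` noting that the snapshot also picks up the January 2022 advisories (including the std `remove_dir_all` CVE) would let packagers who grep the changelog for an advisory ID find this update.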
Old:
----
advisory-db-20220105.tar.xz
New:
----
advisory-db-20220215.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.5T7p4E/_old 2022-02-15 23:57:36.076265696 +0100
+++ /var/tmp/diff_new_pack.5T7p4E/_new 2022-02-15 23:57:36.080265707 +0100
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20220105
+Version: 20220215
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
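Review bot: the `Summary:` context line carries a typo, `depedencies` for `dependencies`. It is untouched by this version bump, but since the spec is being edited anyway the line could be corrected to `Summary: A database of known security issues for Rust dependencies` in the same submit request.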
++++++ _service ++++++
--- /var/tmp/diff_new_pack.5T7p4E/_old 2022-02-15 23:57:36.116265807 +0100
+++ /var/tmp/diff_new_pack.5T7p4E/_new 2022-02-15 23:57:36.120265818 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20220105</param>
+ <param name="version">20220215</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
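Review bot: `<param name="revision">master</param>` pins a branch, not a commit, so the contents of `advisory-db-20220215.tar.xz` are whatever `master` held when the service was run; with `mode="disabled"` the checked-in tarball is the only record of that state. For an artifact that drives security decisions in `cargo audit`, pinning the upstream commit hash that corresponds to the 20220215 snapshot (in the `revision` parameter or in the changelog entry) would make the tarball regenerable and verifiable rather than trust-on-first-use.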
++++++ advisory-db-20220105.tar.xz -> advisory-db-20220215.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220105/.duplicate-id-guard
new/advisory-db-20220215/.duplicate-id-guard
--- old/advisory-db-20220105/.duplicate-id-guard 2021-12-27
20:44:42.000000000 +0100
+++ new/advisory-db-20220215/.duplicate-id-guard 2022-02-09
15:34:03.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-1c73b234ccce2c42ef5a2422c20f09804ff06fd326ac338bf1429a31fd5bf4cc -
+5518448e55d2a585c2a6276dba5d12fb0afe464d10790643ed57c0a18c53a126 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220105/README.md
new/advisory-db-20220215/README.md
--- old/advisory-db-20220105/README.md 2021-12-27 20:44:42.000000000 +0100
+++ new/advisory-db-20220215/README.md 2022-02-09 15:34:03.000000000 +0100
@@ -1,7 +1,7 @@
# RustSec Advisory Database
[![Build Status][build-image]][build-link]
-![Maintained: Q2 2021][maintained-image]
+![Maintained: Q1 2022][maintained-image]
[![Project Chat][chat-image]][chat-link]
The RustSec Advisory Database is a repository of security advisories filed
@@ -115,7 +115,7 @@
[build-image]:
https://github.com/rustsec/advisory-db/workflows/Validate/badge.svg
[build-link]: https://github.com/rustsec/advisory-db/actions
-[maintained-image]: https://img.shields.io/maintenance/yes/2021.svg
+[maintained-image]: https://img.shields.io/maintenance/yes/2022.svg
[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
[chat-link]:
https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/ammonia/RUSTSEC-2022-0003.md
new/advisory-db-20220215/crates/ammonia/RUSTSEC-2022-0003.md
--- old/advisory-db-20220105/crates/ammonia/RUSTSEC-2022-0003.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/ammonia/RUSTSEC-2022-0003.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0003"
+package = "ammonia"
+date = "2022-01-19"
+url = "https://github.com/rust-ammonia/ammonia/pull/147"
+categories = ["format-injection"]
+keywords = ["html", "xss"]
+
+[affected]
+functions = { "ammonia::clean_text" = ["<= 3.1.2"] }
+
+[versions]
+patched = [">= 3.1.3"]
+unaffected = ["< 3.0.0"]
+```
+
+# Space bug in `clean_text`
+
+An incorrect mapping from HTML specification to ASCII codes was used.
+Because HTML treats the Form Feed as whitespace, code like this has an
injection bug:
+
+ let html = format!("<div title={}>", clean_text(user_supplied_string));
+
+Applications are not affected if they quote their attributes, or if they don't
use `clean_text` at all.
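Review bot: the vulnerable usage example in this advisory (`let html = format!("<div title={}>", clean_text(user_supplied_string));`) is set off by four-space indentation while every other advisory in this snapshot uses a fenced ```rust block; rendering is the same, but a fence keeps the file consistent with the array-macro and rustc-serialize advisories. The ranges are coherent: `functions = { "ammonia::clean_text" = ["<= 3.1.2"] }` lines up with `patched = [">= 3.1.3"]`, and the stated mitigation (quoting attribute values) is the one a downstream reader needs if they cannot upgrade immediately.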
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/array-macro/RUSTSEC-2020-0161.md
new/advisory-db-20220215/crates/array-macro/RUSTSEC-2020-0161.md
--- old/advisory-db-20220105/crates/array-macro/RUSTSEC-2020-0161.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/array-macro/RUSTSEC-2020-0161.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,38 @@
+```toml
+[advisory]
+id = "RUSTSEC-2020-0161"
+package = "array-macro"
+date = "2020-05-07"
+url =
"https://gitlab.com/KonradBorowski/array-macro/-/commit/01940637dd8f3bfeeee3faf9639fa9ae52f19f4d"
+categories = ["memory-corruption"]
+informational = "unsound"
+
+[versions]
+patched = [">= 1.0.5"]
+unaffected = ["< 0.1.2"]
+```
+
+# `array!` macro is unsound in presence of traits that implement methods it
calls internally
+
+Affected versions of this crate called some methods using auto-ref. The
affected code looked like this.
+
+```rust
+let mut arr = $crate::__core::mem::MaybeUninit::uninit();
+let mut vec = $crate::__ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);
+```
+
+In this case, the problem is that `as_mut_ptr` is a method of `&mut
MaybeUninit`, not `MaybeUninit`. This made it possible for traits to hijack the
method calls in order to cause unsoundness.
+
+```rust
+trait AsMutPtr<T> {
+ fn as_mut_ptr(&self) -> *mut T;
+}
+impl<T> AsMutPtr<T> for std::mem::MaybeUninit<T> {
+ fn as_mut_ptr(&self) -> *mut T {
+ std::ptr::null_mut()
+ }
+}
+array![0; 1];
+```
+
+The flaw was corrected by explicitly referencing variables in macro body in
order to avoid auto-ref.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/dashmap/RUSTSEC-2022-0002.md
new/advisory-db-20220215/crates/dashmap/RUSTSEC-2022-0002.md
--- old/advisory-db-20220105/crates/dashmap/RUSTSEC-2022-0002.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/dashmap/RUSTSEC-2022-0002.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0002"
+package = "dashmap"
+date = "2022-01-10"
+url = "https://github.com/xacrimon/dashmap/issues/167"
+categories = ["memory-exposure", "memory-corruption"]
+keywords = ["segfault", "use-after-free"]
+
+[affected.functions]
+"dashmap::mapref::multiple::RefMulti::key" = [">= 5.0.0"]
+"dashmap::mapref::multiple::RefMulti::value" = [">= 5.0.0"]
+"dashmap::mapref::multiple::RefMulti::pair" = [">= 5.0.0"]
+"dashmap::mapref::multiple::RefMutMulti::key" = [">= 5.0.0"]
+"dashmap::mapref::multiple::RefMutMulti::pair" = [">= 5.0.0"]
+"dashmap::mapref::multiple::RefMutMulti::pair_mut" = [">= 5.0.0"]
+"dashmap::mapref::one::Ref::key" = [">= 5.0.0"]
+"dashmap::mapref::one::Ref::value" = [">= 5.0.0"]
+"dashmap::mapref::one::Ref::pair" = [">= 5.0.0"]
+"dashmap::mapref::one::RefMut::key" = [">= 5.0.0"]
+"dashmap::mapref::one::RefMut::pair" = [">= 5.0.0"]
+"dashmap::mapref::one::RefMut::pair_mut" = [">= 5.0.0"]
+"dashmap::setref::multiple::RefMulti::key" = [">= 5.0.0"]
+"dashmap::setref::one::Ref::key" = [">= 5.0.0"]
+
+[versions]
+patched = [">= 5.1.0"]
+unaffected = ["< 5.0.0"]
+```
+
+# Unsoundness in `dashmap` references
+
+Reference returned by some methods of `Ref` (and similar types) may outlive
the `Ref` and escape the lock.
+This causes undefined behavior and may result in a segfault.
+
+More information in
[`dashmap#167`](https://github.com/xacrimon/dashmap/issues/167) issue.
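Review bot: the `[affected.functions]` table lists `key`, `value` and `pair` for `RefMulti` and `Ref`, but for `RefMutMulti` and `RefMut` only `key`, `pair` and `pair_mut`, with no `value` or `value_mut` entries; if those accessors exist on the mutable guards and share the same lifetime escape the list is incomplete, and if they do not, a one-line remark in the advisory would save the next reader the same question. The version pair `patched = [">= 5.1.0"]` / `unaffected = ["< 5.0.0"]` is what drives the `cargo audit` match and is consistent with the changelog entry `Add patched version to DashMap advisory (#1181)`.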
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/ftd2xx-embedded-hal/RUSTSEC-2022-0005.md
new/advisory-db-20220215/crates/ftd2xx-embedded-hal/RUSTSEC-2022-0005.md
--- old/advisory-db-20220105/crates/ftd2xx-embedded-hal/RUSTSEC-2022-0005.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/ftd2xx-embedded-hal/RUSTSEC-2022-0005.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0005"
+package = "ftd2xx-embedded-hal"
+date = "2022-01-22"
+informational = "unmaintained"
+url = "https://github.com/newAM/ftd2xx-embedded-hal/pull/40"
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# crate has been renamed to `ftdi-embedded-hal`
+
+This crate has been renamed from `ftd2xx-embedded-hal` to `ftdi-embedded-hal`.
+
+The new repository location is:
+
+<https://github.com/ftdi-rs/ftdi-embedded-hal>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/libp2p-core/RUSTSEC-2022-0009.md
new/advisory-db-20220215/crates/libp2p-core/RUSTSEC-2022-0009.md
--- old/advisory-db-20220105/crates/libp2p-core/RUSTSEC-2022-0009.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/libp2p-core/RUSTSEC-2022-0009.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0009"
+package = "libp2p-core"
+date = "2022-02-07"
+categories = ["crypto-failure"]
+
+[affected]
+functions = { "libp2p_core::PeerRecord::from_signed_envelope" = [">=
0.30.0-rc.1"] }
+
+[versions]
+unaffected = ["< 0.30.0-rc.1"]
+patched = ["^ 0.30.2", ">= 0.31.1"]
+```
+
+# Failure to verify the public key of a `SignedEnvelope` against the `PeerId`
in a `PeerRecord`
+
+Affected versions of this crate did not check that the public key the
signature was created with matches the peer ID of the peer record.
+Any combination was considered valid.
+
+This allows an attacker to republish an existing `PeerRecord` with a different
`PeerId`.
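Review bot: this advisory has no `url` key, unlike every other entry in the snapshot, so a reader has no pointer to the upstream fix or issue for the `from_signed_envelope` check. Separately, `patched = ["^ 0.30.2", ">= 0.31.1"]` is the only caret requirement in the file set and is written with a space after the operator; read as `^0.30.2` (0.30.2 ≤ v < 0.31.0) it combines with `>= 0.31.1` to leave 0.31.0 correctly flagged, but it is worth confirming that the semver parser `cargo audit` uses accepts the spaced form. The `>= 0.30.0-rc.1` function range wrapped across two lines is a mail-formatting artifact, not a change to the file.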
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/lmdb/RUSTSEC-2022-0001.md
new/advisory-db-20220215/crates/lmdb/RUSTSEC-2022-0001.md
--- old/advisory-db-20220105/crates/lmdb/RUSTSEC-2022-0001.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/lmdb/RUSTSEC-2022-0001.md 2022-02-09
15:34:03.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0001"
+package = "lmdb"
+date = "2022-01-05"
+url = "https://github.com/danburkert/lmdb-rs"
+informational = "unmaintained"
+[versions]
+patched = []
+```
+
+# lmdb is unmaintained, use lmdb-rkv instead
+
+The lmdb crate hasn't had any updates since August 2018.
+
+Mozilla's [lmdb-rkv](https://github.com/mozilla/lmdb-rs) fork of the crate has
received additional maintenance work beyond that and is the best available
replacement.
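Review bot: the `url` in this advisory points at the crate's repository root rather than at a commit, issue or announcement documenting the unmaintained status, so the "no updates since August 2018" claim can only be checked against the repository history. The front matter also omits the blank line before `[versions]` that the other advisories keep and has no `unaffected` key; both are accepted, but the missing link is the one that matters to someone deciding whether to move to `lmdb-rkv`.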
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/qcell/RUSTSEC-2022-0007.md
new/advisory-db-20220215/crates/qcell/RUSTSEC-2022-0007.md
--- old/advisory-db-20220105/crates/qcell/RUSTSEC-2022-0007.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/qcell/RUSTSEC-2022-0007.md 2022-02-09
15:34:03.000000000 +0100
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0007"
+package = "qcell"
+date = "2022-01-24"
+url = "https://github.com/uazu/qcell/issues/20"
+informational = "unsound"
+keywords = ["unsound"]
+
+[versions]
+patched = [">= 0.4.3"]
+
+```
+
+# A malicious coder can get unsound access to TCell or TLCell memory
+
+This is impossible to do by accident, but by carefully constructing
+marker types to be covariant, a malicious coder can cheat the
+singleton check in `TCellOwner` and `TLCellOwner`, giving unsound
+access to cell memory. This could take the form of getting two
+mutable references to the same memory, or a mutable reference and an
+immutable reference.
+
+The fix is for the crate to internally force the marker type to be
+invariant. This blocks the conversion between covariant types which
+Rust normally allows.
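Review bot: there is a stray blank line inside the TOML fence before the closing ```, and `keywords = ["unsound"]` merely repeats `informational = "unsound"`; neither breaks parsing. More useful would be an `[affected]` entry naming `TCellOwner` and `TLCellOwner`, which the prose identifies as the types whose singleton check is bypassed, and an `unaffected` lower bound if the covariant marker was introduced in a specific release rather than present since the crate's first version.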
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md
new/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md
--- old/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md 2021-12-27
20:44:42.000000000 +0100
+++ new/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md 2022-02-09
15:34:03.000000000 +0100
@@ -13,3 +13,10 @@
# rental is unmaintained, author has moved on
The author encourages users to explore other solutions, or maintain a fork.
+
+Maintained alternatives include:
+
+* [`ouroboros`](https://crates.io/crates/ouroboros)
+* [`recursive_reference`](https://crates.io/crates/recursive_reference)
+* [`fortify`](https://crates.io/crates/fortify)
+* [`escher`](https://crates.io/crates/escher)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/rust-crypto/RUSTSEC-2016-0005.md
new/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2016-0005.md
--- old/advisory-db-20220105/crates/rust-crypto/RUSTSEC-2016-0005.md
2021-12-27 20:44:42.000000000 +0100
+++ new/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2016-0005.md
2022-02-09 15:34:03.000000000 +0100
@@ -46,15 +46,6 @@
- [`secp256k1`]:
- Key agreement: ECDH (secp256k1 only)
- Signature algorithms: ECDSA (secp256k1 only)
-- [`sodiumoxide`]:
- - AEAD algorithms: ChaCha20Poly1305 (IETF version)
- - Digest algorithms: SHA-256, SHA-512
- - HMAC
- - Key agreement: X25519 + BLAKE2b
- - Password hashing: Argon2(i/d), scrypt
- - Public key encryption: NaCl "Box" (X25519 + XSalsa20Poly1305)
- - Signature algorithms: Ed25519
- - Short-input PRF: SipHash24
- [`orion`]:
- AEAD algorithms: ChaCha20Poly1305 (IETF version), XChaCha20Poly1305
- Digest algorithms: SHA-512, BLAKE2b
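Review bot: the removal of the `[`sodiumoxide`]` block from the list of maintained alternatives comes with no explanation in this hunk, and none of the changelog entries above mention it either. Since this advisory exists to steer users of the unmaintained `rust-crypto` crate toward a replacement, the reason `sodiumoxide` no longer qualifies (and, if the crate itself is now the subject of an advisory, a pointer to it) belongs in the advisory text or at least the commit. With this removal the visible part of the list no longer offers a password-hashing (Argon2/scrypt) or NaCl-box entry; worth checking that the entries remaining in the rest of the file still cover those use cases.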
@@ -90,7 +81,6 @@
[`sha-1`]: https://crates.io/crates/sha-1
[`sha2`]: https://crates.io/crates/sha2
[`sha3`]: https://crates.io/crates/sha3
-[`sodiumoxide`]: https://crates.io/crates/sodiumoxide
[`x25519-dalek`]: https://crates.io/crates/x25519-dalek
[`xsalsa20poly1305`]: https://crates.io/crates/xsalsa20poly1305
[`orion`]: https://crates.io/crates/orion
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/rustc-serialize/RUSTSEC-2022-0004.md
new/advisory-db-20220215/crates/rustc-serialize/RUSTSEC-2022-0004.md
--- old/advisory-db-20220105/crates/rustc-serialize/RUSTSEC-2022-0004.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/rustc-serialize/RUSTSEC-2022-0004.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0004"
+package = "rustc-serialize"
+date = "2022-01-01"
+categories = ["denial-of-service"]
+keywords = ["stack overflow"]
+
+[versions]
+patched = []
+
+[affected]
+functions = { "rustc_serialize::json::Json::from_str" = ["*"] }
+```
+
+# Stack overflow in rustc_serialize when parsing deeply nested JSON
+
+When parsing JSON using `json::Json::from_str`, there is no limit to the depth
of the stack, therefore deeply nested objects can cause a stack overflow, which
aborts the process.
+
+Example code that triggers the vulnerability is
+
+```rust
+fn main() {
+ let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
+}
+```
+
+[serde](https://crates.io/crates/serde) is recommended as a replacement to
rustc_serialize.
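Review bot: with `patched = []` and `functions = { "rustc_serialize::json::Json::from_str" = ["*"] }`, every release is affected and there is no version to upgrade to, so `cargo audit` will keep reporting this on any dependency tree that still pulls `rustc-serialize`; downstream packagers should treat the warning as permanent and plan the serde migration the advisory recommends rather than wait for a fixed release. The `[versions]` table preceding `[affected]` is the reverse of the other advisories' ordering, cosmetic only.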
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/thread_local/RUSTSEC-2022-0006.md
new/advisory-db-20220215/crates/thread_local/RUSTSEC-2022-0006.md
--- old/advisory-db-20220105/crates/thread_local/RUSTSEC-2022-0006.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/thread_local/RUSTSEC-2022-0006.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0006"
+package = "thread_local"
+categories = ["memory-corruption"]
+date = "2022-01-23"
+url = "https://github.com/Amanieu/thread_local-rs/issues/33"
+
+[versions]
+patched = [">= 1.1.4"]
+```
+
+# Data race in `Iter` and `IterMut`
+
+In the affected version of this crate, `{Iter, IterMut}::next` used a weaker
memory ordering when loading values than what was required, exposing a
potential data race
+when iterating over a `ThreadLocal`'s values.
+
+Crates using `Iter::next`, or `IterMut::next` are affected by this issue.
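Review bot: the prose names `Iter::next` and `IterMut::next` as the affected functions, yet the front matter carries no `[affected]` table, unlike the ammonia, dashmap and rustc-serialize advisories in this same snapshot; recording them as `[affected.functions]` entries would let the database capture the scope the text already states. There is also no `unaffected` lower bound, so every release below 1.1.4 is treated as affected, which is correct only if the weakened ordering is as old as the iterators themselves.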
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/tokio/RUSTSEC-2021-0124.md
new/advisory-db-20220215/crates/tokio/RUSTSEC-2021-0124.md
--- old/advisory-db-20220105/crates/tokio/RUSTSEC-2021-0124.md 2021-12-27
20:44:42.000000000 +0100
+++ new/advisory-db-20220215/crates/tokio/RUSTSEC-2021-0124.md 2022-02-09
15:34:03.000000000 +0100
@@ -2,6 +2,7 @@
[advisory]
id = "RUSTSEC-2021-0124"
package = "tokio"
+aliases = ["CVE-2021-45710"]
date = "2021-11-16"
url = "https://github.com/tokio-rs/tokio/issues/4225"
categories = ["memory-corruption", "thread-safety"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/tokio-proto/RUSTSEC-2020-0162.md
new/advisory-db-20220215/crates/tokio-proto/RUSTSEC-2020-0162.md
--- old/advisory-db-20220105/crates/tokio-proto/RUSTSEC-2020-0162.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/tokio-proto/RUSTSEC-2020-0162.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2020-0162"
+package = "tokio-proto"
+date = "2020-02-06"
+informational = "unmaintained"
+url =
"https://github.com/tokio-rs/tokio-proto/commit/56c720ea3c74efa8f39e36c24e609628222b16a1"
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `tokio-proto` is deprecated/unmaintained
+
+The [`tokio-proto`](https://crates.io/crates/tokio-proto) crate has been
deprecated, and [its GitHub
repository](https://github.com/tokio-rs/tokio-proto) has been archived.
+Users may be interested in
[`tokio-tower`](https://crates.io/crates/tokio-tower) instead, per
https://github.com/tokio-rs/tokio/issues/118#issuecomment-452969665
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/tower-http/RUSTSEC-2021-0135.md
new/advisory-db-20220215/crates/tower-http/RUSTSEC-2021-0135.md
--- old/advisory-db-20220105/crates/tower-http/RUSTSEC-2021-0135.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/tower-http/RUSTSEC-2021-0135.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0135"
+package = "tower-http"
+date = "2021-01-21"
+url = "https://github.com/tower-rs/tower-http/pull/204"
+categories = ["file-disclosure"]
+keywords = ["directory traversal", "http"]
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = [">= 0.2.1", ">= 0.1.3, < 0.2.0"]
+```
+
+# Improper validation of Windows paths could lead to directory traversal attack
+
+`tower_http::services::fs::ServeDir` didn't correctly validate Windows paths
+meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed
+and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users
+could potentially read files anywhere on the filesystem.
+
+This only impacts Windows. Linux and other unix likes are not impacted by this.
+
+See [tower-http#204] for more details.
+
+[tower-http#204]: https://github.com/tower-rs/tower-http/pull/204
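Review bot: `date = "2021-01-21"` looks like a typo for 2022-01-21: the file is new between the 20220105 and 20220215 snapshots, the other advisories added here are dated January 2022, and the patched ranges `>= 0.2.1` and `>= 0.1.3, < 0.2.0` describe a fix landing on two live release lines. Because the RUSTSEC ID year follows the `date` field on every entry in this set, a wrong date also leaves the `RUSTSEC-2021-0135` identifier misleading; worth confirming against tower-http#204 upstream before the ID is referenced elsewhere. The `os = ["windows"]` scope matches the text.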
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220105/crates/windows/RUSTSEC-2022-0008.md
new/advisory-db-20220215/crates/windows/RUSTSEC-2022-0008.md
--- old/advisory-db-20220105/crates/windows/RUSTSEC-2022-0008.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220215/crates/windows/RUSTSEC-2022-0008.md
2022-02-09 15:34:03.000000000 +0100
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0008"
+package = "windows"
+date = "2022-01-02"
+url = "https://github.com/microsoft/windows-rs/issues/1409"
+categories = ["memory-corruption", "thread-safety"]
+keywords = []
+informational = "unsound"
+
+[versions]
+patched = [">= 0.32.0"]
+unaffected = ["< 0.1.2"]
+
+[affected]
+os = ["windows"]
+```
+
+# Delegate functions are missing `Send` bound
+
+Affected versions of this crate did not require event handlers to have `Send`
bound despite there being no guarantee of them being called on any particular
thread, which can potentially lead to data races and undefined behavior.
+
+The flaw was corrected in commit
[afe3252](https://github.com/microsoft/windows-rs/commit/afe32525c22209aa8f632a0f4ad607863b51796a)
by adding `Send` bounds.
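Review bot: `unaffected = ["< 0.1.2"]` is exactly the lower bound the array-macro advisory in this snapshot uses, which is an odd coincidence for an unrelated crate; if 0.1.2 is genuinely the first `windows` release carrying the delegate types it is fine, otherwise it reads like a copied template value and should be checked. `keywords = []` is empty and could either be dropped or populated with the terms the title and text already use (`data race`, `Send`).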
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220105/rust/std/CVE-2022-21658.md
new/advisory-db-20220215/rust/std/CVE-2022-21658.md
--- old/advisory-db-20220105/rust/std/CVE-2022-21658.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220215/rust/std/CVE-2022-21658.md 2022-02-09
15:34:03.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "CVE-2022-21658"
+package = "std"
+categories = ["file-disclosure"]
+date = "2022-01-16"
+url = "https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"
+
+[affected]
+[affected.functions]
+"std::fs::remove_dir_all" = ["< 1.58.1"]
+
+[versions]
+patched = [">= 1.58.1"]
+```
+
+# Time-of-check time-of-use race condition can allow attacker to delete files
they do not have access to delete
+
+In the standard library in Rust before 1.58.1, an attacker with unprivileged
access to a system could trick a privileged program using
`std::fs::remove_dir_all` into deleting files they don't have access to delete
by creating a symlink in a directory that would be removed by a
`std::fs::remove_dir_all` call due to a Time-of-check time-of-use race
condition around this function's check for symbolic links. The function should
remove the symbolic links rather than recursively deleting the linked file or
directory.
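Review bot: `categories = ["file-disclosure"]` does not match the issue described: the text is about an attacker getting files deleted that they could not delete themselves, and the CVSS vector `C:N/I:L/A:H` likewise records no confidentiality impact; a deletion-via-TOCTOU issue belongs under an integrity or privilege category, so the choice is worth raising upstream before downstream tooling filters on it. Minor: the bare `[affected]` header immediately followed by `[affected.functions]` is redundant (the sub-table implies its parent) and differs from the inline `functions = {...}` style used in the ammonia and libp2p-core advisories.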