Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-03-24 22:58:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Thu Mar 24 22:58:09 2022 rev:21 rq:964436 version:20220323
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-03-11 21:41:26.078078361 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1900/cargo-audit-advisory-db.changes
2022-03-24 23:00:12.456378376 +0100
@@ -1,0 +2,15 @@
+Wed Mar 23 10:54:26 UTC 2022 - [email protected]
+
+- Update to version 20220323:
+ * Assigned RUSTSEC-2022-0015 to pty (#1215)
+ * Add unmaintained advisory for pty (#1213)
+ * Assigned RUSTSEC-2022-0014 to openssl-src (#1211)
+ * Add CVE-2022-0778 for openssl-src (#1210)
+ * Assigned RUSTSEC-2022-0013 to regex (#1208)
+ * add cve-2022-24713 (#1207)
+ * mark RUSTSEC-2021-0019 fixed, add references (#1206)
+ * RUSTSEC-2021-0134: Remove recursive_reference from the list of
alternatives (#1200)
+ * Assigned RUSTSEC-2022-0012 to arrow2 (#1205)
+ * Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204)
+
+-------------------------------------------------------------------
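Review bot: the changelog lists eight upstream changes (new advisories for arrow2, regex, openssl-src and pty, plus edits to RUSTSEC-2021-0019 and RUSTSEC-2021-0134), but the tarball diff further down in this mail shows only the .duplicate-id-guard update and the two new openssl-src and pty advisory files; the arrow2 and regex advisories and the edited 2021 entries are not visible here. Before accepting, confirm that crates/arrow2/RUSTSEC-2022-0012.md, crates/regex/RUSTSEC-2022-0013.md and the modified 2021 advisories are actually present in advisory-db-20220323.tar.xz, since cargo-audit will silently miss CVE-2022-24713 if they are not.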
Old:
----
advisory-db-20220311.tar.xz
New:
----
advisory-db-20220323.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.VylnXg/_old 2022-03-24 23:00:12.932378836 +0100
+++ /var/tmp/diff_new_pack.VylnXg/_new 2022-03-24 23:00:12.952378855 +0100
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20220311
+Version: 20220323
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
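Review bot: the Summary context line still reads "depedencies"; since the spec is already being touched for the version bump, fixing it to "dependencies" in this same request would be cheap and avoids the typo showing up in `zypper info` output.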
++++++ _service ++++++
--- /var/tmp/diff_new_pack.VylnXg/_old 2022-03-24 23:00:12.988378890 +0100
+++ /var/tmp/diff_new_pack.VylnXg/_new 2022-03-24 23:00:12.996378898 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20220311</param>
+ <param name="version">20220323</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
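Review bot: `<param name="version">` is bumped to 20220323 but `<param name="revision">master</param>` stays unpinned, so the obs_scm checkout is whatever upstream master pointed to at the moment the service ran, and the tarball is the only record of that state. Pinning `revision` to the upstream commit that corresponds to 20220323 would make the source fetch reproducible and let a reviewer verify the tarball contents against https://github.com/RustSec/advisory-db.git independently.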
++++++ advisory-db-20220311.tar.xz -> advisory-db-20220323.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220311/.duplicate-id-guard
new/advisory-db-20220323/.duplicate-id-guard
--- old/advisory-db-20220311/.duplicate-id-guard 2022-03-08
16:14:30.000000000 +0100
+++ new/advisory-db-20220323/.duplicate-id-guard 2022-03-22
15:52:42.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-f551fc85bdd3f40721d0af2ced95b014fb1dfca6b86634824e8ca8f7fc128cd2 -
+3ebd0dec6b0d10eb52fe3853c7b58d0f9a13d1fc5a84ff64509fda7c9dd4985e -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220311/crates/openssl-src/RUSTSEC-2022-0014.md
new/advisory-db-20220323/crates/openssl-src/RUSTSEC-2022-0014.md
--- old/advisory-db-20220311/crates/openssl-src/RUSTSEC-2022-0014.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220323/crates/openssl-src/RUSTSEC-2022-0014.md
2022-03-22 15:52:42.000000000 +0100
@@ -0,0 +1,41 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0014"
+package = "openssl-src"
+aliases = ["CVE-2022-0778"]
+categories = ["denial-of-service"]
+date = "2022-03-15"
+url = "https://www.openssl.org/news/secadv/20220315.txt"
+
+[versions]
+patched = [">= 111.18, < 300.0", ">= 300.0.5"]
+```
+
+# Infinite loop in `BN_mod_sqrt()` reachable when parsing certificates
+
+The `BN_mod_sqrt()` function, which computes a modular square root, contains
+a bug that can cause it to loop forever for non-prime moduli.
+
+Internally this function is used when parsing certificates that contain
+elliptic curve public keys in compressed form or explicit elliptic curve
+parameters with a base point encoded in compressed form.
+
+It is possible to trigger the infinite loop by crafting a certificate that
+has invalid explicit curve parameters.
+
+Since certificate parsing happens prior to verification of the certificate
+signature, any process that parses an externally supplied certificate may thus
+be subject to a denial of service attack. The infinite loop can also be
+reached when parsing crafted private keys as they can contain explicit
+elliptic curve parameters.
+
+Thus vulnerable situations include:
+
+ - TLS clients consuming server certificates
+ - TLS servers consuming client certificates
+ - Hosting providers taking certificates or private keys from customers
+ - Certificate authorities parsing certification requests from subscribers
+ - Anything else which parses ASN.1 elliptic curve parameters
+
+Also any other applications that use the `BN_mod_sqrt()` where the attacker
+can control the parameter values are vulnerable to this DoS issue.
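Review bot: stray article in the final paragraph: `applications that use the `BN_mod_sqrt()` where` should read `applications that use `BN_mod_sqrt()` where`. The metadata is otherwise consistent with the changelog (alias CVE-2022-0778, category denial-of-service, date 2022-03-15 matching the OpenSSL secadv URL); the one thing worth double-checking is that the two patched ranges `>= 111.18, < 300.0` and `>= 300.0.5` name exactly the openssl-src releases that bundle the fixed OpenSSL, because cargo-audit will report every version inside those ranges as safe.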
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220311/crates/pty/RUSTSEC-2022-0015.md
new/advisory-db-20220323/crates/pty/RUSTSEC-2022-0015.md
--- old/advisory-db-20220311/crates/pty/RUSTSEC-2022-0015.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220323/crates/pty/RUSTSEC-2022-0015.md 2022-03-22
15:52:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0015"
+package = "pty"
+date = "2022-03-22"
+informational = "unmaintained"
+url = "https://github.com/hibariya/pty-rs/issues/19"
+[versions]
+patched = []
+unaffected = []
+```
+
+# pty is unmaintained
+
+The repository hasn't received any updates since Jun 25, 2017 and the author
is unresponsive.
+
+Maintained alternatives include:
+
+* [`tokio-pty-process`](https://crates.io/crates/tokio-pty-process)
+* [`pty-process`](https://crates.io/crates/pty-process)
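Review bot: the TOML front matter has no blank line between `url = ...` and `[versions]`, unlike the openssl-src advisory added in this same tarball; the parser does not care, but the two files should follow one layout. With `informational = "unmaintained"` and both `patched = []` and `unaffected = []`, every released version of `pty` will be flagged as unmaintained, which is the intended behaviour here and means downstream users get a warning rather than a hard vulnerability failure.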