Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-11-02 12:47:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Wed Nov 2 12:47:12 2022 rev:27 rq:1032758 version:20221102
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-09-28 17:51:49.555241039 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2275/cargo-audit-advisory-db.changes
2022-11-02 12:47:59.597827453 +0100
@@ -1,0 +2,15 @@
+Tue Nov 01 22:16:48 UTC 2022 - [email protected]
+
+- Update to version 20221102:
+ * Assigned RUSTSEC-2022-0065 to openssl-src (#1455)
+ * CVE-2022-3786 in openssl (#1453)
+ * Assigned RUSTSEC-2022-0064 to openssl-src (#1454)
+ * CVE-2022-3602 in openssl (#1452)
+ * Assigned RUSTSEC-2022-0063 to linked_list_allocator (#1449)
+ * Add CVE-2022-36086 for linked_list_allocator (#1448)
+ * Assigned RUSTSEC-2022-0062 to matrix-sdk (#1445)
+ * Add advisory for logging of access tokens in matrix-sdk (#1444)
+ * Assigned RUSTSEC-2022-0061 to parity-wasm (#1443)
+ * Add unmaintained `parity-wasm` (#1441)
+
+-------------------------------------------------------------------
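Review bot: the generated changelog is incomplete relative to the tarball diff below: it names RUSTSEC-2022-0061 through RUSTSEC-2022-0065, but advisory-db-20220928 -> advisory-db-20221102 also adds RUSTSEC-2022-0057 (badge, unmaintained), RUSTSEC-2022-0058 (inconceivable, notice), RUSTSEC-2022-0059 (openssl-src, CVE-2022-3358) and RUSTSEC-2022-0060 (orbtk, unmaintained), and sets `patched` for RUSTSEC-2021-0122 (flatbuffers). With `changesgenerate` enabled in _service the entry seems to reflect only the most recent upstream commits; add the missing IDs by hand, in particular the CVE-2022-3358 entry, so the package changelog matches what the database actually ships.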
Old:
----
advisory-db-20220928.tar.xz
New:
----
advisory-db-20221102.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.yuQEYN/_old 2022-11-02 12:48:00.093829971 +0100
+++ /var/tmp/diff_new_pack.yuQEYN/_new 2022-11-02 12:48:00.097829991 +0100
@@ -17,14 +17,13 @@
Name: cargo-audit-advisory-db
-Version: 20220928
+Version: 20221102
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
URL: https://github.com/RustSec/advisory-db
Source0: advisory-db-%{version}.tar.xz
Source1: %{name}-rpmlintrc
-BuildRequires: cargo-packaging
Requires: cargo-audit
ExclusiveArch: %{rust_tier1_arches}
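Review bot: dropping `BuildRequires: cargo-packaging` while `ExclusiveArch: %{rust_tier1_arches}` stays needs a check that the macro is still defined when the spec is parsed; if `rust_tier1_arches` comes from the macro file shipped by cargo-packaging, an undefined macro here either fails the build or silently turns ExclusiveArch into a literal string, so confirm which package provides it before merging. Unrelated to this change but visible in the context lines: `Summary:` reads "Rust depedencies"; fix to "dependencies" in a follow-up.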
++++++ _service ++++++
--- /var/tmp/diff_new_pack.yuQEYN/_old 2022-11-02 12:48:00.129830154 +0100
+++ /var/tmp/diff_new_pack.yuQEYN/_new 2022-11-02 12:48:00.133830174 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20220928</param>
+ <param name="version">20221102</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
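Review bot: `<param name="revision">main</param>` together with `version` 20221102 means the source tarball is whatever `main` pointed at when the service ran, not a fixed commit; for a package whose entire payload is security advisories, pin `revision` to the commit hash that produced advisory-db-20221102.tar.xz so the checkout is reproducible and can be diffed against upstream during review. The version bump itself is consistent with the spec and the new Source0 name.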
++++++ advisory-db-20220928.tar.xz -> advisory-db-20221102.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220928/.duplicate-id-guard
new/advisory-db-20221102/.duplicate-id-guard
--- old/advisory-db-20220928/.duplicate-id-guard 2022-09-24
13:52:27.000000000 +0200
+++ new/advisory-db-20221102/.duplicate-id-guard 2022-11-01
18:11:10.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-d41972b4bad0bdc0c390493295dc286e9202606244c0a38d83c51169b93a46bf -
+1550808dc193737c18ba8ca656a087512d904f1a8bd8b64a7a37195f0c887eae -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/badge/RUSTSEC-2022-0057.md
new/advisory-db-20221102/crates/badge/RUSTSEC-2022-0057.md
--- old/advisory-db-20220928/crates/badge/RUSTSEC-2022-0057.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/badge/RUSTSEC-2022-0057.md 2022-11-01
18:11:10.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0057"
+package = "badge"
+date = "2022-08-31"
+url =
"https://github.com/rust-lang/docs.rs/issues/1813#issuecomment-1232875809"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# badge is Unmaintained
+
+The maintainer has adviced this crate is deprecated and will not receive any
maintenance.
+
+The crate depends on the deprecated `rusttype` crate and won't receive updates
+anymore.
+
+## Possible Alternative(s)
+
+ The below list has not been vetted in any way and may or may not contain
alternatives;
+
+ - [badge-maker](https://crates.io/crates/badge-maker)
+ - [badgeland](https://crates.io/crates/badgeland)
+ - [badgen](https://crates.io/crates/badgen)
+ - [badgers](https://crates.io/crates/badgers) (API compatible fork of the
`badge` crate using `ab_glyph` as a replacement for `rusttype`)
+ - [rsbadges](https://crates.io/crates/rsbadges) (used deprecated `rusttype`)
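Review bot: typo in the body, "The maintainer has adviced this crate is deprecated" should read "advised"; the alternatives list is introduced with "may or may not contain alternatives;" (stray semicolon, a colon is meant) and the `rsbadges` entry says "(used deprecated `rusttype`)" where "uses" is meant. Metadata-wise the entry is consistent: `informational = "unmaintained"` with `patched = []`, and since this is a new file in the tarball (old side dated 1970-01-01), users of the 20220928 package never received it despite the 2022-08-31 `date`.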
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/flatbuffers/RUSTSEC-2021-0122.md
new/advisory-db-20221102/crates/flatbuffers/RUSTSEC-2021-0122.md
--- old/advisory-db-20220928/crates/flatbuffers/RUSTSEC-2021-0122.md
2022-09-24 13:52:27.000000000 +0200
+++ new/advisory-db-20221102/crates/flatbuffers/RUSTSEC-2021-0122.md
2022-11-01 18:11:10.000000000 +0100
@@ -7,7 +7,7 @@
url = "https://github.com/google/flatbuffers/issues/6627"
[versions]
-patched = []
+patched = [">= 22.9.29"]
```
# Generated code can read and write out of bounds in safe code
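Review bot: `patched = [">= 22.9.29"]` turns RUSTSEC-2021-0122 from an unfixed advisory into one with an upgrade path, so `cargo audit` stops reporting projects on 22.9.29 and later; confirm in the linked issue (google/flatbuffers#6627) that the release actually fixes the out-of-bounds read/write in generated code rather than only adding a mitigation, because a wrong lower bound silently hides a memory-safety bug reachable from safe code. Recording the fixing release or commit in the advisory body would make that check easier next time.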
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/inconceivable/RUSTSEC-2022-0058.md
new/advisory-db-20221102/crates/inconceivable/RUSTSEC-2022-0058.md
--- old/advisory-db-20220928/crates/inconceivable/RUSTSEC-2022-0058.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/inconceivable/RUSTSEC-2022-0058.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0058"
+package = "inconceivable"
+date = "2022-09-28"
+informational = "notice"
+url = "https://crates.io/crates/inconceivable"
+
+[versions]
+patched = []
+```
+
+# Library exclusively intended to inject UB into safe Rust.
+
+Quoting from the crate description:
+
+> This crate is created purely to inject undefined behavior into stable, safe
rust.
+
+Specifically, the `inconceivable!` macro is insta-UB if the `ub_inconceivable`
feature is enabled by *any* reverse dependency.
+The value this adds is questionable, and hides `unsafe` code from naive
analysis.
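Review bot: `informational = "notice"` means `cargo audit` reports this crate as a warning rather than a failure unless it is run with `--deny warnings`; given that the body says the `inconceivable!` macro is immediate UB once the `ub_inconceivable` feature is enabled by *any* reverse dependency (Cargo feature unification lets a single transitive dependency turn it on for the whole graph), consider saying in the body that consumers should deny the warning in CI or forbid the crate outright. Minor: the title ends with a period, unlike the other advisories in this diff.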
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/linked_list_allocator/RUSTSEC-2022-0063.md
new/advisory-db-20221102/crates/linked_list_allocator/RUSTSEC-2022-0063.md
--- old/advisory-db-20220928/crates/linked_list_allocator/RUSTSEC-2022-0063.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/linked_list_allocator/RUSTSEC-2022-0063.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0063"
+package = "linked_list_allocator"
+date = "2022-09-07"
+url = "https://github.com/advisories/GHSA-xg8p-34w2-j49j"
+categories = ["memory-corruption"]
+aliases = ["CVE-2022-36086"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
+[versions]
+patched = [">= 0.10.2"]
+unaffected = []
+```
+
+# Multiple vulnerabilities resulting in out-of-bounds writes
+
+* The heap initialization methods were missing a minimum size check for the
given heap size argument. This could lead to **out-of-bound writes** when a
heap was initialized with a size smaller than `3 * size_of::<usize>` because of
metadata write operations.
+* When calling `Heap::extend` with a size smaller than two `usize`s (e.g., 16
on `x86_64`), the size was erroneously rounded up to the minimum size, which
could result in an **out-of-bounds write**.
+* Calling `Heap::extend` on an empty heap tried to construct a heap starting
at address 0, which is also an **out-of-bounds write**.
+ * One specific way to trigger this accidentally is to call `Heap::new` (or a
similar constructor) with a heap size that is smaller than two `usize`s. This
was treated as an empty heap as well.
+* Calling `Heap::extend` on a heap whose size is not a multiple of the size of
two `usize`s resulted in unaligned writes. It also left the heap in an
unexpected state, which might lead to subsequent issues. We did not find a way
to exploit this undefined behavior yet (apart from DoS on platforms that fault
on unaligned writes).
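Review bot: `patched = [">= 0.10.2"]` with `unaffected = []` is consistent with the body, but the four bullets describe distinct bugs with different preconditions (undersized heap at init, small `Heap::extend`, `extend` on an empty heap, `extend` with a size that is not a multiple of two `usize`s), and the CVSS vector `AV:L/AC:L/PR:N` only fits the first three; the fourth is described as unaligned writes with no known exploitation beyond DoS on strict-alignment targets. State in the body that all four are fixed in 0.10.2, otherwise readers will wonder whether the alignment issue is covered by the same bound.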
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/matrix-sdk/RUSTSEC-2022-0062.md
new/advisory-db-20221102/crates/matrix-sdk/RUSTSEC-2022-0062.md
--- old/advisory-db-20220928/crates/matrix-sdk/RUSTSEC-2022-0062.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/matrix-sdk/RUSTSEC-2022-0062.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0062"
+package = "matrix-sdk"
+date = "2022-10-24"
+url = "https://github.com/matrix-org/matrix-rust-sdk/issues/1110"
+
+[versions]
+patched = [">= 0.6.2"]
+unaffected = ["< 0.6.0"]
+```
+
+# matrix-sdk 0.6.0 logs access tokens
+
+When sending Matrix requests using an affected version of `matrix-sdk` in an
application that
+writes logs using `tracing-subscriber` (in a way that includes fields of
tracing spans such as
+`tracing_subscriber`s default text output from the `fmt` module), these logs
will contain the
+user's access token.
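Review bot: the title says "matrix-sdk 0.6.0 logs access tokens" but `patched = [">= 0.6.2"]` with `unaffected = ["< 0.6.0"]` makes 0.6.1 affected as well; change the title to cover 0.6.0 and 0.6.1 (or "0.6.x before 0.6.2"). The entry also carries no `categories`, `keywords` or `cvss`, unlike the linked_list_allocator and openssl-src entries in this same update. Since the leaked value is a bearer token, the body should say that anyone who ran an affected version with `tracing_subscriber`'s `fmt` output must treat retained logs as containing live credentials and rotate the tokens, not just upgrade.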
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0059.md
new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0059.md
--- old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0059.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0059.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0059"
+package = "openssl-src"
+aliases = ["CVE-2022-3358"]
+categories = ["crypto-failure"]
+date = "2022-10-11"
+url = "https://www.openssl.org/news/secadv/20221011.txt"
+
+[versions]
+patched = [">= 300.0.10"]
+unaffected = ["< 300.0.0"]
+```
+
+# Using a Custom Cipher with `NID_undef` may lead to NULL encryption
+
+OpenSSL supports creating a custom cipher via the legacy
`EVP_CIPHER_meth_new()`
+function and associated function calls. This function was deprecated in OpenSSL
+3.0 and application authors are instead encouraged to use the new provider
+mechanism in order to implement custom ciphers.
+
+OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed
+to the `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` and
`EVP_CipherInit_ex2()`
+functions (as well as other similarly named encryption and decryption
+initialisation functions). Instead of using the custom cipher directly it
+incorrectly tries to fetch an equivalent cipher from the available providers.
+An equivalent cipher is found based on the NID passed to
`EVP_CIPHER_meth_new()`.
+This NID is supposed to represent the unique NID for a given cipher. However it
+is possible for an application to incorrectly pass `NID_undef` as this value in
+the call to `EVP_CIPHER_meth_new()`. When `NID_undef` is used in this way the
+OpenSSL encryption/decryption initialisation function will match the NULL
cipher
+as being equivalent and will fetch this from the available providers. This will
+succeed if the default provider has been loaded (or if a third party provider
+has been loaded that offers this cipher). Using the NULL cipher means that the
+plaintext is emitted as the ciphertext.
+
+Applications are only affected by this issue if they call
`EVP_CIPHER_meth_new()`
+using `NID_undef` and subsequently use it in a call to an encryption/decryption
+initialisation function. Applications that only use SSL/TLS are not impacted by
+this issue.
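Review bot: the version bounds use openssl-src's own numbering (`< 300.0.0` unaffected, `>= 300.0.10` patched) while the body speaks of OpenSSL 3.0.0 to 3.0.5; state the mapping explicitly (which openssl-src release bundles the fixed OpenSSL) so a reader can verify the bound without consulting the crate's changelog. It would also help to say that openssl-src only matters for builds that vendor OpenSSL (the `openssl` crate's `vendored` feature); applications linking the system libssl get the fix from their distribution, not from this advisory. The closing paragraph (only `EVP_CIPHER_meth_new()` with `NID_undef` callers are affected, TLS-only users are not) is the key triage caveat and is correctly kept.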
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0064.md
new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0064.md
--- old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0064.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0064.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,38 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0064"
+package = "openssl-src"
+aliases = ["CVE-2022-3602"]
+categories = ["denial-of-service", "code-execution"]
+date = "2022-11-01"
+url = "https://www.openssl.org/news/secadv/20221101.txt"
+
+[versions]
+patched = [">= 300.0.11"]
+unaffected = ["< 300.0.0"]
+```
+
+# X.509 Email Address 4-byte Buffer Overflow
+
+A buffer overrun can be triggered in X.509 certificate verification,
+specifically in name constraint checking. Note that this occurs
+after certificate chain signature verification and requires either a
+CA to have signed the malicious certificate or for the application to
+continue certificate verification despite failure to construct a path
+to a trusted issuer. An attacker can craft a malicious email address
+to overflow four attacker-controlled bytes on the stack. This buffer
+overflow could result in a crash (causing a denial of service) or
+potentially remote code execution.
+
+Many platforms implement stack overflow protections which would mitigate
+against the risk of remote code execution. The risk may be further
+mitigated based on stack layout for any given platform/compiler.
+
+Pre-announcements of CVE-2022-3602 described this issue as CRITICAL.
+Further analysis based on some of the mitigating factors described above
+have led this to be downgraded to HIGH. Users are still encouraged to
+upgrade to a new version as soon as possible.
+
+In a TLS client, this can be triggered by connecting to a malicious
+server. In a TLS server, this can be triggered if the server requests
+client authentication and a malicious client connects.
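Review bot: `categories = ["denial-of-service", "code-execution"]` matches the body, but the entry has no `cvss` vector even though the body discusses the CRITICAL-to-HIGH downgrade; adding the vector would let `cargo audit` consumers see the severity directly. The preconditions stated in the body are what matter for triage: the overflow is reached only after chain signature verification succeeds (or the application continues despite path-building failure), so the realistic exposure is a TLS server that requests client certificates, or a TLS client connecting to a server whose certificate chains to a trusted CA and carries the crafted name constraint. As with RUSTSEC-2022-0059, the `>= 300.0.11` bound applies to vendored builds only; system-OpenSSL users are not covered by this advisory.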
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0065.md
new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0065.md
--- old/advisory-db-20220928/crates/openssl-src/RUSTSEC-2022-0065.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/openssl-src/RUSTSEC-2022-0065.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0065"
+package = "openssl-src"
+aliases = ["CVE-2022-3786"]
+categories = ["denial-of-service"]
+date = "2022-11-01"
+url = "https://www.openssl.org/news/secadv/20221101.txt"
+[versions]
+patched = [">= 300.0.11"]
+unaffected = ["< 300.0.0"]
+```
+
+# X.509 Email Address Variable Length Buffer Overflow
+
+A buffer overrun can be triggered in X.509 certificate verification,
+specifically in name constraint checking. Note that this occurs after
+certificate chain signature verification and requires either a CA to
+have signed a malicious certificate or for an application to continue
+certificate verification despite failure to construct a path to a trusted
+issuer. An attacker can craft a malicious email address in a certificate
+to overflow an arbitrary number of bytes containing the `.` character
+(decimal 46) on the stack. This buffer overflow could result in a crash
+(causing a denial of service).
+
+In a TLS client, this can be triggered by connecting to a malicious
+server. In a TLS server, this can be triggered if the server requests
+client authentication and a malicious client connects.
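Review bot: missing blank line between `url = "https://www.openssl.org/news/secadv/20221101.txt"` and `[versions]`, unlike every other advisory in this diff (TOML accepts it, but the files are otherwise consistent). `categories = ["denial-of-service"]` matches the body, which claims only a crash; like RUSTSEC-2022-0064 the fix bound is `>= 300.0.11`, and saying in the body that both CVEs ship in the same openssl-src release would save readers a cross-check. The `.` (decimal 46) detail is what distinguishes this from 0064 and belongs in the title as written.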
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/orbtk/RUSTSEC-2022-0060.md
new/advisory-db-20221102/crates/orbtk/RUSTSEC-2022-0060.md
--- old/advisory-db-20220928/crates/orbtk/RUSTSEC-2022-0060.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/orbtk/RUSTSEC-2022-0060.md 2022-11-01
18:11:10.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0060"
+package = "orbtk"
+date = "2022-10-13"
+url =
"https://github.com/redox-os/orbtk/blob/eba9e77821551076bbf1d9f7ab44d788150e3446/README.md#orbtk-is-sunsetting"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# orbtk is Unmaintained
+
+The `orbtk` crate is no longer maintained.
+
+Alternatives proposed by the authors:
+
+ * [`iced`](https://crates.io/crates/iced)
+ * [`slint`](https://crates.io/crates/slint)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220928/crates/parity-wasm/RUSTSEC-2022-0061.md
new/advisory-db-20221102/crates/parity-wasm/RUSTSEC-2022-0061.md
--- old/advisory-db-20220928/crates/parity-wasm/RUSTSEC-2022-0061.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20221102/crates/parity-wasm/RUSTSEC-2022-0061.md
2022-11-01 18:11:10.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0061"
+package = "parity-wasm"
+date = "2022-10-01"
+url = "https://github.com/paritytech/parity-wasm/pull/334"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Crate `parity-wasm` deprecated by the author
+
+[This PR](https://github.com/paritytech/parity-wasm/pull/334) explicitly
deprecates `parity-wasm`.
+The author recommends switching to
[wasm-tools](https://github.com/bytecodealliance/wasm-tools).