Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2023-10-27 22:28:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Fri Oct 27 22:28:30 2023 rev:37 rq:1120660 version:20231027

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2023-10-08 12:21:50.113743998 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.17445/cargo-audit-advisory-db.changes
       2023-10-27 22:29:01.829356991 +0200
@@ -1,0 +2,15 @@
+Fri Oct 27 03:02:30 UTC 2023 - [email protected]
+
+- Update to version 20231027:
+  * Assigned RUSTSEC-2023-0068 to cocoon (#1810)
+  * cocoon: sequential calls of encryption API result in nonce reuse (<=0.3.3) 
(#1805)
+  * Updating information about replacements (#1803)
+  * Assigned RUSTSEC-2023-0067 to fehler (#1801)
+  * fehler is unmaintained (#1800)
+  * Assigned RUSTSEC-2023-0066 to pleaser (#1799)
+  * Document the privilege-escalation vulnerability in pleaser. (#1798)
+  * Update webpki RUSTSEC-2023-0052 advisory. (#1797)
+  * Assigned RUSTSEC-2023-0065 to tungstenite (#1796)
+  * Create advisory for tungstenite DoS (#1795)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20231007.tar.xz

New:
----
  advisory-db-20231027.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.ArxNQP/_old  2023-10-27 22:29:02.713389415 +0200
+++ /var/tmp/diff_new_pack.ArxNQP/_new  2023-10-27 22:29:02.713389415 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20231007
+Version:        20231027
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
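Review bot: The unchanged `Summary:` context line still reads `A database of known security issues for Rust depedencies`; since the spec is already being touched for the version bump, correcting `depedencies` to `dependencies` in the same change would fix the typo that ends up in the package metadata.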

++++++ _service ++++++
--- /var/tmp/diff_new_pack.ArxNQP/_old  2023-10-27 22:29:02.745390588 +0200
+++ /var/tmp/diff_new_pack.ArxNQP/_new  2023-10-27 22:29:02.749390735 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20231007</param>
+    <param name="version">20231027</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">[email protected]</param>

++++++ advisory-db-20231007.tar.xz -> advisory-db-20231027.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20231007/.duplicate-id-guard 
new/advisory-db-20231027/.duplicate-id-guard
--- old/advisory-db-20231007/.duplicate-id-guard        2023-10-03 
15:53:18.000000000 +0200
+++ new/advisory-db-20231027/.duplicate-id-guard        2023-10-24 
03:38:27.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-36a9b51a48b3404a0625daab077982cb323512602246febf46ad480eee672625  -
+222dcb79d2f0a5d8698976c3b5c7852a0f117dfa2d390cb46677ccb3e7e8705a  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20231007/crates/cocoon/RUSTSEC-2023-0068.md 
new/advisory-db-20231027/crates/cocoon/RUSTSEC-2023-0068.md
--- old/advisory-db-20231007/crates/cocoon/RUSTSEC-2023-0068.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231027/crates/cocoon/RUSTSEC-2023-0068.md 2023-10-24 
03:38:27.000000000 +0200
@@ -0,0 +1,72 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0068"
+package = "cocoon"
+date = "2023-10-15"
+url = "https://github.com/fadeevab/cocoon/issues/22";
+categories = ["crypto-failure"]
+cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
+keywords = ["nonce", "stream-cipher"]
+
+[affected.functions]
+"cocoon::Cocoon::encrypt" = ["<= 0.3.3"]
+"cocoon::Cocoon::dump" = ["<= 0.3.3"]
+"cocoon::Cocoon::wrap" = ["<= 0.3.3"]
+"cocoon::MiniCocoon::encrypt" = ["<= 0.3.3"]
+"cocoon::MiniCocoon::dump" = ["<= 0.3.3"]
+"cocoon::MiniCocoon::wrap" = ["<= 0.3.3"]
+
+[versions]
+patched = [">= 0.4.0"]
+```
+
+# Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in 
nonce reuse
+
+**Problem**: Trying to create a new encrypted message with the same cocoon
+object generates the same ciphertext. It mostly affects `MiniCocoon` and
+`Cocoon` objects with custom seeds and RNGs (where `StdRng` is used under
+the hood).
+
+**Note**: The issue does **NOT** affect objects created with **`Cocoon::new`**
+which utilizes `ThreadRng`.
+
+**Cause**: `StdRng` produces the same nonce because `StdRng::clone` resets its
+state.
+
+**Measure**: Make encryption API mutable (`encrypt`, `wrap`, and `dump`).
+
+**Workaround**: Create a new cocoon object with a new **seed** per each
+encryption.
+
+## How to Reproduce
+
+```rust
+let cocoon = MiniCocoon::from_password(b"password", &[1; 32]);
+let mut data1 = "my secret data".to_owned().into_bytes();
+let _ = cocoon.encrypt(&mut data1)?;
+
+let mut data2 = "my secret data".to_owned().into_bytes();
+let _ = cocoon.encrypt(&mut data2)?;
+
+// data1: [23, 217, 251, 151, 179, 62, 85, 15, 253, 92, 192, 112, 200, 52]
+// data2: [23, 217, 251, 151, 179, 62, 85, 15, 253, 92, 192, 112, 200, 52]
+```
+
+## Workaround
+
+For `cocoon <= 0.3.3`, create a new cocoon with a different **seed**
+per each `encrypt`/`wrap`/`dump` call.
+
+```rust
+let cocoon = MiniCocoon::from_password(b"password", &[1; 32]);
+let mut data1 = "my secret data".to_owned().into_bytes();
+let _ = cocoon.encrypt(&mut data1)?;
+
+// Another seed: &[2; 32].
+let cocoon = MiniCocoon::from_password(b"password", &[2; 32]);
+let mut data2 = "my secret data".to_owned().into_bytes();
+let _ = cocoon.encrypt(&mut data2)?;
+
+// data1: [23, 217, 251, 151, 179, 62, 85, 15, 253, 92, 192, 112, 200, 52]
+// data2: [53, 223, 209, 96, 130, 99, 209, 108, 83, 189, 123, 81, 19, 1]
+```
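Review bot: The front-matter line `url = "https://github.com/fadeevab/cocoon/issues/22";` ends with a semicolon, which is not valid TOML and would stop the advisory metadata from parsing; the line should end at the closing quote. Minor: the `**Workaround**` entry in the summary and the `## Workaround` section repeat each other, so the summary entry could simply point at the section.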
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20231007/crates/fehler/RUSTSEC-2023-0067.md 
new/advisory-db-20231027/crates/fehler/RUSTSEC-2023-0067.md
--- old/advisory-db-20231007/crates/fehler/RUSTSEC-2023-0067.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231027/crates/fehler/RUSTSEC-2023-0067.md 2023-10-24 
03:38:27.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0067"
+package = "fehler"
+date = "2023-10-12"
+url = "https://github.com/withoutboats/fehler/issues/66";
+informational = "unmaintained"
+
+[versions]
+patched = []
+
+```
+# `fehler` is unmaintained; use `culpa` instead
+
+The [`fehler`](https://crates.io/crates/fehler) crate is no longer maintained.
+Consider using [`culpa`](https://crates.io/crates/culpa) instead.
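Review bot: The line `url = "https://github.com/withoutboats/fehler/issues/66";` in the TOML front matter carries a trailing semicolon, which is not valid TOML; drop it so the value ends at the closing quote. Also, the closing ``` fence is immediately followed by the `# \`fehler\` is unmaintained` heading with no blank line, while a stray blank line sits inside the TOML block before the fence; moving that blank line after the fence keeps the front matter tidy and the heading cleanly separated.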
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20231007/crates/owning_ref/RUSTSEC-2022-0040.md 
new/advisory-db-20231027/crates/owning_ref/RUSTSEC-2022-0040.md
--- old/advisory-db-20231007/crates/owning_ref/RUSTSEC-2022-0040.md     
2023-10-03 15:53:18.000000000 +0200
+++ new/advisory-db-20231027/crates/owning_ref/RUSTSEC-2022-0040.md     
2023-10-24 03:38:27.000000000 +0200
@@ -19,4 +19,5 @@
 - `OwningRefMut::as_owner` and `OwningRefMut::as_owner_mut` are 
[unsound](https://github.com/Kimundi/owning-ref-rs/issues/61) and may result in 
a use-after-free.
 - The crate [violates Rust's aliasing 
rules](https://github.com/Kimundi/owning-ref-rs/issues/49), which may cause 
miscompilations on recent compilers that emit the LLVM `noalias` attribute.
 
-No patched versions are available at this time. While a pull request with some 
fixes is outstanding, the maintainer appears to be unresponsive.
+`safer_owning_ref` is a replacement crate which fixes these issues.
+No patched versions of the original crate are available, and the maintainer is 
unresponsive.
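Review bot: The new line `safer_owning_ref` is a replacement crate which fixes these issues.` names the replacement without linking it; the `fehler` advisory added in this same update links its suggested replacement (`culpa`) to crates.io, so linking `safer_owning_ref` the same way would keep the two advisories consistent and let readers find the crate directly.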
