Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2026-02-13 12:46:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Fri Feb 13 12:46:42 2026 rev:52 rq:1332784 version:20260213
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2026-02-05 18:01:49.511193718 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1977/cargo-audit-advisory-db.changes
2026-02-13 12:46:49.434500675 +0100
@@ -1,0 +2,15 @@
+Fri Feb 13 02:02:55 UTC 2026 - [email protected]
+
+- Update to version 20260213:
+ * Assigned RUSTSEC-2025-0150 to finch-rst, RUSTSEC-2025-0151 to sha-rst,
RUSTSEC-2025-0152 to finch_cli_rust
+ * Add advisories for the second finch attack in December.
+ * Add patched versions to RUSTSEC-2025-0142
+ * Bump actions/cache from 5.0.2 to 5.0.3
+ * Synchronize IDs (2026-02-08)
+ * Assigned RUSTSEC-2025-0149 to below
+ * below: add information about CVE-2025-27591 (#2585)
+ * Assigned RUSTSEC-2026-0010 to polymarket-clients-sdk
+ * Advisory for deleted malicious crate polymarket-clients-sdk
+ * Assigned RUSTSEC-2025-0145 to uniswap-utils, RUSTSEC-2025-0146 to
sha-rust, RUSTSEC-2025-0147 to evm-units, RUSTSEC-2025-0148 to finch-rust
+
+-------------------------------------------------------------------
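Review bot: the changelog entry omits two changes that appear further down in this diff: the new RUSTSEC-2026-0009 advisory for `time` (stack-exhaustion denial of service, patched in 0.3.47) and the GHSA alias added to RUSTSEC-2026-0008 for `git2`. Since `changesgenerate` only collects upstream commit subjects, consider adding a line for the `time` advisory so readers of the .changes file can see that a new DoS advisory shipped in this snapshot.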
Old:
----
advisory-db-20260205.tar.xz
New:
----
advisory-db-20260213.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.94WcnY/_old 2026-02-13 12:46:50.374540045 +0100
+++ /var/tmp/diff_new_pack.94WcnY/_new 2026-02-13 12:46:50.374540045 +0100
@@ -18,7 +18,7 @@
Name: cargo-audit-advisory-db
-Version: 20260205
+Version: 20260213
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
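Review bot: the context line `Summary: A database of known security issues for Rust depedencies` carries a typo (`depedencies` should be `dependencies`); it is outside the changed lines, but this version bump is a convenient place to correct it.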
++++++ _service ++++++
--- /var/tmp/diff_new_pack.94WcnY/_old 2026-02-13 12:46:50.418541888 +0100
+++ /var/tmp/diff_new_pack.94WcnY/_new 2026-02-13 12:46:50.422542056 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20260205</param>
+ <param name="version">20260213</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
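Review bot: `version` is bumped to 20260213 while `revision` stays at `main`, so the tarball content depends on when the (disabled, manually run) service fetched the branch rather than on the version string. Pinning `revision` to the upstream commit hash the snapshot was taken from would make `advisory-db-20260213.tar.xz` reproducible and auditable against upstream.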
++++++ advisory-db-20260205.tar.xz -> advisory-db-20260213.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260205/.duplicate-id-guard
new/advisory-db-20260213/.duplicate-id-guard
--- old/advisory-db-20260205/.duplicate-id-guard 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.duplicate-id-guard 2026-02-12
06:57:23.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-a2cf9b3307409281b03d3357a3593df057dce4c06e3404a00d027b5ab73e87f5 -
+3c498c383b11c095e21c706528f71cb85c3acedb64b1ce26c23d38324a47741e -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/.github/workflows/assign-ids.yml
new/advisory-db-20260213/.github/workflows/assign-ids.yml
--- old/advisory-db-20260205/.github/workflows/assign-ids.yml 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.github/workflows/assign-ids.yml 2026-02-12
06:57:23.000000000 +0100
@@ -20,14 +20,14 @@
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.cargo/bin
- key: rustsec-admin-7ed6bee1571768e528a6631400d3b51f37463b29
+ key: rustsec-admin-fd0658040d06dff9569dd7b2df60439db93403ec
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 7ed6bee1571768e528a6631400d3b51f37463b29
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev fd0658040d06dff9569dd7b2df60439db93403ec
- name: Assign IDs
id: assign
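Review bot: the action is pinned by full commit SHA with a `# v5.0.3` comment, and the cache key embeds the same `rustsec-admin` revision that `cargo install --rev` builds, so a changed rev cannot be served a stale cached binary; both are the right pattern. The identical four-line change is repeated in export-osv.yml, publish-web.yml, sync-ids.yml and validate.yml below; a composite action or reusable workflow would let the rev be bumped in one place and keep the five workflows from drifting apart.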
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/.github/workflows/export-osv.yml
new/advisory-db-20260213/.github/workflows/export-osv.yml
--- old/advisory-db-20260205/.github/workflows/export-osv.yml 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.github/workflows/export-osv.yml 2026-02-12
06:57:23.000000000 +0100
@@ -17,15 +17,15 @@
ref: osv
persist-credentials: true # persists the token for git push below
- - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
id: admin-cache
with:
path: ~/.cargo/bin
- key: rustsec-admin-7ed6bee1571768e528a6631400d3b51f37463b29
+ key: rustsec-admin-fd0658040d06dff9569dd7b2df60439db93403ec
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 7ed6bee1571768e528a6631400d3b51f37463b29
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev fd0658040d06dff9569dd7b2df60439db93403ec
- run: |
mkdir -p crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/.github/workflows/publish-web.yml
new/advisory-db-20260213/.github/workflows/publish-web.yml
--- old/advisory-db-20260205/.github/workflows/publish-web.yml 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.github/workflows/publish-web.yml 2026-02-12
06:57:23.000000000 +0100
@@ -17,15 +17,15 @@
ref: gh-pages
persist-credentials: true # persists the token for git push below
- - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
id: admin-cache
with:
path: ~/.cargo/bin
- key: rustsec-admin-7ed6bee1571768e528a6631400d3b51f37463b29
+ key: rustsec-admin-fd0658040d06dff9569dd7b2df60439db93403ec
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 7ed6bee1571768e528a6631400d3b51f37463b29
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev fd0658040d06dff9569dd7b2df60439db93403ec
- run: |
rustsec-admin web .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260205/.github/workflows/sync-ids.yml
new/advisory-db-20260213/.github/workflows/sync-ids.yml
--- old/advisory-db-20260205/.github/workflows/sync-ids.yml 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.github/workflows/sync-ids.yml 2026-02-12
06:57:23.000000000 +0100
@@ -22,14 +22,14 @@
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.cargo/bin
- key: rustsec-admin-7ed6bee1571768e528a6631400d3b51f37463b29
+ key: rustsec-admin-fd0658040d06dff9569dd7b2df60439db93403ec
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 7ed6bee1571768e528a6631400d3b51f37463b29
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev fd0658040d06dff9569dd7b2df60439db93403ec
- name: Synchronize IDs
id: sync_ids
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260205/.github/workflows/validate.yml
new/advisory-db-20260213/.github/workflows/validate.yml
--- old/advisory-db-20260205/.github/workflows/validate.yml 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/.github/workflows/validate.yml 2026-02-12
06:57:23.000000000 +0100
@@ -18,14 +18,14 @@
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.cargo/bin
- key: rustsec-admin-7ed6bee1571768e528a6631400d3b51f37463b29
+ key: rustsec-admin-fd0658040d06dff9569dd7b2df60439db93403ec
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 7ed6bee1571768e528a6631400d3b51f37463b29
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev fd0658040d06dff9569dd7b2df60439db93403ec
- name: Lint advisories
- run: rustsec-admin lint --skip-namecheck rustdecimal,vec-const
+ run: rustsec-admin lint
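Review bot: dropping `--skip-namecheck rustdecimal,vec-const` means `rustsec-admin lint` will now check those two crate names as well; confirm that the advisories for `rustdecimal` and `vec-const` pass the name check with the new rustsec-admin rev (`fd0658040d06dff9569dd7b2df60439db93403ec`), otherwise the validate workflow will start failing on every pull request.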
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/below/RUSTSEC-2025-0149.md
new/advisory-db-20260213/crates/below/RUSTSEC-2025-0149.md
--- old/advisory-db-20260205/crates/below/RUSTSEC-2025-0149.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/below/RUSTSEC-2025-0149.md 2026-02-12
06:57:23.000000000 +0100
@@ -0,0 +1,101 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0149"
+package = "below"
+date = "2025-03-12"
+url = "https://www.openwall.com/lists/oss-security/2025/03/12/1"
+# Valid categories: "code-execution", "crypto-failure", "denial-of-service",
"file-disclosure"
+# "format-injection", "memory-corruption", "memory-exposure",
"privilege-escalation"
+categories = ["privilege-escalation"]
+aliases = ["CVE-2025-27591", "GHSA-9mc5-7qhg-fp3w"]
+cvss = "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+
+[versions]
+patched = [">= 0.9.0"]
+```
+
+# World Writable Directory in /var/log/below Allows Local Privilege Escalation
+
+Below is a tool for recording and displaying system data like
+hardware utilization and cgroup information on Linux.
+
+## Symlink Attack in `/var/log/below/error_root.log`
+
+Below's systemd service runs with full `root` privileges. It attempts to
+create a world-writable directory in `/var/log/below`. Even if the
+directory already exists, the Rust code ensures [1] that it receives
+mode 0777 permissions:
+
+```
+ if perm.mode() & 0o777 != 0o777 {
+ perm.set_mode(0o777);
+ match dir.set_permissions(perm) {
+ Ok(()) => {}
+ Err(e) => {
+ bail!(
+ "Failed to set permissions on {}: {}",
+ path.to_string_lossy(),
+ e
+ );
+ }
+ }
+ }
+```
+
+This logic leads to different outcomes depending on the packaging on Linux
+distributions:
+
+- in openSUSE Tumbleweed the directory was packaged with 01755
+ permissions (below.spec [2] line 73), thus causing the
+ `set_permissions()` call to run, resulting in a directory with mode
+ 0777 during runtime.
+- in Gentoo Linux the directory is created with mode 01755 resulting in
+ the same outcome as on openSUSE Tumbleweed (below.ebuild [3]). Where
+ the 01755 mode is exactly coming from is not fully clear, maybe the
+ `cargo` build process assigns these permissions during installation.
+- in Fedora Linux the directory is packaged with 01777 permissions, thus
+ the `set_permissions()` code will not run, because the `if` condition
+ masks out the sticky bit. The directory stays at mode 01777
+ (rust-below.spec [4]).
+- the Arch Linux AUR package [5] (maybe wrongly) does not pre-create
+ the log directory. Thus the `set_permissions()` code will run and
+ create the directory with mode 0777.
+
+Below creates a log file in `/var/log/below/error_root.log` and assigns
+mode 0666 to it. This (somewhat confusingly) happens via a `log_dir`
+variable [6], which has been changed to point to the `error_root.log`
+file. The 0666 permission assignment to the logfile happens in
+`logging::setup()` [7], also accompanied by a somewhat strange comment
+in the code.
+
+A local unprivileged attacker can stage a symlink attack in this
+location and cause an arbitrary file in the system to obtain 0666
+permissions, likely leading to a full local root exploit, if done right,
+e.g. by pointing the symlink to `/etc/shadow`. Even if the file already
+exists it can be removed and replaced by a symlink, because of the
+world-writable directory permissions. The attack is thus not limited to
+scenarios in which the file has not yet been created by Below.
+
+## Further Issues
+
+Even on Fedora Linux, where `/var/log/below` has "safe" 01777
+permissions, there is a time window during which problems can arise. As
+long as `below.service` has not been started, another local user can
+pre-create `/var/log/below/error_root.log` and e.g. place a FIFO special
+file there. This will pose a local DoS against the below service, since
+it will fail to open the path and thus fail to start.
+
+If `/var/log/below` were to be deleted for any reason, then Below would
+still recreate it using the bad 0777 mode permissions, which can also
+happen on distributions that initially package `/var/log/below` using
+permissions that do not trigger the `set_permissions()` call in Below's
+code.
+
+[1]:
https://github.com/facebookincubator/below/blob/v0.8.1/below/src/main.rs#L379
+[2]:
https://build.opensuse.org/projects/openSUSE:Factory/packages/below/files/below.spec?expand=1&rev=5e78e7f743f87bea8648eeee673c649b
+[3]:
https://github.com/gentoo/gentoo/blob/master/sys-process/below/below-0.8.1-r1.ebuild#L344
+[4]:
https://src.fedoraproject.org/rpms/rust-below/blob/6ae58353b5d12e58462425c20a2aedfbae2e769a/f/rust-below.spec#_108
+[5]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=below#n34
+[6]:
https://github.com/facebookincubator/below/blob/v0.8.1/below/src/main.rs#L552
+[7]:
https://github.com/facebookincubator/below/blob/v0.8.1/below/src/open_source/logging.rs#L68
+
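Review bot: the inner fenced block quoting the `set_permissions` logic has no language tag; tagging it ```rust to match the `toml` fence above it renders it highlighted on the web export. The advisory also gives the fixed range `>= 0.9.0` without saying what 0.9.0 changed (whether the directory mode was narrowed, the log file creation hardened, or both); a one-line summary of the fix would help distributions decide whether shipping `/var/log/below` as 01777, which the Fedora bullet shows avoids the runtime chmod, is a sufficient packaging-side mitigation on its own.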
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/evm-units/RUSTSEC-2025-0147.md
new/advisory-db-20260213/crates/evm-units/RUSTSEC-2025-0147.md
--- old/advisory-db-20260205/crates/evm-units/RUSTSEC-2025-0147.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/evm-units/RUSTSEC-2025-0147.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0147"
+package = "evm-units"
+date = "2025-12-03"
+url =
"https://blog.rust-lang.org/2025/12/03/crates.io-malicious-crates-evm-units-and-uniswap-utils/"
+references =
["https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads"]
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `evm-units` was removed from crates.io for malicious code
+
+It appeared to be attempting to steal cryptocurrency.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/finch-rst/RUSTSEC-2025-0150.md
new/advisory-db-20260213/crates/finch-rst/RUSTSEC-2025-0150.md
--- old/advisory-db-20260205/crates/finch-rst/RUSTSEC-2025-0150.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/finch-rst/RUSTSEC-2025-0150.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0150"
+package = "finch-rst"
+date = "2025-12-09"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `finch-rst` was removed from crates.io for malicious code
+
+This attempts to typosquat the existing crate
+[`finch`](https://crates.io/crates/finch) to steal credentials from local
+files.
+
+The malicious crate had 1 version published on 2025-12-08 and had been
+downloaded 21 times. There were no crates depending on this crate on crates.io.
+
+Thanks to Matthias Zepper of [NGI Sweden](https://ngisweden.scilifelab.se/) for
+reporting this to the crates.io team!
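Review bot: unlike RUSTSEC-2025-0148 (`finch-rust`) above, this advisory has no `url` or `references` field; if a crates.io blog post or a Socket write-up covers the 2025-12-08 typosquats, adding it would give readers something to triage against. The same applies to the `finch_cli_rust` and `sha-rst` advisories in this batch.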
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/finch-rust/RUSTSEC-2025-0148.md
new/advisory-db-20260213/crates/finch-rust/RUSTSEC-2025-0148.md
--- old/advisory-db-20260205/crates/finch-rust/RUSTSEC-2025-0148.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/finch-rust/RUSTSEC-2025-0148.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0148"
+package = "finch-rust"
+date = "2025-12-05"
+url =
"https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/"
+references =
["https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials"]
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `finch-rust` was removed from crates.io for malicious code
+
+It depended on the `sha-rust` crate, which appeared to be attempting to steal
credentials from local files.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/finch_cli_rust/RUSTSEC-2025-0152.md
new/advisory-db-20260213/crates/finch_cli_rust/RUSTSEC-2025-0152.md
--- old/advisory-db-20260205/crates/finch_cli_rust/RUSTSEC-2025-0152.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/finch_cli_rust/RUSTSEC-2025-0152.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0152"
+package = "finch_cli_rust"
+date = "2025-12-09"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `finch_cli_rust` was removed from crates.io for malicious code
+
+This attempts to typosquat the existing crate
+[`finch_cli`](https://crates.io/crates/finch_cli) to steal credentials from
+local files.
+
+The malicious crate had 1 version published on 2025-12-08 and had been
+downloaded 18 times. There were no crates depending on this crate on crates.io.
+
+Thanks to Matthias Zepper of [NGI Sweden](https://ngisweden.scilifelab.se/) for
+reporting this to the crates.io team!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/git2/RUSTSEC-2026-0008.md
new/advisory-db-20260213/crates/git2/RUSTSEC-2026-0008.md
--- old/advisory-db-20260205/crates/git2/RUSTSEC-2026-0008.md 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/crates/git2/RUSTSEC-2026-0008.md 2026-02-12
06:57:23.000000000 +0100
@@ -7,10 +7,12 @@
informational = "unsound"
categories = ["memory-corruption"]
keywords = ["undefined-behavior"]
+aliases = ["GHSA-j39j-6gw9-jw6h"]
[versions]
patched = [">=0.20.4"]
```
+
# Potential undefined behavior when dereferencing Buf struct
if we dereference the Buf struct right after calling new() or default() on Buf
struct, it passes Null Pointer to the unsafe function slice::from_raw_parts.
Based on the safety section documentation of function,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260205/crates/mnl/RUSTSEC-2025-0142.md
new/advisory-db-20260213/crates/mnl/RUSTSEC-2025-0142.md
--- old/advisory-db-20260205/crates/mnl/RUSTSEC-2025-0142.md 2026-02-04
15:21:33.000000000 +0100
+++ new/advisory-db-20260213/crates/mnl/RUSTSEC-2025-0142.md 2026-02-12
06:57:23.000000000 +0100
@@ -8,7 +8,7 @@
aliases = ["GHSA-585q-cm62-757j"]
[versions]
-patched = []
+patched = [">= 0.3.1"]
```
# Segmentation fault and invalid memory read in `mnl::cb_run`
@@ -18,3 +18,7 @@
Passing a crafted byte slice to `mnl::cb_run` can trigger memory violations.
The function does not sufficiently validate the input buffer structure before
processing, leading to out-of-bounds reads.
This vulnerability allows an attacker to cause a Denial of Service
(segmentation fault) or potentially read unmapped memory by providing a
malformed Netlink message.
+
+The underlying issue is a bug in `libmnl` where during validation
`nlh->nlmsg_len` is cast to an `int` and becomes negative if `nlmsg_len` is
greater than `INT_MAX`. This causes the validation to succeed even if the
buffer is too small for the message. This has been fixed in `libmnl` but still
affects version 1.0.5.
+
+The issue in `mnl` was fixed in commit `cd51bdc` by checking the validity of
netlink messages passed to `mnl::cb_run`.
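Review bot: the fix is referenced only by the abbreviated hash `cd51bdc`; a full commit hash or a link to the commit or pull request would make it resolvable without guessing the repository. Likewise, "fixed in `libmnl` but still affects version 1.0.5" would be clearer with the first fixed libmnl version, since users of the crate on distributions that still ship libmnl 1.0.5 need to know that the crate-side validation added in 0.3.1 is what protects them.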
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
new/advisory-db-20260213/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
--- old/advisory-db-20260205/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0010"
+package = "polymarket-clients-sdk"
+date = "2026-02-06"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `polymarket-clients-sdk` was removed from crates.io for malicious code
+
+It appeared to be typosquatting existing crate
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
(`clients` vs `client`)
+and attempting to steal credentials from local files.
+
+The malicious crate had 6 versions published on 2026-02-05 and had been
downloaded only 59 times.
+There were no crates depending on this crate on crates.io.
+
+Thanks to [Socket.dev](https://socket.dev/) for detecting and reporting this
to the crates.io team!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/sha-rst/RUSTSEC-2025-0151.md
new/advisory-db-20260213/crates/sha-rst/RUSTSEC-2025-0151.md
--- old/advisory-db-20260205/crates/sha-rst/RUSTSEC-2025-0151.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/sha-rst/RUSTSEC-2025-0151.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0151"
+package = "sha-rst"
+date = "2025-12-09"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `sha-rst` was removed from crates.io for malicious code
+
+This crate was used as a dependency by `finch_cli_rust` and `finch-rst` and
+contained a malware payload to exfiltrate credentials.
+
+The malicious crate had 1 version published on 2025-12-08 and had been
+downloaded 22 times. Other than the other crates above that were part of the
+attack, no other crates depedended on this crate.
+
+Thanks to Matthias Zepper of [NGI Sweden](https://ngisweden.scilifelab.se/) for
+reporting this to the crates.io team!
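Review bot: `depedended` in the last paragraph is a typo for `depended`, and "the other crates above" has no referent inside this file; naming them (`finch_cli_rust` and `finch-rst`, as in the first paragraph) keeps the advisory self-contained when it is rendered on its own page.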
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/sha-rust/RUSTSEC-2025-0146.md
new/advisory-db-20260213/crates/sha-rust/RUSTSEC-2025-0146.md
--- old/advisory-db-20260205/crates/sha-rust/RUSTSEC-2025-0146.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/sha-rust/RUSTSEC-2025-0146.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0146"
+package = "sha-rust"
+date = "2025-12-05"
+url =
"https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/"
+references =
["https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials"]
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `sha-rust` was removed from crates.io for malicious code
+
+It appeared to be attempting to steal credentials from local files.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/time/RUSTSEC-2026-0009.md
new/advisory-db-20260213/crates/time/RUSTSEC-2026-0009.md
--- old/advisory-db-20260205/crates/time/RUSTSEC-2026-0009.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/time/RUSTSEC-2026-0009.md 2026-02-12
06:57:23.000000000 +0100
@@ -0,0 +1,44 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0009"
+package = "time"
+date = "2026-02-05"
+url = "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
+categories = ["denial-of-service"]
+cvss = "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+keywords = ["stack", "exhaustion"]
+aliases = ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"]
+
+[affected.functions]
+# for all methods: only when `time::format_description::well_known::Rfc2822`
is used as the format
+"time::parsing::Parsed::parse_item" = [">= 0.3.6, < 0.3.47"]
+"time::Date::parse" = [">= 0.3.6, < 0.3.47"]
+"time::Time::parse" = [">= 0.3.6, < 0.3.47"]
+"time::UtcOffset::parse" = [">= 0.3.6, < 0.3.47"]
+"time::PrimitiveDateTime::parse" = [">= 0.3.6, < 0.3.47"]
+"time::OffsetDateTime::parse" = [">= 0.3.6, < 0.3.47"]
+"time::UtcDateTime::parse" = [">= 0.3.38, < 0.3.47"] # type not present until
0.3.38
+
+[versions]
+patched = [">= 0.3.47"]
+unaffected = ["< 0.3.6"]
+```
+
+# Denial of Service via Stack Exhaustion
+
+## Impact
+
+When user-provided input is provided to any type that parses with the RFC 2822
format, a denial of
+service attack via stack exhaustion is possible. The attack relies on formally
deprecated and
+rarely-used features that are part of the RFC 2822 format used in a malicious
manner. Ordinary,
+non-malicious input will never encounter this scenario.
+
+## Patches
+
+A limit to the depth of recursion was added in v0.3.47. From this version, an
error will be returned
+rather than exhausting the stack.
+
+## Workarounds
+
+Limiting the length of user input is the simplest way to avoid stack
exhaustion, as the amount of
+the stack consumed would be at most a factor of the length of the input.
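Review bot: `keywords = ["stack", "exhaustion"]` splits one concept into two tokens; a single hyphenated keyword in the style of `undefined-behavior` used elsewhere in the database (for example `stack-exhaustion`) would be more searchable. The restriction to `Rfc2822` lives only in a TOML comment above `[affected.functions]`, so tooling that consumes that table cannot see it; stating the condition in the Impact section as well would make the advisory self-describing for users who parse with other formats.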
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260205/crates/uniswap-utils/RUSTSEC-2025-0145.md
new/advisory-db-20260213/crates/uniswap-utils/RUSTSEC-2025-0145.md
--- old/advisory-db-20260205/crates/uniswap-utils/RUSTSEC-2025-0145.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260213/crates/uniswap-utils/RUSTSEC-2025-0145.md
2026-02-12 06:57:23.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0145"
+package = "uniswap-utils"
+date = "2025-12-03"
+url =
"https://blog.rust-lang.org/2025/12/03/crates.io-malicious-crates-evm-units-and-uniswap-utils/"
+references =
["https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads"]
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `uniswap-utils` was removed from crates.io for malicious code
+
+It depended on the `evm-units` crate, which appeared to be attempting to steal
cryptocurrency.