Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2026-02-26 18:52:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.29461 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Thu Feb 26 18:52:04 2026 rev:53 rq:1335185 version:20260226
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2026-02-13 12:46:49.434500675 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.29461/cargo-audit-advisory-db.changes
2026-02-26 18:52:29.671129196 +0100
@@ -1,0 +2,15 @@
+Thu Feb 26 03:49:21 UTC 2026 - [email protected]
+
+- Update to version 20260226:
+ * Assigned RUSTSEC-2026-0023 to libcrux-ecdh, RUSTSEC-2026-0024 to
libcrux-psq, RUSTSEC-2026-0025 to libcrux-psq, RUSTSEC-2026-0026 to
libcrux-ed25519
+ * Add advisory for `libcrux-ecdh`
+ * Add advisory for `libcrux-ed25519`
+ * Add advisory for `libcrux-psq`
+ * Add advisory for `libcrux-psq`
+ * Assigned RUSTSEC-2026-0020 to wasmtime, RUSTSEC-2026-0021 to wasmtime,
RUSTSEC-2026-0022 to wasmtime (#2676)
+ * Add advisories just published for Wasmtime
+ * Assigned RUSTSEC-2026-0019 to tracing-check (#2674)
+ * Add tracing-check advisory. (#2673)
+ * Assigned RUSTSEC-2026-0018 to rpc-check
+
+-------------------------------------------------------------------
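Review bot: the changelog entry covers only the libcrux, Wasmtime, tracing-check and rpc-check commits, while the tarball diff in this same request also adds new advisories RUSTSEC-2026-0011 through RUSTSEC-2026-0017, RUSTSEC-2025-0153 for hexchat, and GHSA aliases on eight existing entries (evm-units, finch-rst, finch-rust, finch_cli_rust, polymarket-clients-sdk, sha-rst, sha-rust, uniswap-utils). Since `changesgenerate` only captures upstream commit subjects, a summary line along the lines of `* Also adds RUSTSEC-2026-0011 to RUSTSEC-2026-0017, RUSTSEC-2025-0153 and GHSA aliases` would let a reviewer see the real scope of this update from the changelog alone.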
Old:
----
advisory-db-20260213.tar.xz
New:
----
advisory-db-20260226.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.nmZkIo/_old 2026-02-26 18:52:32.083229602 +0100
+++ /var/tmp/diff_new_pack.nmZkIo/_new 2026-02-26 18:52:32.087229769 +0100
@@ -18,7 +18,7 @@
Name: cargo-audit-advisory-db
-Version: 20260213
+Version: 20260226
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
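Review bot: the unchanged `Summary:` context line still reads "Rust depedencies"; since the spec is being touched for the version bump anyway, correcting it to "Rust dependencies" in the same request is cheap and keeps the package summary presentable in `zypper info` output.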
++++++ _service ++++++
--- /var/tmp/diff_new_pack.nmZkIo/_old 2026-02-26 18:52:32.363241258 +0100
+++ /var/tmp/diff_new_pack.nmZkIo/_new 2026-02-26 18:52:32.399242756 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20260213</param>
+ <param name="version">20260226</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20260213.tar.xz -> advisory-db-20260226.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260213/.duplicate-id-guard
new/advisory-db-20260226/.duplicate-id-guard
--- old/advisory-db-20260213/.duplicate-id-guard 2026-02-12
06:57:23.000000000 +0100
+++ new/advisory-db-20260226/.duplicate-id-guard 2026-02-25
18:22:43.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-3c498c383b11c095e21c706528f71cb85c3acedb64b1ce26c23d38324a47741e -
+9027304bcca182148decb8fd5d87d1e7c8738b3386ee60de2eb840362740b975 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/clob-sdk/RUSTSEC-2026-0017.md
new/advisory-db-20260226/crates/clob-sdk/RUSTSEC-2026-0017.md
--- old/advisory-db-20260213/crates/clob-sdk/RUSTSEC-2026-0017.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/clob-sdk/RUSTSEC-2026-0017.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0017"
+package = "clob-sdk"
+date = "2026-02-20"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `clob-sdk` was removed from crates.io for malicious code
+
+This is part of an ongoing campaign to attempt to typosquat crates in the
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
+ecosystem to exfiltrate user credentials.
+
+The malicious crate had 1 version published on 2026-02-20 approximately 4 hours
+before removal and had no evidence of actual downloads. There were no crates
+depending on this crate on crates.io.
+
+The crates.io team advises anyone developing with Polymarket to review
+dependencies carefully. We are investigating ways to mitigate this attacker who
+appears to be very motivated to steal Polymarket credentials.
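Review bot: unlike the evm-units, finch-rust and sha-rust advisories touched in this same diff, this entry carries no `url`, `references` or `aliases` field, so a cargo-audit user gets nothing beyond the crate name and the `expect-deleted` flag. If a crates.io blog post or a GHSA exists for this typosquat it should be linked, and the body never says which crate `clob-sdk` was imitating; the other entries in the polymarket-client-sdk campaign spell out the name difference (`sdks` vs `sdk`, `polymarkets` vs `polymarket`), which helps readers match the advisory against their dependency trees.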
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/evm-units/RUSTSEC-2025-0147.md
new/advisory-db-20260226/crates/evm-units/RUSTSEC-2025-0147.md
--- old/advisory-db-20260213/crates/evm-units/RUSTSEC-2025-0147.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/evm-units/RUSTSEC-2025-0147.md
2026-02-25 18:22:43.000000000 +0100
@@ -6,6 +6,7 @@
url =
"https://blog.rust-lang.org/2025/12/03/crates.io-malicious-crates-evm-units-and-uniswap-utils/"
references =
["https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads"]
expect-deleted = true
+aliases = ["GHSA-6662-54xr-8423"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/finch-rst/RUSTSEC-2025-0150.md
new/advisory-db-20260226/crates/finch-rst/RUSTSEC-2025-0150.md
--- old/advisory-db-20260213/crates/finch-rst/RUSTSEC-2025-0150.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/finch-rst/RUSTSEC-2025-0150.md
2026-02-25 18:22:43.000000000 +0100
@@ -4,6 +4,7 @@
package = "finch-rst"
date = "2025-12-09"
expect-deleted = true
+aliases = ["GHSA-xp79-9mxw-878j"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/finch-rust/RUSTSEC-2025-0148.md
new/advisory-db-20260226/crates/finch-rust/RUSTSEC-2025-0148.md
--- old/advisory-db-20260213/crates/finch-rust/RUSTSEC-2025-0148.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/finch-rust/RUSTSEC-2025-0148.md
2026-02-25 18:22:43.000000000 +0100
@@ -6,6 +6,7 @@
url =
"https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/"
references =
["https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials"]
expect-deleted = true
+aliases = ["GHSA-f8h5-x737-x4xr"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/finch_cli_rust/RUSTSEC-2025-0152.md
new/advisory-db-20260226/crates/finch_cli_rust/RUSTSEC-2025-0152.md
--- old/advisory-db-20260213/crates/finch_cli_rust/RUSTSEC-2025-0152.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/finch_cli_rust/RUSTSEC-2025-0152.md
2026-02-25 18:22:43.000000000 +0100
@@ -4,6 +4,7 @@
package = "finch_cli_rust"
date = "2025-12-09"
expect-deleted = true
+aliases = ["GHSA-6v2j-vr4h-f632"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/hexchat/RUSTSEC-2025-0153.md
new/advisory-db-20260226/crates/hexchat/RUSTSEC-2025-0153.md
--- old/advisory-db-20260213/crates/hexchat/RUSTSEC-2025-0153.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/hexchat/RUSTSEC-2025-0153.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0153"
+package = "hexchat"
+date = "2025-11-17"
+url = "https://github.com/pie-flavor/hexchat-rs/issues/3"
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory-safety"]
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# hexchat crate is unsound and unmaintained
+
+All versions of this crate have function `deregister_command` which can result
in use after free.
+This is unsound.
+
+In addition, all versions since 0.3.0 have "safe" macros, which are documented
as unsafe to use in threads.
+
+In addition, the `hexchat` crate is no longer actively maintained. If you
rely on this crate, consider switching
+to an alternative.
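Review bot: the title says the crate is both unsound and unmaintained, but the metadata only sets `informational = "unsound"`, so cargo-audit will report it as unsound and nothing else; the unmaintained status needs its own advisory with `informational = "unmaintained"` to be machine-readable. Since the body pins the use-after-free to `deregister_command`, an `[affected.functions]` table naming that function (as the libcrux entries in this diff do) would let cargo-audit narrow the report, and a version bound for the thread-unsafe "safe" macros (`>= 0.3.0` per the text) would help too, because `patched = []` currently treats every version identically.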
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/keccak/RUSTSEC-2026-0012.md
new/advisory-db-20260226/crates/keccak/RUSTSEC-2026-0012.md
--- old/advisory-db-20260213/crates/keccak/RUSTSEC-2026-0012.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/keccak/RUSTSEC-2026-0012.md 2026-02-25
18:22:43.000000000 +0100
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0012"
+package = "keccak"
+date = "2026-02-12"
+url = "https://github.com/RustCrypto/sponges/pull/101"
+informational = "unsound"
+categories = ["crypto-failure"]
+aliases = ["GHSA-3288-p39f-rqpv"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.1.6"]
+```
+
+# Unsoundness in opt-in ARMv8 assembly backend for `keccak`
+
+### Summary
+
+The `asm!` block enabled by the off-by-default `asm` feature, when enabled on
ARMv8 targets, misspecified the operand
+type for all of its operands, using `in` for pointers and values which were
subsequently mutated by operations performed
+within the assembly block.
+
+### Impact
+
+It's unclear what practical impact, if any, this actually had. Incorrect
operand types are technically undefined
+behavior, however changing them had no actual impact on the generated assembly
for these targets. The possibility still
+exists that it may lead to potential memory safety or other issues on
hypothetical future versions of rustc.
+
+### Mitigation
+
+The operand types were changed from `in` to `inout`, and the impacted versions
of the `keccak` crate were yanked.
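Review bot: `categories = ["crypto-failure"]` does not match the body, which describes misspecified `asm!` operand types (`in` where `inout` was needed) that are undefined behaviour with possible memory-safety consequences on a future rustc, and explicitly says the generated assembly and thus the hash output were unchanged; `memory-corruption` describes that risk better, or the category could be dropped for an `informational = "unsound"` entry. The defect is also limited to the off-by-default `asm` feature on ARMv8 targets, so if the advisory format's `[affected] arch` key covers aarch64, restricting the entry with it would avoid warning x86 users who cannot be affected.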
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/libcrux-ecdh/RUSTSEC-2026-0023.md
new/advisory-db-20260226/crates/libcrux-ecdh/RUSTSEC-2026-0023.md
--- old/advisory-db-20260213/crates/libcrux-ecdh/RUSTSEC-2026-0023.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/libcrux-ecdh/RUSTSEC-2026-0023.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0023"
+package = "libcrux-ecdh"
+date = "2026-01-26"
+aliases = ["GHSA-435g-fcv3-8j26"]
+url = "https://github.com/cryspen/libcrux/pull/1301"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
+
+[affected.functions]
+"libcrux_ecdh::validate_scalar" = [ "<= 0.0.5" ]
+
+[versions]
+patched = [">= 0.0.6"]
+```
+
+# X25519 secret validation did not check buffer length or clamping
+
+The latest releases of the libcrux-ecdh crate contains the following
+bug-fix:
+
+[#1301](https://github.com/cryspen/libcrux/pull/1301): Check length
+and clamping in X25519 secret validation. This is a breaking change
+since errors are now raised on unclamped X25519 secrets or inputs of
+the wrong length
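Review bot: grammar in the body: "The latest releases of the libcrux-ecdh crate contains" should read "contain", and the final sentence has no full stop; the same sentence template recurs in the libcrux-ed25519 and both libcrux-psq entries in this diff. Beyond that the description is just the PR title; one sentence on what an unclamped or wrong-length secret produced before the fix (silent acceptance, a panic, or a miscomputed shared secret) would let readers judge severity, since the CVSS vector here claims no impact at all.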
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/libcrux-ed25519/RUSTSEC-2026-0026.md
new/advisory-db-20260226/crates/libcrux-ed25519/RUSTSEC-2026-0026.md
--- old/advisory-db-20260213/crates/libcrux-ed25519/RUSTSEC-2026-0026.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/libcrux-ed25519/RUSTSEC-2026-0026.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0026"
+package = "libcrux-ed25519"
+date = "2026-02-05"
+aliases = ["GHSA-435g-fcv3-8j26"]
+url = "https://github.com/cryspen/libcrux/pull/1320"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
+
+[affected.functions]
+"libcrux_ed25519::generate_key_pair" = [ "<= 0.0.5" ]
+
+[versions]
+patched = [">= 0.0.6"]
+```
+
+# Unnecessary clamping of seed reduces seed entropy to 251 bits
+
+The latest releases of the libcrux-ed25519 crate contains the
+following bug-fix:
+
+[#1320](https://github.com/cryspen/libcrux/pull/1320): Remove
+duplicated clamping step during key generation
+
+The issue fixed in
+[#1320](https://github.com/cryspen/libcrux/pull/1320) was first
+reported by Nadim Kobeissi.
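Review bot: `aliases = ["GHSA-435g-fcv3-8j26"]` is the same GHSA already used by RUSTSEC-2026-0023 (libcrux-ecdh) and by both libcrux-psq entries (RUSTSEC-2026-0024 and RUSTSEC-2026-0025), yet this advisory describes a different defect (a duplicated clamping step cutting seed entropy to 251 bits) fixed in a different PR (#1320). An alias is meant to identify the same vulnerability in another database, so if that GHSA is a roll-up of several libcrux fixes it belongs under `related` rather than `aliases`; otherwise tooling that deduplicates on aliases will collapse four distinct issues into one.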
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/libcrux-psq/RUSTSEC-2026-0024.md
new/advisory-db-20260226/crates/libcrux-psq/RUSTSEC-2026-0024.md
--- old/advisory-db-20260213/crates/libcrux-psq/RUSTSEC-2026-0024.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/libcrux-psq/RUSTSEC-2026-0024.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0024"
+package = "libcrux-psq"
+date = "2026-01-26"
+aliases = ["GHSA-435g-fcv3-8j26"]
+url = "https://github.com/cryspen/libcrux/pull/1301"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
+
+[versions]
+patched = [">= 0.0.7"]
+```
+
+# Incorrect X25519 clamping check rejects all secrets on import
+
+The latest releases of the libcrux-psq crate contains the following
+bug-fix:
+
+[#1301](https://github.com/cryspen/libcrux/pull/1301): Fix broken
+clamping check for imported X25519 secret keys
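Review bot: the title says the broken clamping check rejected every secret on import, which is a functional and availability failure for any user of key import, yet the CVSS vector scores availability as none (`VA:N`), identical to the pure validation gap in RUSTSEC-2026-0023. Either adjust the vector or state in the body that the check failed closed (rejecting keys rather than accepting malformed ones) so readers understand why it is scored as no impact. Same grammar nit as the other libcrux entries: "contains" should be "contain".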
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/libcrux-psq/RUSTSEC-2026-0025.md
new/advisory-db-20260226/crates/libcrux-psq/RUSTSEC-2026-0025.md
--- old/advisory-db-20260213/crates/libcrux-psq/RUSTSEC-2026-0025.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/libcrux-psq/RUSTSEC-2026-0025.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0025"
+package = "libcrux-psq"
+date = "2026-02-08"
+aliases = ["GHSA-435g-fcv3-8j26"]
+url = "https://github.com/cryspen/libcrux/pull/1319"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+
+[affected.functions]
+"libcrux_psq::Channel::read_message" = [ "<= 0.0.6" ]
+
+[versions]
+patched = [">= 0.0.7"]
+```
+
+# Panic in `libcrux-psq` on decryption of malformed AES-GCM ciphertext
+
+The latest releases of the libcrux-psq crate contains the following
+bug-fix:
+
+[#1319](https://github.com/cryspen/libcrux/pull/1319): Propagate
+AEADError instead of panicking
+
+The issue fixed in
+[#1319](https://github.com/cryspen/libcrux/pull/1319) was first
+reported by Nadim Kobeissi.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/polymarket-client-sdks/RUSTSEC-2026-0011.md
new/advisory-db-20260226/crates/polymarket-client-sdks/RUSTSEC-2026-0011.md
--- old/advisory-db-20260213/crates/polymarket-client-sdks/RUSTSEC-2026-0011.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/polymarket-client-sdks/RUSTSEC-2026-0011.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0011"
+package = "polymarket-client-sdks"
+date = "2026-02-13"
+expect-deleted = true
+aliases = ["GHSA-p5vf-5754-x7p3"]
+
+[versions]
+patched = []
+```
+
+# `polymarket-client-sdks` was removed from crates.io for malicious code
+
+It appeared to be typosquatting existing crate
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
(`sdks` vs `sdk`)
+and attempting to steal credentials from local files.
+
+The malicious crate had 1 version published on 2026-02-09 and had been
downloaded only 33 times.
+There were no crates depending on this crate on crates.io.
+
+Thanks to Roland Peelen for finding and reporting this to the crates.io team!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
new/advisory-db-20260226/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
--- old/advisory-db-20260213/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/polymarket-clients-sdk/RUSTSEC-2026-0010.md
2026-02-25 18:22:43.000000000 +0100
@@ -4,6 +4,7 @@
package = "polymarket-clients-sdk"
date = "2026-02-06"
expect-deleted = true
+aliases = ["GHSA-382q-fpqh-29f7"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/polymarkets-client-sdk/RUSTSEC-2026-0015.md
new/advisory-db-20260226/crates/polymarkets-client-sdk/RUSTSEC-2026-0015.md
--- old/advisory-db-20260213/crates/polymarkets-client-sdk/RUSTSEC-2026-0015.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/polymarkets-client-sdk/RUSTSEC-2026-0015.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0015"
+package = "polymarkets-client-sdk"
+date = "2026-02-19"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `polymarkets-client-sdk` was removed from crates.io for malicious code
+
+It appeared to be typosquatting existing crate
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
(`polymarkets` vs
+`polymarket`) and attempting to steal credentials from local files.
+
+The malicious crate had 1 version published on 2026-02-19 an hour before
removal and hadn't been
+downloaded. There were no crates depending on this crate on crates.io.
+
+Thanks to Carol Nichols, who is thanking herself for spotting this in the
docs.rs build queue and
+removing it quickly!
+
+The crates.io team advises anyone developing with Polymarket to review
dependencies carefully. We
+are investigating ways to mitigate this attacker who appears to be very
motivated to steal
+Polymarket credentials.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/polymarkets-rs-clob-client/RUSTSEC-2026-0016.md
new/advisory-db-20260226/crates/polymarkets-rs-clob-client/RUSTSEC-2026-0016.md
---
old/advisory-db-20260213/crates/polymarkets-rs-clob-client/RUSTSEC-2026-0016.md
1970-01-01 01:00:00.000000000 +0100
+++
new/advisory-db-20260226/crates/polymarkets-rs-clob-client/RUSTSEC-2026-0016.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0016"
+package = "polymarkets-rs-clob-client"
+date = "2026-02-20"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `polymarkets-rs-clob-client` was removed from crates.io for malicious code
+
+This is part of an ongoing campaign to attempt to typosquat crates in the
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
+ecosystem to exfiltrate user credentials.
+
+The malicious crate had 1 version published on 2026-02-19 approximately 20
+hours before removal and had no evidence of actual downloads. There were no
+crates depending on this crate on crates.io.
+
+Thanks to Adam Harvey at the Rust Foundation, who is awkwardly thanking himself
+in this instance.
+
+The crates.io team advises anyone developing with Polymarket to review
+dependencies carefully. We are investigating ways to mitigate this attacker who
+appears to be very motivated to steal Polymarket credentials.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/pyo3/RUSTSEC-2026-0013.md
new/advisory-db-20260226/crates/pyo3/RUSTSEC-2026-0013.md
--- old/advisory-db-20260213/crates/pyo3/RUSTSEC-2026-0013.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/pyo3/RUSTSEC-2026-0013.md 2026-02-25
18:22:43.000000000 +0100
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0013"
+package = "pyo3"
+date = "2026-02-18"
+url = "https://github.com/PyO3/pyo3/pull/5807#issuecomment-3913251784"
+categories = ["memory-corruption"]
+keywords = ["memory-corruption"]
+aliases = ["GHSA-47qc-857f-7w7f"]
+
+
+[versions]
+patched = [">= 0.28.2"]
+unaffected = ["< 0.28.0"]
+```
+
+# Type confusion when accessing data from sublasses of subclasses of native
types with `abi3` feature targeting Python 3.12 and up
+
+PyO3 0.28.1 added support for `#[pyclass(extends=PyList)] struct NativeSub`
(and other native types) when targeting Python 3.12 and up with the `abi3`
feature.
+
+It was discovered that subclasses of such classes would use the type of the
subclass when attempting to access to data of `NativeSub` contained within
Python objects, amounting to memory corruption.
+
+PyO3 0.28.2 fixed the issue by using the type of (e.g.) `NativeSub` correctly.
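Review bot: the version ranges and the text disagree: the body says support for subclasses of native types arrived in PyO3 0.28.1, but `unaffected = ["< 0.28.0"]` leaves 0.28.0 flagged as vulnerable; unless 0.28.0 is affected for some other reason this should be `unaffected = ["< 0.28.1"]`. Also "sublasses" in the title should be "subclasses", and there is a stray duplicate blank line before `[versions]`.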
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/rpc-check/RUSTSEC-2026-0014.md
new/advisory-db-20260226/crates/rpc-check/RUSTSEC-2026-0014.md
--- old/advisory-db-20260213/crates/rpc-check/RUSTSEC-2026-0014.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/rpc-check/RUSTSEC-2026-0014.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0014"
+package = "rpc-check"
+date = "2026-02-19"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `rpc-check` was removed from crates.io for malicious code
+
+It was attempting to steal credentials from the `POLYMARKET_PRIVATE_KEY`
environment variable.
+
+The malicious crate had 3 versions published on 2026-02-15 and had been
downloaded only 155 times.
+There were no crates depending on this crate on crates.io.
+
+Thanks to Sisong Li for finding and reporting this to the crates.io team!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/rpc-check/RUSTSEC-2026-0018.md
new/advisory-db-20260226/crates/rpc-check/RUSTSEC-2026-0018.md
--- old/advisory-db-20260213/crates/rpc-check/RUSTSEC-2026-0018.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/rpc-check/RUSTSEC-2026-0018.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0018"
+package = "rpc-check"
+date = "2026-02-24"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `rpc-check` was removed from crates.io for malicious code
+
+This is part of an ongoing campaign to attempt to typosquat crates in the
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
+ecosystem to exfiltrate user credentials.
+
+The malicious crate had 6 versions published from 2026-02-20 onwards and had no
+evidence of actual usage. There were no crates depending on this crate on
+crates.io.
+
+Thanks to Eren for finding and reporting this to the Rust security response
+working group, and to Emily Albini for co-ordinating with the crates.io team.
+
+The crates.io team advises anyone developing with Polymarket to review
+dependencies carefully. We are investigating ways to mitigate this attacker who
+appears to be very motivated to steal Polymarket credentials.
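Review bot: this is the second `rpc-check` advisory in the database (RUSTSEC-2026-0014 covers three versions published on 2026-02-15; this one covers six versions from 2026-02-20 onwards), which implies the crate name was re-registered after the first removal. Both entries apply to every version of the name because `patched = []`, so a dependency on it will trigger both; adding `related = ["RUSTSEC-2026-0014"]` and one sentence saying the name was republished would stop readers from treating this as an accidental duplicate.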
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/sha-rst/RUSTSEC-2025-0151.md
new/advisory-db-20260226/crates/sha-rst/RUSTSEC-2025-0151.md
--- old/advisory-db-20260213/crates/sha-rst/RUSTSEC-2025-0151.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/sha-rst/RUSTSEC-2025-0151.md
2026-02-25 18:22:43.000000000 +0100
@@ -4,6 +4,7 @@
package = "sha-rst"
date = "2025-12-09"
expect-deleted = true
+aliases = ["GHSA-vgr2-r5hm-f6gf"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/sha-rust/RUSTSEC-2025-0146.md
new/advisory-db-20260226/crates/sha-rust/RUSTSEC-2025-0146.md
--- old/advisory-db-20260213/crates/sha-rust/RUSTSEC-2025-0146.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/sha-rust/RUSTSEC-2025-0146.md
2026-02-25 18:22:43.000000000 +0100
@@ -6,6 +6,7 @@
url =
"https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/"
references =
["https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials"]
expect-deleted = true
+aliases = ["GHSA-3mmg-7c2q-8938"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/tracing-check/RUSTSEC-2026-0019.md
new/advisory-db-20260226/crates/tracing-check/RUSTSEC-2026-0019.md
--- old/advisory-db-20260213/crates/tracing-check/RUSTSEC-2026-0019.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/tracing-check/RUSTSEC-2026-0019.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0019"
+package = "tracing-check"
+date = "2026-02-24"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `tracing-check` was removed from crates.io for malicious code
+
+This is part of an ongoing campaign to attempt to typosquat crates in the
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)
+ecosystem to exfiltrate user credentials.
+
+The malicious crate had 1 version published on 2026-02-24 approximately 4 hours
+before removal and had no evidence of actual downloads. There were no crates
+depending on this crate on crates.io.
+
+The crates.io team advises anyone developing with Polymarket to review
+dependencies carefully. We are investigating ways to mitigate this attacker who
+appears to be very motivated to steal Polymarket credentials.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/uniswap-utils/RUSTSEC-2025-0145.md
new/advisory-db-20260226/crates/uniswap-utils/RUSTSEC-2025-0145.md
--- old/advisory-db-20260213/crates/uniswap-utils/RUSTSEC-2025-0145.md
2026-02-12 06:57:23.000000000 +0100
+++ new/advisory-db-20260226/crates/uniswap-utils/RUSTSEC-2025-0145.md
2026-02-25 18:22:43.000000000 +0100
@@ -6,6 +6,7 @@
url =
"https://blog.rust-lang.org/2025/12/03/crates.io-malicious-crates-evm-units-and-uniswap-utils/"
references =
["https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads"]
expect-deleted = true
+aliases = ["GHSA-x468-phr8-h3p3"]
[versions]
patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0020.md
new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0020.md
--- old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0020.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0020.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0020"
+package = "wasmtime"
+date = "2026-02-24"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w"
+categories = []
+keywords = []
+aliases = ["CVE-2026-27204", "GHSA-852m-cvvp-9p4w"]
+license = "CC0-1.0"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+
+[versions]
+patched = [
+ ">= 24.0.6, < 25.0.0",
+ ">= 36.0.6, < 37.0.0",
+ ">= 40.0.4, < 41.0.0",
+ ">= 41.0.4",
+]
+unaffected = []
+```
+
+# Guest-controlled resource exhaustion in WASI implementations
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w
+For more information see the GitHub-hosted security advisory.
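Review bot: `categories = []` and `keywords = []` are left empty although the title names guest-controlled resource exhaustion, which is the textbook `denial-of-service` category and what the CVSS vector (`VA:H`, `SA:H`) already expresses; filling it in lets cargo-audit users who filter on category see the entry. The body only links to the GitHub advisory, so a one-line note on which WASI implementations are affected would keep the RustSec entry useful when read offline.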
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0021.md
new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0021.md
--- old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0021.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0021.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0021"
+package = "wasmtime"
+date = "2026-02-24"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"
+categories = []
+keywords = []
+aliases = ["CVE-2026-27572", "GHSA-243v-98vx-264h"]
+license = "CC0-1.0"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+
+[versions]
+patched = [
+ ">= 24.0.6, < 25.0.0",
+ ">= 36.0.6, < 37.0.0",
+ ">= 40.0.4, < 41.0.0",
+ ">= 41.0.4",
+]
+unaffected = []
+```
+
+# Panic adding excessive fields to a `wasi:http/types.fields` instance
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h
+For more information see the GitHub-hosted security advisory.
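Review bot: same metadata gap as RUSTSEC-2026-0020 in this diff: a panic on excessive fields in `wasi:http/types.fields` is an availability issue (`VA:H` in the vector) but `categories = []`; `denial-of-service` fits. The body gives no hint whether embedders that do not expose `wasi:http` to guests are affected, and since that is the first question an operator asks when triaging, a sentence on it would save a trip to the GitHub advisory.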
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0022.md
new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0022.md
--- old/advisory-db-20260213/crates/wasmtime/RUSTSEC-2026-0022.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260226/crates/wasmtime/RUSTSEC-2026-0022.md
2026-02-25 18:22:43.000000000 +0100
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0022"
+package = "wasmtime"
+date = "2026-02-24"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94"
+categories = []
+keywords = []
+aliases = ["CVE-2026-27195", "GHSA-xjhv-v822-pf94"]
+license = "CC0-1.0"
+cvss = "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+
+[versions]
+patched = [
+ ">= 40.0.4, < 41.0.0",
+ ">= 41.0.4",
+]
+unaffected = ["< 39.0.0"]
+```
+
+# Panic when dropping a `[Typed]Func::call_async` future
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94
+For more information see the GitHub-hosted security advisory.
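Review bot: `unaffected = ["< 39.0.0"]` together with `patched` listing only the 40.x and 41.x branches leaves every 39.x release in the affected set with no fix version on its branch, so 39.x users get an upgrade-major recommendation with no explanation; if 39.x received a fix it should be listed, and if that branch is end-of-life the body should say so. As with the other two Wasmtime entries here, a panic when dropping a `[Typed]Func::call_async` future is a `denial-of-service` class issue and `categories = []` could reflect that.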