Hello community,

here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2021-05-08 22:07:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Sat May  8 22:07:36 2021 rev:5 rq:891454 version:20210507

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-04-29 01:38:59.310628453 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2988/cargo-audit-advisory-db.changes
        2021-05-08 22:08:46.937388011 +0200
@@ -1,0 +2,15 @@
+Fri May 07 03:16:33 UTC 2021 - wbr...@suse.de
+
+- Update to version 20210507:
+  * Assigned RUSTSEC-2021-0064 to cpuid-bool (#905)
+  * Add unmaintained crate advisory for `cpuid-bool` (#904)
+  * Assigned RUSTSEC-2021-0063 to comrak (#903)
+  * Add advisory for another comrak XSS (#902)
+  * aes* crates: add crate names to advisory titles (#901)
+  * Assigned RUSTSEC-2021-0062 to miscreant (#900)
+  * Add unmaintained crate advisory for `miscreant` (#899)
+  * Assigned RUSTSEC-2021-0061 to aes-ctr (#898)
+  * Add unmaintained crate advisory for `aes-ctr` (#897)
+  * Assigned RUSTSEC-2021-0060 to aes-soft (#896)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20210428.tar.xz

New:
----
  advisory-db-20210507.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.lHwoUc/_old  2021-05-08 22:08:47.469385707 +0200
+++ /var/tmp/diff_new_pack.lHwoUc/_new  2021-05-08 22:08:47.473385690 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20210428
+Version:        20210507
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
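Review bot: the context line `Summary:        A database of known security issues for Rust depedencies` carries a typo, `depedencies` should read `dependencies`; since the adjacent Version line is already being touched in this hunk, this is a convenient moment to correct the Summary as well.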

++++++ _service ++++++
--- /var/tmp/diff_new_pack.lHwoUc/_old  2021-05-08 22:08:47.505385551 +0200
+++ /var/tmp/diff_new_pack.lHwoUc/_new  2021-05-08 22:08:47.509385534 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20210428</param>
+    <param name="version">20210507</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">wbr...@suse.de</param>
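Review bot: `<param name="revision">master</param>` checks out the branch head rather than a fixed commit, so bumping `version` to 20210507 by itself does not pin which advisory-db commit ends up in the tarball; setting `revision` to the commit hash that corresponds to the 20210507 snapshot would make the obs_scm fetch reproducible and auditable.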

++++++ advisory-db-20210428.tar.xz -> advisory-db-20210507.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20210428/.duplicate-id-guard 
new/advisory-db-20210507/.duplicate-id-guard
--- old/advisory-db-20210428/.duplicate-id-guard        2021-04-19 
18:31:05.000000000 +0200
+++ new/advisory-db-20210507/.duplicate-id-guard        2021-05-07 
01:45:32.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-eb74c8b3b8a4e2af330ec03f3788ec9eaf23a4184b1a97ae893ea6ec3cad792d  -
+0ebb4b8968ecfc3c4e67cc1851642dfa8b0b61fe7bde39d0807e3cebe51000c2  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/.github/workflows/assign-ids.yml 
new/advisory-db-20210507/.github/workflows/assign-ids.yml
--- old/advisory-db-20210428/.github/workflows/assign-ids.yml   2021-04-19 
18:31:05.000000000 +0200
+++ new/advisory-db-20210507/.github/workflows/assign-ids.yml   2021-05-07 
01:45:32.000000000 +0200
@@ -15,12 +15,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.3.4
+        key: rustsec-admin-v0.4.2
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.3.4
+            cargo install rustsec-admin --vers 0.4.2
         fi
 
     - name: Assign IDs
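Review bot: `cargo install rustsec-admin --vers 0.4.2` pins the crate version but not its dependency tree; adding `--locked` makes cargo honour the crate's Cargo.lock, so the CI binary that assigns advisory IDs is built from a fixed set of dependencies. The same install line appears in publish-web.yml and validate.yml below. Note also that the cache key `rustsec-admin-v0.4.2` is what actually evicts the stale 0.3.4 binary, because the `if [ ! -f $HOME/.cargo/bin/rustsec-admin ]` guard only tests for file presence, so the key and the `--vers` value must be bumped together every time.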
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/.github/workflows/publish-web.yml 
new/advisory-db-20210507/.github/workflows/publish-web.yml
--- old/advisory-db-20210428/.github/workflows/publish-web.yml  2021-04-19 
18:31:05.000000000 +0200
+++ new/advisory-db-20210507/.github/workflows/publish-web.yml  2021-05-07 
01:45:32.000000000 +0200
@@ -14,10 +14,10 @@
       - uses: actions/cache@v1
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.4.0
+          key: rustsec-admin-v0.4.2
       - run: |
           if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.4.0
+           cargo install rustsec-admin --vers 0.4.2
           fi
           rustsec-admin web .
           git config user.name github-actions
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20210428/.github/workflows/validate.yml 
new/advisory-db-20210507/.github/workflows/validate.yml
--- old/advisory-db-20210428/.github/workflows/validate.yml     2021-04-19 
18:31:05.000000000 +0200
+++ new/advisory-db-20210507/.github/workflows/validate.yml     2021-05-07 
01:45:32.000000000 +0200
@@ -16,12 +16,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.3.4
+        key: rustsec-admin-v0.4.2
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.3.4
+            cargo install rustsec-admin --vers 0.4.2
         fi
 
     - name: Lint advisories
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/aes-ctr/RUSTSEC-2021-0061.md 
new/advisory-db-20210507/crates/aes-ctr/RUSTSEC-2021-0061.md
--- old/advisory-db-20210428/crates/aes-ctr/RUSTSEC-2021-0061.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/aes-ctr/RUSTSEC-2021-0061.md        
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0061"
+package = "aes-ctr"
+date = "2021-04-29"
+informational = "unmaintained"
+url = "https://github.com/RustCrypto/block-ciphers/pull/200";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `aes-ctr` has been merged into the `aes` crate
+
+Please use the `aes` crate going forward. The new repository location is at:
+
+<https://github.com/RustCrypto/block-ciphers/tree/master/aes>
+
+The `aes` crate now has an optional `ctr` feature which autodetects SIMD
+features on `i686`/`x86-64` targets and uses them if available, or otherwise
+falls back to the implementation in the `ctr` crate.
+
+If you would prefer not to have this autodetection performed, use the `aes`
+crate directly with the `ctr` crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/aes-soft/RUSTSEC-2021-0060.md 
new/advisory-db-20210507/crates/aes-soft/RUSTSEC-2021-0060.md
--- old/advisory-db-20210428/crates/aes-soft/RUSTSEC-2021-0060.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/aes-soft/RUSTSEC-2021-0060.md       
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0060"
+package = "aes-soft"
+date = "2021-04-29"
+informational = "unmaintained"
+url = "https://github.com/RustCrypto/block-ciphers/pull/200";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `aes-soft` has been merged into the `aes` crate
+
+Please use the `aes` crate going forward. The new repository location is at:
+
+<https://github.com/RustCrypto/block-ciphers/tree/master/aes>
+
+AES-NI is now autodetected at runtime on `i686`/`x86-64` platforms.
+If AES-NI is not present, the `aes` crate will fallback to a constant-time
+portable software implementation.
+
+To force the use of a constant-time portable implementation on these platforms,
+even if AES-NI is available, use the new `force-soft` feature of the `aes`
+crate to disable autodetection.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/aesni/RUSTSEC-2021-0059.md 
new/advisory-db-20210507/crates/aesni/RUSTSEC-2021-0059.md
--- old/advisory-db-20210428/crates/aesni/RUSTSEC-2021-0059.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/aesni/RUSTSEC-2021-0059.md  2021-05-07 
01:45:32.000000000 +0200
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0059"
+package = "aesni"
+date = "2021-04-29"
+informational = "unmaintained"
+url = "https://github.com/RustCrypto/block-ciphers/pull/200";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `aesni` has been merged into the `aes` crate
+
+Please use the `aes` crate going forward. The new repository location is at:
+
+<https://github.com/RustCrypto/block-ciphers/tree/master/aes>
+
+AES-NI is now autodetected at runtime on `i686`/`x86-64` platforms.
+If AES-NI is not present, the `aes` crate will fallback to a constant-time
+portable software implementation.
+
+To prevent this fallback (and have absence of AES-NI result in an illegal
+instruction crash instead), continue to pass the same RUSTFLAGS which were
+previously required for the `aesni` crate to compile:
+
+```
+RUSTFLAGS=-Ctarget-feature=+aes,+ssse3
+```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/comrak/RUSTSEC-2021-0063.md 
new/advisory-db-20210507/crates/comrak/RUSTSEC-2021-0063.md
--- old/advisory-db-20210428/crates/comrak/RUSTSEC-2021-0063.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/comrak/RUSTSEC-2021-0063.md 2021-05-07 
01:45:32.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0063"
+package = "comrak"
+date = "2021-05-04"
+url = "https://github.com/kivikakk/comrak/releases/tag/0.10.1";
+categories = ["format-injection"]
+keywords = ["xss"]
+
+[versions]
+patched = [">= 0.10.1"]
+```
+
+# XSS in `comrak`
+
+[comrak](https://github.com/kivikakk/comrak) operates by default in a "safe"
+mode of operation where unsafe content, such as arbitrary raw HTML or URLs with
+non-standard schemes, are not permitted in the output.  This is per the
+reference GFM implementation, [cmark-gfm](https://github.com/github/cmark).
+
+Ampersands were not being correctly escaped in link targets, making it possible
+to fashion unsafe URLs using schemes like `data:` or `javascript:` by entering
+them as HTML entities, e.g. `&#x64&#x61&#x74&#x61&#x3a`.  The intended
+behaviour, demonstrated upstream, is that these should be escaped and therefore
+harmless, but this behaviour was broken in comrak.
+
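Review bot: the new file ends with an empty added line (the final `+`), leaving a trailing blank line that should be dropped. The description says the intended escaping is "demonstrated upstream", but the only links are the 0.10.1 release tag and the cmark-gfm repository root; linking the specific upstream test or the comrak fix commit would let readers verify the claim that entity-encoded `data:`/`javascript:` schemes are escaped by the reference implementation.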
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/cpuid-bool/RUSTSEC-2021-0064.md 
new/advisory-db-20210507/crates/cpuid-bool/RUSTSEC-2021-0064.md
--- old/advisory-db-20210428/crates/cpuid-bool/RUSTSEC-2021-0064.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/cpuid-bool/RUSTSEC-2021-0064.md     
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0064"
+package = "cpuid-bool"
+date = "2021-05-06"
+informational = "unmaintained"
+url = "https://github.com/RustCrypto/utils/pull/381";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `cpuid-bool` has been renamed to `cpufeatures`
+
+Please use the `cpufeatures`` crate going forward:
+
+<https://github.com/RustCrypto/utils/tree/master/cpufeatures>
+
+There will be no further releases of `cpuid-bool`.
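Review bot: `Please use the `cpufeatures`` crate going forward:` has a doubled closing backtick after `cpufeatures`, which will render as a stray backtick on the RustSec site; it should be a single backtick.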
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/miscreant/RUSTSEC-2021-0062.md 
new/advisory-db-20210507/crates/miscreant/RUSTSEC-2021-0062.md
--- old/advisory-db-20210428/crates/miscreant/RUSTSEC-2021-0062.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/miscreant/RUSTSEC-2021-0062.md      
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0062"
+package = "miscreant"
+date = "2021-02-28"
+informational = "unmaintained"
+url = 
"https://github.com/miscreant/miscreant.rs/commit/5d921f579e0c2b9960d472cf377b8487d97fbcec";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# project abandoned; migrate to the `aes-siv` crate
+
+The Miscreant project has been abandoned and archived.
+
+The Rust implementation has been adapted into the new `aes-siv` crate which
+implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions:
+
+<https://github.com/RustCrypto/AEADs/tree/master/aes-siv>
+
+Please migrate to the `aes-siv` crate.
+
+Alternatively see the `aes-gcm-siv` crate for a newer, faster construction
+which provides similar properties:
+
+<https://github.com/RustCrypto/AEADs/tree/master/aes-gcm-siv>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0055.md 
new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0055.md
--- old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0055.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0055.md    
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0055"
+package = "openssl-src"
+aliases = ["CVE-2021-3449"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210325.txt";
+
+[versions]
+patched = [">= 111.15"]
+```
+
+# NULL pointer deref in signature_algorithms processing
+
+An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
+ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
+the signature_algorithms extension (where it was present in the initial
+ClientHello), but includes a signature_algorithms_cert extension then a NULL
+pointer dereference will result, leading to a crash and a denial of service
+attack.
+
+A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
+is the default configuration). OpenSSL TLS clients are not impacted by this
+issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0056.md 
new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0056.md
--- old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0056.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0056.md    
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0056"
+package = "openssl-src"
+aliases = ["CVE-2021-3450"]
+categories = ["crypto-failure"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210325.txt";
+
+[versions]
+patched = [">= 111.15"]
+unaffected = ["< 111.11"]
+```
+
+# CA certificate check bypass with X509_V_FLAG_X509_STRICT
+
+The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
+certificates present in a certificate chain. It is not set by default.
+
+Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+the chain that have explicitly encoded elliptic curve parameters was added
+as an additional strict check.
+
+An error in the implementation of this check meant that the result of a
+previous check to confirm that certificates in the chain are valid CA
+certificates was overwritten. This effectively bypasses the check
+that non-CA certificates must not be able to issue other certificates.
+
+If a "purpose" has been configured then there is a subsequent opportunity
+for checks that the certificate is a valid CA.  All of the named "purpose"
+values implemented in libcrypto perform this check.  Therefore, where
+a purpose is set the certificate chain will still be rejected even when the
+strict flag has been used. A purpose is set by default in libssl client and
+server certificate verification routines, but it can be overridden or
+removed by an application.
+
+In order to be affected, an application must explicitly set the
+X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+for the certificate verification or, in the case of TLS client or server
+applications, override the default purpose.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0057.md 
new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0057.md
--- old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0057.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0057.md    
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0057"
+package = "openssl-src"
+aliases = ["CVE-2021-23840"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210216.txt";
+
+[versions]
+patched = [">= 111.14"]
+```
+
+# Integer overflow in CipherUpdate
+
+Calls to `EVP_CipherUpdate`, `EVP_EncryptUpdate` and `EVP_DecryptUpdate` may 
overflow
+the output length argument in some cases where the input length is close to the
+maximum permissable length for an integer on the platform. In such cases the
+return value from the function call will be 1 (indicating success), but the
+output length value will be negative. This could cause applications to behave
+incorrectly or crash.
+
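Review bot: `permissable` in the description should be `permissible`, and the file ends with an extra empty added line (the final `+`) that should be removed so the advisory ends after its last paragraph.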
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0058.md 
new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0058.md
--- old/advisory-db-20210428/crates/openssl-src/RUSTSEC-2021-0058.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/openssl-src/RUSTSEC-2021-0058.md    
2021-05-07 01:45:32.000000000 +0200
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0058"
+package = "openssl-src"
+aliases = ["CVE-2021-23841"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210216.txt";
+
+[versions]
+patched = [">= 111.14"]
+```
+
+# Null pointer deref in `X509_issuer_and_serial_hash()`
+
+The OpenSSL public API function `X509_issuer_and_serial_hash()` attempts to
+create a unique hash value based on the issuer and serial number data contained
+within an X509 certificate. However it fails to correctly handle any errors
+that may occur while parsing the issuer field (which might occur if the issuer
+field is maliciously constructed). This may subsequently result in a NULL
+pointer deref and a crash leading to a potential denial of service attack.
+
+The function `X509_issuer_and_serial_hash()` is never directly called by 
OpenSSL
+itself so applications are only vulnerable if they use this function directly
+and they use it on certificates that may have been obtained from untrusted
+sources.
+
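Review bot: the final added line is empty, leaving a trailing blank line at end of file; drop it for consistency with the other new advisories in this tarball (the aes-*, cpuid-bool and miscreant files all end on their last text line).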
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210428/crates/rkyv/RUSTSEC-2021-0054.md 
new/advisory-db-20210507/crates/rkyv/RUSTSEC-2021-0054.md
--- old/advisory-db-20210428/crates/rkyv/RUSTSEC-2021-0054.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20210507/crates/rkyv/RUSTSEC-2021-0054.md   2021-05-07 
01:45:32.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0054"
+package = "rkyv"
+date = "2021-04-28"
+url = "https://github.com/djkoloski/rkyv/issues/113";
+categories = ["memory-exposure"]
+keywords = ["uninitialized", "memory", "information", "leak"]
+
+[versions]
+patched = [">= 0.6.0"]
+
+[affected]
+functions = { "rkyv::Archive::resolve" = ["< 0.6.0"] }
+```
+
+# Archives may contain uninitialized memory
+
+`rkyv` is a serialization framework that writes struct-compatible memory to be 
stored or
+transmitted. During serialization, struct padding bytes and unused enum bytes 
may not be
+initialized. These bytes may be written to disk or sent over unsecured 
channels.
