Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2026-07-07 21:03:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Tue Jul  7 21:03:48 2026 rev:55 rq:1364146 version:20260707

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2026-06-18 18:42:42.730261977 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1982/cargo-audit-advisory-db.changes
        2026-07-07 21:06:23.228883358 +0200
@@ -1,0 +2,15 @@
+Tue Jul 07 04:09:23 UTC 2026 - [email protected]
+
+- Update to version 20260707:
+  * Assigned RUSTSEC-2026-0204 to crossbeam-epoch
+  * Add advisory for invalid pointer dereference in fmt::Pointer impl for 
crossbeam_epoch::{Atomic,Shared}
+  * Bump actions/cache from 5.0.5 to 6.1.0
+  * Assigned RUSTSEC-2026-0203 to tree-sitter-perl-next
+  * Add tree-sitter-perl-next unmaintained advisory (#3039)
+  * Assigned RUSTSEC-2026-0202 to cxx
+  * Add advisory for cxx let_cxx_string unsoundness (#3037)
+  * Assigned RUSTSEC-2026-0201 to fulgur
+  * Add advisory for fulgur: blank-page DoS via non-painting replaced elements
+  * Assigned RUSTSEC-2026-0200 to fulgur
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20260618.tar.xz

New:
----
  advisory-db-20260707.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.dkvNRq/_old  2026-07-07 21:06:23.984909822 +0200
+++ /var/tmp/diff_new_pack.dkvNRq/_new  2026-07-07 21:06:23.984909822 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20260618
+Version:        20260707
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.dkvNRq/_old  2026-07-07 21:06:24.028911363 +0200
+++ /var/tmp/diff_new_pack.dkvNRq/_new  2026-07-07 21:06:24.036911643 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20260618</param>
+    <param name="version">20260707</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">[email protected]</param>

++++++ advisory-db-20260618.tar.xz -> advisory-db-20260707.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20260618/.duplicate-id-guard 
new/advisory-db-20260707/.duplicate-id-guard
--- old/advisory-db-20260618/.duplicate-id-guard        2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.duplicate-id-guard        2026-07-07 
00:19:41.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-ce908ba0f99bbc5d19908680c6393bf7fdb9644c0b9771f658809f753f55baaa  -
+cb6b18bc8f1ac5859aefcd4938ed9bd890f6f4f3ea4eb4314bed1cec97f8669c  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/.github/workflows/assign-ids.yml 
new/advisory-db-20260707/.github/workflows/assign-ids.yml
--- old/advisory-db-20260618/.github/workflows/assign-ids.yml   2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/assign-ids.yml   2026-07-07 
00:19:41.000000000 +0200
@@ -14,20 +14,20 @@
       contents: write # for create-pull-request
       pull-requests: write # for create-pull-request
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 
v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 
v7.0.0
         with:
           persist-credentials: false
 
       - name: Cache cargo bin
         id: admin-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+          key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Assign IDs
         id: assign
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/.github/workflows/export-osv.yml 
new/advisory-db-20260707/.github/workflows/export-osv.yml
--- old/advisory-db-20260618/.github/workflows/export-osv.yml   2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/export-osv.yml   2026-07-07 
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
     permissions:
       contents: write # needed for pushing back to the repo
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 
v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 
v7.0.0
         with:
           ref: osv
           persist-credentials: true # persists the token for git push below
 
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         id: admin-cache
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+          key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - run: |
           mkdir -p crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/.github/workflows/publish-web.yml 
new/advisory-db-20260707/.github/workflows/publish-web.yml
--- old/advisory-db-20260618/.github/workflows/publish-web.yml  2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/publish-web.yml  2026-07-07 
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
     permissions:
       contents: write # needed for pushing back to the repo
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 
v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 
v7.0.0
         with:
           ref: gh-pages
           persist-credentials: true # persists the token for git push below
 
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         id: admin-cache
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+          key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - run: |
           rustsec-admin web .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20260618/.github/workflows/sync-ids.yml 
new/advisory-db-20260707/.github/workflows/sync-ids.yml
--- old/advisory-db-20260618/.github/workflows/sync-ids.yml     2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/sync-ids.yml     2026-07-07 
00:19:41.000000000 +0200
@@ -16,20 +16,20 @@
       contents: write # for create-pull-request
       pull-requests: write # for create-pull-request
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 
v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 
v7.0.0
         with:
           persist-credentials: false
 
       - name: Cache cargo bin
         id: admin-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+          key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Synchronize IDs
         id: sync_ids
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20260618/.github/workflows/validate.yml 
new/advisory-db-20260707/.github/workflows/validate.yml
--- old/advisory-db-20260618/.github/workflows/validate.yml     2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/validate.yml     2026-07-07 
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
     name: Lint advisories
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 
v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 
v7.0.0
         with:
           persist-credentials: false
 
       - name: Cache cargo bin
         id: admin-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+          key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+        run: cargo install --git https://github.com/rustsec/rustsec 
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
 
       - name: Lint advisories
         run: rustsec-admin lint
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/ammonia/RUSTSEC-2026-0193.md 
new/advisory-db-20260707/crates/ammonia/RUSTSEC-2026-0193.md
--- old/advisory-db-20260618/crates/ammonia/RUSTSEC-2026-0193.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/ammonia/RUSTSEC-2026-0193.md        
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,51 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0193"
+package = "ammonia"
+date = "2026-06-30"
+categories = ["format-injection"]
+keywords = ["html", "xss"]
+aliases = ["GHSA-9jh8-v38h-cvhr"]
+
+[versions]
+patched = [">= 4.1.3", ">= 4.0.2, < 4.1.0", ">= 3.3.2, < 4.0.0"]
+```
+
+# mXSS in ammonia via MathML `annotation-xml` encoding strip
+
+If a certain set of MathML tags are enabled, an attacker can inject arbitrary 
JavaScript code into the user's browser.
+
+The `annotation-xml` tag has slightly different behavior than the other 
"integration point"
+tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly
+strip the namespace-incompatible tags.
+
+This vulnerability only has an effect when the `math` and `annotation-xml` tags
+are both enabled, but the `encoding` attribute is disabled, because it relies
+on the following sequence of steps:
+
+1. User writes code like `<math><annotation-xml 
encoding="text/html"><gadget></annotation-xml></math>`.
+2. Namespace filtering checks the DOM, and it passes. `<gadget>` is parsed as 
HTML.
+3. Attribute filter strips it down to 
`<math><annotation-xml><gadget></annotation-xml></math>`. Because the encoding 
attribute is gone, `<gadget>` is now parsed as MathML.
+4. The gadget is written in such a way that it exploits the parsing 
differences between HTML and MathML.
+
+Additionally, the gadget can only be written using a tag that is parsed as raw 
text in HTML.
+These [elements] are:
+
+* title
+* textarea
+* xmp
+* iframe
+* noembed
+* noframes
+* plaintext
+* noscript
+* style
+* script
+
+Applications that do not explicitly allow any of these tags should not be 
affected, since none are allowed by default.
+
+[elements]: 
https://github.com/servo/html5ever/blob/045a0378f2b0f8d4a350793899cf722a2a9b3d11/html5ever/src/tree_builder/rules.rs
+
+---
+
+**Discovered by:** ivan0912 (YesWeHack) · **Date:** 2026-06-29 · Found via 
local differential analysis and source review of ammonia's sanitisation 
pipeline; no third-party systems were tested.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/anyhow/RUSTSEC-2026-0190.md 
new/advisory-db-20260707/crates/anyhow/RUSTSEC-2026-0190.md
--- old/advisory-db-20260618/crates/anyhow/RUSTSEC-2026-0190.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/anyhow/RUSTSEC-2026-0190.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,70 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0190"
+package = "anyhow"
+date = "2026-06-25"
+url = "https://github.com/dtolnay/anyhow/issues/451";
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "downcast_mut"]
+
+[affected.functions]
+"anyhow::Error::downcast_mut" = ["< 1.0.103"]
+
+[versions]
+patched = [">= 1.0.103"]
+```
+
+# Unsoundness in `Error::downcast_mut()`
+
+Affected versions of this crate violate borrow rules, resulting in undefined 
behavior, when the user adds context to an error via `Error::context` and then 
later calls `Error::downcast_mut` on the returned `Error`.
+
+The flaw was corrected in commit `6e8c000` by revising how the mutable 
reference is constructed, avoiding inclusion of a shared reference in the 
resulting borrow chain.
+
+## Example
+
+```rust
+use anyhow::Error;
+use std::fmt;
+
+#[derive(Debug)]
+struct ErrorContext(&'static str);
+
+impl fmt::Display for ErrorContext {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt::Display::fmt(&self.0, f)
+    }
+}
+
+fn main() {
+    let mut error = Error::msg("inner error").context(ErrorContext("old 
context"));
+    let context: &mut ErrorContext = error.downcast_mut().unwrap();
+    context.0 = "new context";
+    println!("{:?}", error);
+}
+```
+
+## Miri output
+
+```
+error: Undefined Behavior: trying to retag from <1538> for Unique permission 
at alloc602[0x38], but that tag only grants SharedReadOnly permission for this 
location
+   --> src/ptr.rs:170:18
+    |
+170 |         unsafe { &mut *self.ptr.as_ptr() }
+    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of 
retag at alloc602[0x38..0x48]
+    |
+    = help: this indicates a potential bug in the program: it performed an 
invalid operation, but the Stacked Borrows rules it violated are still 
experimental
+    = help: see 
https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md
 for further information
+help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
+   --> src/ptr.rs:89:18
+    |
+ 89 |             ptr: NonNull::from(ptr),
+    |                  ^^^^^^^^^^^^^^^^^^
+    = note: stack backtrace:
+            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
+                at src/ptr.rs:170:18: 170:41
+            1: anyhow::error::<impl 
anyhow::Error>::downcast_mut::<ErrorContext>
+                at src/error.rs:560:18: 560:46
+            2: main
+                at examples/downcast_mut.rs:15:38: 15:58
+```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/bcrypt/RUSTSEC-2026-0199.md 
new/advisory-db-20260707/crates/bcrypt/RUSTSEC-2026-0199.md
--- old/advisory-db-20260618/crates/bcrypt/RUSTSEC-2026-0199.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/bcrypt/RUSTSEC-2026-0199.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,74 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0199"
+package = "bcrypt"
+date = "2026-06-20"
+url = "https://github.com/Keats/rust-bcrypt/pull/103";
+references = [
+    "https://github.com/Keats/rust-bcrypt/issues/62";,
+    "https://github.com/Keats/rust-bcrypt/pull/95";,
+    
"https://github.com/Keats/rust-bcrypt/commit/f5f1ee2862c1198a85afe3c2f8cd80835162b7e9";,
+]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+keywords = ["panic", "utf-8", "denial-of-service"]
+
+[versions]
+patched = [">= 0.19.2"]
+unaffected = ["< 0.19.0"]
+```
+
+# Panic in `bcrypt::verify` on non-ASCII hash input
+
+`bcrypt::verify(password, hash)` and `HashParts::from_str(hash)` panic in
+`str::slice_error_fail` when given a 60-byte `&str` containing a multi-byte
+UTF-8 character at certain byte positions.
+
+## Impact
+
+Any Rust code that calls `bcrypt::verify` (or `HashParts::from_str`) with an
+attacker-controlled hash string will panic. The `bcrypt` crate is
+`#![forbid(unsafe_code)]`, so this is limited to a denial-of-service and
+cannot lead to memory corruption.
+
+Realistic attack contexts include:
+
+- Rust authentication services reading hashes from a database that was
+  previously compromised via, e.g., SQL injection. The attacker can then
+  crash the service on every login attempt against the tampered account.
+- CLI tools accepting hashes from stdin or command-line arguments.
+- Password managers or vault services loading hashes from untrusted
+  configuration sources.
+
+## Root cause
+
+`split_hash` performed five `&str` slicing operations on the input hash:
+`&hash[1..3]`, `&hash[4..6]`, `&hash[7..]`, `&salt_and_hash[..22]`, and
+`&salt_and_hash[22..]`. None of these were char-boundary-checked. Any input
+where a multi-byte UTF-8 character spanned one of those byte positions
+caused a panic.
+
+This is a regression of the fix originally shipped in 2021 for issue #62
+(commit `0833509`). The regression was introduced in the parser rewrite in
+PR #95 (commit `e9a8394`, released as 0.19.0).
+
+The pre-existing regression test `does_no_error_on_char_boundary_splitting`
+was not removed, but was silently rendered ineffective by the new
+`bytes[0] != b'$'` guard, which rejected its input earlier and prevented
+it from reaching the buggy slices — leaving CI green through the regression.
+
+## Fix
+
+`split_hash` now rejects any hash string containing non-ASCII bytes up
+front. A valid bcrypt hash is always exactly 60 ASCII bytes, so this
+closes the entire class of byte-boundary panics rather than guarding each
+slice individually.
+
+The fix was merged in PR #103 and released as `bcrypt 0.19.2` on 2026-06-20.
+
+## Downstream impact
+
+`pyca/bcrypt` (which depended on `bcrypt 0.19.1`) is **not** affected. Its
+Python-side wrapper performs its own byte-level salt parsing before
+invoking `bcrypt::hash_with_salt`, and never reaches the buggy code path
+in `split_hash` or `verify`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0196.md 
new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0196.md
--- old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0196.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0196.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0196"
+package = "cgmath"
+date = "2026-07-01"
+url = 
"https://github.com/rustsec/advisory-db/pull/2910#pullrequestreview-4611570365";
+references = ["https://github.com/rustgd/cgmath/issues/565";]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `cgmath` is unmaintained
+
+The `cgmath` crate is no longer maintained.
+
+Users should consider switching to a maintained alternative.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0197.md 
new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0197.md
--- old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0197.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0197.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0197"
+package = "cgmath"
+date = "2026-03-11"
+url = "https://github.com/rustgd/cgmath/issues/565";
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["soundness", "undefined-behavior", "aliasing", "stacked-borrows"]
+
+[affected.functions]
+"cgmath::Matrix2::swap_columns" = ["= 0.18.0"]
+"cgmath::Matrix3::swap_columns" = ["= 0.18.0"]
+"cgmath::Matrix4::swap_columns" = ["= 0.18.0"]
+
+[versions]
+patched = []
+```
+
+# `Matrix{2,3,4}::swap_columns` can trigger undefined behavior for identical 
indices
+
+The `Matrix2::swap_columns`, `Matrix3::swap_columns`, and 
`Matrix4::swap_columns`
+implementations call `ptr::swap(&mut self[a], &mut self[b])`.
+
+When `a == b`, these safe APIs create two mutable references to the same matrix
+column and pass them to `ptr::swap`. This violates Rust's aliasing rules and 
can
+trigger undefined behavior. The issue can be reproduced from safe Rust by 
calling
+`swap_columns` with identical column indices, for example `m.swap_columns(0, 
0)`.
+
+A minimal fix is to return early when the two column indices are equal before
+calling `ptr::swap`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/crossbeam-epoch/RUSTSEC-2026-0204.md 
new/advisory-db-20260707/crates/crossbeam-epoch/RUSTSEC-2026-0204.md
--- old/advisory-db-20260618/crates/crossbeam-epoch/RUSTSEC-2026-0204.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/crossbeam-epoch/RUSTSEC-2026-0204.md        
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0204"
+package = "crossbeam-epoch"
+date = "2026-07-06"
+url = "https://github.com/crossbeam-rs/crossbeam/pull/1276";
+keywords = ["NULL-pointer-dereference"]
+aliases = []
+
+[versions]
+patched = [">= 0.9.20"]
+unaffected = ["< 0.9.0"]
+```
+
+# Invalid pointer dereference in `fmt::Pointer` impl for `Atomic` and `Shared` 
when the underlying pointer is invalid
+
+Affected versions of `fmt::Display` dereference the underlying pointer. This 
causes a invalid pointer dereference e.g., when a pointer created with 
`Atomic::null` or `Shared::null`. `fmt::Debug` impls and pre-0.9 `fmt::Display` 
impls, which do not dereference pointers, are not affected by this issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20260618/crates/cxx/RUSTSEC-2026-0202.md 
new/advisory-db-20260707/crates/cxx/RUSTSEC-2026-0202.md
--- old/advisory-db-20260618/crates/cxx/RUSTSEC-2026-0202.md    1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cxx/RUSTSEC-2026-0202.md    2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0202"
+package = "cxx"
+date = "2026-07-05"
+url = "https://github.com/dtolnay/cxx/issues/1729";
+informational = "unsound"
+categories = ["memory-exposure"]
+keywords = ["exception", "unwind"]
+
+[affected]
+#arch = ["x86", "x86_64"]
+#os = ["windows"]
+
+[affected.functions]
+"cxx::let_cxx_string" = ["< 1.0.195"]
+
+[versions]
+patched = [">= 1.0.195"]
+```
+
+# `let_cxx_string!` uses uninitialized value due to exception safety violations
+
+In affected versions of this crate, `let_cxx_string!` is not exception safe. 
After creating the `StackString`, if `match $value` panics, the content of 
`StackString` is not yet initialized, while the drop implementation of 
`StackString` unconditionally deinitializes the content, leading to use of 
uninitialized value.
+
+The soundness issue was fixed in version `1.0.195` by moving drop logics to 
separate drop guard after initializing the `StackString`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/error-stack/RUSTSEC-2026-0198.md 
new/advisory-db-20260707/crates/error-stack/RUSTSEC-2026-0198.md
--- old/advisory-db-20260618/crates/error-stack/RUSTSEC-2026-0198.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/error-stack/RUSTSEC-2026-0198.md    
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0198"
+package = "error-stack"
+date = "2026-07-03"
+url = "https://github.com/hashintel/hash/issues/8945";
+references = ["https://github.com/hashintel/hash/pull/8946";]
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["aliasing"]
+
+[versions]
+patched = [">= 0.8.0"]
+
+[affected]
+functions = { "error_stack::Report::frames_mut" = ["*"] }
+```
+
+# `Report::frames_mut` allows aliased mutable references
+
+Affected versions of this crate return an iterator from
+`Report::frames_mut` whose `&mut Frame` items have lifetimes independent
+of the iterator, so all yielded references can be held at the same time.
+A yielded frame's sources are also yielded by the iterator and reachable
+through the parent frame via `Frame::sources_mut`, allowing safe code to
+obtain two live mutable references to the same frame. This is undefined
+behavior and can be used to cause a segmentation fault (see reproducer in
+the linked issue). Versions 0.1.0 and 0.1.1 are affected through
+`Frame::source_mut` instead of `Frame::sources_mut`.
+
+The flaw is fixed in 0.8.0 by replacing the iterator with internal
+iteration: `Report::frames_mut` now takes a visitor closure, so mutable
+access to a frame is scoped and cannot overlap with access to its
+sources.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0200.md 
new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0200.md
--- old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0200.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0200.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,48 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0200"
+package = "fulgur"
+date = "2026-07-05"
+url = 
"https://github.com/fulgur-rs/fulgur/security/advisories/GHSA-j5cx-ph8g-95v3";
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["dos", "pagination", "pdf"]
+aliases = ["GHSA-j5cx-ph8g-95v3"]
+
+[versions]
+patched = [">= 0.19.0"]
+```
+
+# Unbounded page slicing from attacker-controlled CSS height causes denial of 
service
+
+`fulgur` converts untrusted HTML/CSS into PDF, commonly on a server that
+processes input supplied by many tenants. In versions prior to 0.19.0, a
+body-direct child whose CSS-resolved height greatly exceeds the page height was
+sliced into one fragment per page with no upper bound.
+
+The height is taken directly from attacker-controlled HTML/CSS (`height`, `vh`
+units), so a few bytes such as `<div style="height:99999999px"></div>` forced 
on
+the order of 125,000 page fragments. The pagination code then allocates
+`vec![Vec::new(); page_count]` and runs a per-page render loop, resulting in 
CPU
+and memory exhaustion. A non-finite height (one that resolves to `+inf`)
+additionally made the slicing loop's `remaining -= last_slice_h` decrement 
never
+terminate, causing an infinite loop.
+
+An attacker able to submit HTML/CSS to a fulgur-based conversion service can
+trigger this with a trivially small payload, denying service to the host and 
any
+co-tenants.
+
+Fixed in 0.19.0: a `MAX_PAGES` cap bounds the slice loop — halting it even for 
a
+`+inf` height — and non-finite layout heights are sanitized so they can no
+longer drive the loop.
+
+## Attack Vector rationale
+
+`fulgur` performs no network I/O of its own; it renders HTML/CSS handed to it 
by
+the embedding application. This advisory scores the crate independent of any
+specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack
+Vector is assessed as Network for the reasonable worst-case deployment — a
+network-facing service that renders untrusted HTML without user interaction. A
+concrete system that receives the HTML in one component and passes it to fulgur
+in a separate component may assess a lower environmental Attack Vector (Local,
+per §3.10).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0201.md 
new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0201.md
--- old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0201.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0201.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,53 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0201"
+package = "fulgur"
+date = "2026-07-05"
+url = 
"https://github.com/fulgur-rs/fulgur/security/advisories/GHSA-4rf6-qx84-q9fv";
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["dos", "pagination", "pdf"]
+aliases = ["GHSA-4rf6-qx84-q9fv"]
+
+[versions]
+patched = [">= 0.26.0"]
+```
+
+# Non-painting replaced elements amplify to thousands of blank PDF pages 
(denial of service)
+
+`fulgur` converts untrusted HTML/CSS into PDF, commonly on a server that
+processes input supplied by many tenants. In versions prior to 0.26.0, a
+childless box that resolves to a pathologically tall height was amplified into
+thousands of blank PDF pages, even when it produces no visible output.
+
+The childless-collapse defense that would normally collapse such a box was 
gated
+by a tag-only "replaced content" check, so any non-painting replaced element
+bypassed it, including an unresolved `src` (the common offline-first case), a
+`visibility:hidden` image, an undecodable image format, and an empty `<svg>`. A
+trailing-sibling variant of the same gap was also open.
+
+A few bytes of HTML therefore amplified into roughly `MAX_PAGES` (10,000) blank
+pages; the renderer allocates and runs a per-page loop over them, producing CPU
+and memory exhaustion. An attacker able to submit HTML to a fulgur-based
+conversion service can trigger this with a trivially small payload, denying
+service to the host and any co-tenants.
+
+Fixed in 0.26.0: the tag-only gate was removed so that any pathologically tall
+childless box collapses regardless of whether it is a replaced element, closing
+the missing-`src`, `visibility:hidden`, undecodable-format, and empty-`<svg>`
+vectors along with the trailing-sibling variant.
+
+Versions prior to 0.19.0 additionally lacked any page-count cap, allowing an
+unbounded (rather than 10,000-page) variant of this amplification; that earlier
+variant is tracked separately as GHSA-j5cx-ph8g-95v3.
+
+## Attack Vector rationale
+
+`fulgur` performs no network I/O of its own; it renders HTML/CSS handed to it 
by
+the embedding application. This advisory scores the crate independent of any
+specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack
+Vector is assessed as Network for the reasonable worst-case deployment — a
+network-facing service that renders untrusted HTML without user interaction. A
+concrete system that receives the HTML in one component and passes it to fulgur
+in a separate component may assess a lower environmental Attack Vector (Local,
+per §3.10).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/i_tree/RUSTSEC-2025-0165.md 
new/advisory-db-20260707/crates/i_tree/RUSTSEC-2025-0165.md
--- old/advisory-db-20260618/crates/i_tree/RUSTSEC-2025-0165.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/i_tree/RUSTSEC-2025-0165.md 2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0165"
+package = "i_tree"
+date = "2025-07-04"
+url = "https://github.com/iShape-Rust/iTree/issues/1";
+references = [
+    
"https://github.com/iShape-Rust/iTree/commit/a948b891cf159233bfed5b16bf185268fd9e1985";,
+    "https://github.com/iShape-Rust/iTree/compare/0.9.0...0.10.0";,
+]
+informational = "unsound"
+
+[affected.functions]
+"i_tree::tree::Tree::node" = ["< 0.10.0"]
+"i_tree::tree::Tree::mut_node" = ["< 0.10.0"]
+
+[versions]
+patched = [">= 0.10.0"]
+
+```
+
+# i_tree allowed out-of-bounds access through safe public node accessors
+
+Affected versions of `i_tree` exposed safe public `Tree::node` and 
`Tree::mut_node` methods in the public `tree` module. These methods accepted an 
arbitrary `u32` index and passed it directly to `Vec::get_unchecked` / 
`get_unchecked_mut` on the internal node buffer, without validating that the 
index was in bounds.
+
+Because these methods were safe and public, a caller could pass an 
out-of-bounds index without writing any `unsafe` code, producing an 
out-of-bounds shared or mutable reference and triggering undefined behavior.
+
+Starting with `0.10.0` the crate was restructured and these accessors are no 
longer reachable from outside the crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/i_triangle/RUSTSEC-2025-0164.md 
new/advisory-db-20260707/crates/i_triangle/RUSTSEC-2025-0164.md
--- old/advisory-db-20260618/crates/i_triangle/RUSTSEC-2025-0164.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/i_triangle/RUSTSEC-2025-0164.md     
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0164"
+package = "i_triangle"
+date = "2025-04-24"
+url = "https://github.com/iShape-Rust/iTriangle/issues/4";
+references = [
+    
"https://github.com/iShape-Rust/iTriangle/commit/13e0e9f4d5333e3a815191e5f6f402641997f91b";
+]
+informational = "unsound"
+
+[affected.functions]
+"i_triangle::delaunay::triangle::DTriangle::neighbor_by_order" = [">= 0.24.0", 
"< 0.29.0"]
+"i_triangle::delaunay::triangle::DTriangle::vertex_by_order" = [">= 0.24.0", 
"< 0.29.0"]
+
+[versions]
+patched = [">= 0.29.0"]
+```
+
+# `DTriangle` accessors may read out of bounds in affected versions
+
+In affected versions, `DTriangle::neighbor_by_order` and 
`DTriangle::vertex_by_order` were public safe functions that accepted an
+arbitrary `order` value. These functions used `order` to access fixed-size 
internal arrays with `get_unchecked`, without checking whether `order` was 
within bounds. Calling these methods with an out-of-bounds `order` could cause 
an out-of-bounds read from safe Rust code. This made the old APIs unsound, 
since safe callers could trigger undefined behavior without using `unsafe`.
+
+The issue was fixed in version `0.29.0` as part of a broader rewrite that 
replaced the old triangle implementation with `IntTriangle` and removed the 
affected accessor methods.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/jxl-grid/RUSTSEC-2026-0151.md 
new/advisory-db-20260707/crates/jxl-grid/RUSTSEC-2026-0151.md
--- old/advisory-db-20260618/crates/jxl-grid/RUSTSEC-2026-0151.md       
2026-06-17 15:50:20.000000000 +0200
+++ new/advisory-db-20260707/crates/jxl-grid/RUSTSEC-2026-0151.md       
2026-07-07 00:19:41.000000000 +0200
@@ -5,7 +5,7 @@
 date = "2026-05-29"
 url = 
"https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-5pmv-rx8r-wmv5";
 categories = ["memory-corruption"]
-aliases = ["GHSA-5pmv-rx8r-wmv5"]
+aliases = ["CVE-2026-52834", "GHSA-5pmv-rx8r-wmv5"]
 
 [versions]
 patched = [">= 0.6.2"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/lopdf/RUSTSEC-2026-0187.md 
new/advisory-db-20260707/crates/lopdf/RUSTSEC-2026-0187.md
--- old/advisory-db-20260618/crates/lopdf/RUSTSEC-2026-0187.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/lopdf/RUSTSEC-2026-0187.md  2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0187"
+package = "lopdf"
+date = "2026-06-21"
+categories = ["denial-of-service"]
+keywords = ["dos", "stack-overflow", "recursion", "untrusted-input", "pdf"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/J-F-Liu/lopdf/issues/502";, 
"https://github.com/J-F-Liu/lopdf/pull/503";, 
"https://github.com/J-F-Liu/lopdf/commit/c755394";]
+
+[versions]
+patched = [">= 0.42.0"]
+```
+
+# Stack overflow in lopdf via deeply nested PDF objects
+
+`lopdf::Document::load_mem` (and the other `load*` entry points) parses nested 
PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose 
Catalog contains a deeply nested array (`/X [[[ … ]]]`, on the order of 10,000 
levels) exhausts the call stack and aborts the process with `SIGABRT`.
+
+Because this is a stack-overflow abort rather than a `panic!`, it cannot be 
caught with `catch_unwind`: any service that parses untrusted PDF input with 
lopdf can be crashed by a ~21 KB file, resulting in a denial of service.
+
+Confirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration, 
no features changed.
+
+## Proof of concept
+
+```rust
+fn main() {
+    let bytes = std::fs::read("poc.pdf").unwrap(); // ~10,380-deep nested 
array in the Catalog
+    let _ = lopdf::Document::load_mem(&bytes);     // stack overflow -> SIGABRT
+}
+```
+
+An equivalent PoC is a minimal PDF whose Catalog `/X` value is `"[" * 10380 + 
"]" * 10380`.
+
+## Suggested fix
+
+Enforce a maximum object-nesting depth in the parser and return an `Err` 
instead of recursing without bound.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/memmap2/RUSTSEC-2026-0186.md 
new/advisory-db-20260707/crates/memmap2/RUSTSEC-2026-0186.md
--- old/advisory-db-20260618/crates/memmap2/RUSTSEC-2026-0186.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/memmap2/RUSTSEC-2026-0186.md        
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0186"
+package = "memmap2"
+date = "2026-06-20"
+url = "https://github.com/RazrFalcon/memmap2-rs/issues/169";
+references = ["https://github.com/RazrFalcon/memmap2-rs/pull/170";]
+informational = "unsound"
+keywords = ["pointer-arithmetic", "out-of-bounds"]
+
+[affected.functions]
+"memmap2::Mmap::advise_range" = [">= 0.5.9","< 0.9.11"]
+"memmap2::Mmap::unchecked_advise_range" = [">= 0.8.0","< 0.9.11"]
+"memmap2::MmapMut::advise_range" = [">= 0.5.9","< 0.9.11"]
+"memmap2::MmapMut::flush_async_range" = ["< 0.9.11"]
+"memmap2::MmapMut::flush_range" = ["< 0.9.11"]
+"memmap2::MmapMut::unchecked_advise_range" = [">= 0.8.0","< 0.9.11"]
+
+[versions]
+patched = [">= 0.9.11"]
+```
+
+# Unchecked pointer offset in crate `memmap2`
+
+Affected versionf of `memmap2` did not perform enough validation on the 
`offset` and `len` parameters of
+`Mmap::[unchecked_]advise_range()`,
+`MmapMut::[unchecked_]advise_ranage()`
+and `MmapMut::flush[_async]_range()`.
+
+This can cause undefined behavior due to invalid values being passed to 
[`pointer::offset()`] and [`pointer::add()`]
+when passing an out-of-bounds range to any of the affected functions.
+
+The flaw was corrected in commit [`cee7cf0`] and released in version `0.9.11`.
+
+The invalid pointer is not dereferenced,
+but it is passed to the `madvise` and `msync` syscalls and their Windows 
equivalents.
+
+[`pointer::offset()`]: 
https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset-1
+[`pointer::add()`]: 
https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.add-1
+[`cee7cf0`] 
https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0194.md 
new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0194.md
--- old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0194.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0194.md      
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,74 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0194"
+package = "quick-xml"
+date = "2026-06-29"
+url = "https://github.com/tafia/quick-xml/issues/969";
+references = [
+    "https://github.com/tafia/quick-xml/pull/971";,
+    
"https://github.com/tafia/quick-xml/commit/07f3db8343cf152f5bc3483ef5b3164582489bea";,
+]
+categories = ["denial-of-service"]
+keywords = ["xml", "parser", "dos", "algorithmic-complexity", "quadratic"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.41.0"]
+```
+
+# Quadratic run time when checking a start tag for duplicate attribute names
+
+`BytesStart::attributes()` returns an `Attributes` iterator which, by default
+(`with_checks(true)`), rejects a start tag that repeats an attribute name. For
+each attribute yielded, the iterator compared the new name against every name
+seen so far in the same tag using a linear scan, so a start tag with `N`
+distinct attribute names cost `O(N²)` byte comparisons. There was no bound on
+`N` other than the size of the buffered start tag.
+
+## Impact
+
+Any code that parses untrusted XML and iterates a start tag's attributes with
+the default duplicate check enabled can be made to spend CPU time quadratic in
+the number of attributes on a single tag. Because the check is pure computation
+with no `.await`/I/O, an I/O-based timeout on the consumer (for example a read
+or request timeout) cannot interrupt it while it runs.
+
+Measured cost of a single start tag, release build:
+
+| Attributes on one tag | Time |
+|---|---|
+| 80,000  | ~6 s   |
+| 800,000 | ~10 min |
+
+The cost grows with the square of the attribute count, so a start tag of a few
+tens of megabytes can stall a parsing thread for hours. No memory is exhausted
+and the parser does not crash; the effect is CPU exhaustion on the thread doing
+the parsing: a single crafted start tag can pin a CPU core for minutes to 
hours,
+denying service to that worker. A deployment that places a wall-clock bound on
+parsing, or confines it to a non-critical thread, may consider the availability
+impact lower.
+
+## Affected code paths
+
+* `BytesStart::attributes()` / `Attributes` iterated with checks enabled (the
+  default), and `BytesStart::try_get_attribute`.
+* `NsReader`, which resolves namespaces by iterating a tag's attributes and so
+  reaches the same check internally.
+
+Consumers that iterate attributes with `.attributes().with_checks(false)` and 
do
+not use `NsReader` are not affected.
+
+This was reported as reachable by a remote, unauthenticated attacker in a
+real-world RPKI relying party (NLnet Labs Routinator) via a crafted RRDP
+`snapshot.xml`.
+
+## Remediation
+
+Upgrade to `quick-xml >= 0.41.0`, where the duplicate check keeps the linear
+scan for start tags with a small number of attributes and switches to an `O(1)`
+hash pre-filter above a threshold, making the whole tag `O(N)`. The reported
+`AttrError::Duplicated` positions are unchanged.
+
+If upgrading is not possible and duplicate-name detection is not required,
+disable it with `.attributes().with_checks(false)` (this does not help
+`NsReader` consumers, which have no equivalent opt-out before 0.41.0).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0195.md 
new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0195.md
--- old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0195.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0195.md      
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0195"
+package = "quick-xml"
+date = "2026-06-29"
+url = "https://github.com/tafia/quick-xml/issues/970";
+references = [
+    
"https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a";,
+]
+categories = ["denial-of-service"]
+keywords = ["xml", "parser", "dos", "memory", "namespace"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.41.0"]
+```
+
+# Unbounded namespace-declaration allocation in `NsReader` enables 
memory-exhaustion denial of service
+
+`NsReader` resolves namespaces by calling `NamespaceResolver::push` for every
+`Start`/`Empty` event *before* the event is returned to the caller. `push`
+iterated all `xmlns` / `xmlns:*` attributes on the start tag and, for each one,
+appended the prefix bytes to an internal buffer and pushed a `NamespaceBinding`
+(32 bytes on 64-bit) to an internal `Vec`, with no upper bound on the number of
+declarations.
+
+## Impact
+
+A start tag with `N` namespace declarations drove roughly `3×` the tag's byte
+size in `NamespaceResolver` heap, allocated *inside* `quick-xml` before the
+`NsReader` consumer ever received the event and could inspect or reject it. A
+consumer that bounds its *input* size therefore still cannot bound this
+allocation: an `M`-byte start tag yields on the order of `3 × M` bytes of
+resolver heap the caller never sees.
+
+On untrusted XML this lets a remote, unauthenticated attacker force large heap
+allocations with a single start tag. With several `NsReader`s running
+concurrently on independent inputs (a common server pattern), the allocations
+stack and can exhaust process memory, causing the operating system to kill the
+process (OOM). This was confirmed against a real-world RPKI relying party 
(NLnet
+Labs Routinator), where concurrent RRDP validation workers parsing a crafted
+`snapshot.xml` exceeded the memory limit and the process was OOM-killed.
+
+## Affected code paths
+
+Consumers using `NsReader` (which always calls `NamespaceResolver::push` before
+yielding `Start`/`Empty`), or calling `NamespaceResolver::push` directly. A 
plain
+`Reader` that does not perform namespace resolution is not affected.
+
+## Remediation
+
+Upgrade to `quick-xml >= 0.41.0`. `NamespaceResolver::push` now rejects a start
+tag that declares more than `DEFAULT_MAX_DECLARATIONS_PER_ELEMENT` (256)
+namespace bindings, returning the new `NamespaceError::TooManyDeclarations`
+instead of allocating without limit. The limit is configurable via
+`NamespaceResolver::set_max_declarations_per_element` (use `usize::MAX` to
+restore the previous unbounded behavior), and `NsReader::resolver_mut()` is
+provided to reach it.
+
+There is no clean workaround for `NsReader` consumers before 0.41.0, as the
+allocation happens inside the reader with no configuration knob to cap it.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/quinn-proto/RUSTSEC-2026-0185.md 
new/advisory-db-20260707/crates/quinn-proto/RUSTSEC-2026-0185.md
--- old/advisory-db-20260618/crates/quinn-proto/RUSTSEC-2026-0185.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quinn-proto/RUSTSEC-2026-0185.md    
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0185"
+package = "quinn-proto"
+date = "2026-06-22"
+url = "https://github.com/quinn-rs/quinn/pull/2694";
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["oom"]
+aliases = ["GHSA-4w2j-m93h-cj5j"]
+
+[versions]
+patched = [">= 0.11.15"]
+```
+
+#  Remote memory exhaustion in quinn-proto from unbounded out-of-order stream 
reassembly
+
+The `Assembler` component that assembles unordered stream fragments into 
consecutive chunks of the
+stream incurs some overhead for non-contiguous fragments. Readers that read 
from a RecvStream in
+order (through an `AsyncRead` impl for example) will be sensitive to peers 
that send fragments
+while leaving out early parts of the stream, and in particular, fragments with 
many gaps (because
+these cannot be defragmented). In such a scenario, the receiving connection 
suffers from high
+buffer overhead, enabling memory exhaustion.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/rmcp/RUSTSEC-2026-0189.md 
new/advisory-db-20260707/crates/rmcp/RUSTSEC-2026-0189.md
--- old/advisory-db-20260618/crates/rmcp/RUSTSEC-2026-0189.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/rmcp/RUSTSEC-2026-0189.md   2026-07-07 
00:19:41.000000000 +0200
@@ -0,0 +1,51 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0189"
+package = "rmcp"
+date = "2026-04-29"
+url = 
"https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx";
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+keywords = ["dns-rebinding", "mcp", "http"]
+aliases = ["CVE-2026-42559", "GHSA-89vp-x53w-74fx", "GHSA-fvh2-gm75-j4j7"]
+related = ["GHSA-fvh2-gm75-j4j7", "RUSTSEC-2026-0140"]
+references = [
+    "https://github.com/modelcontextprotocol/rust-sdk/pull/764";,
+    "https://github.com/modelcontextprotocol/rust-sdk/issues/815";,
+    "https://github.com/modelcontextprotocol/rust-sdk/issues/822";,
+    
"https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning";,
+]
+
+[versions]
+patched = [">= 1.4.0"]
+```
+
+# DNS rebinding vulnerability in rmcp Streamable HTTP server transport
+
+Prior to version 1.4.0, the `rmcp` crate's Streamable HTTP server transport did
+not validate the incoming `Host` header.
+
+This allowed a malicious public website, via a DNS rebinding attack, to send
+requests to an MCP server running on the victim's loopback or private-network
+interface.
+
+An attacker who convinced a victim to visit a malicious page could enumerate 
and
+invoke tools exposed by a locally running rmcp-based MCP server, read resources
+and prompts, and trigger side effects limited by the tools exposed by that
+server.
+
+Non-HTTP transports such as stdio and child-process transports are not 
affected.
+
+## Patches
+
+The issue was fixed in `rmcp` 1.4.0 by adding default loopback-only host
+allowlist validation for the Streamable HTTP server transport. Incoming HTTP
+requests now validate the `Host` header and return HTTP 403 when the host is 
not
+allowed.
+
+Users should upgrade to `rmcp >= 1.4.0`.
+
+## Workarounds
+
+If upgrading is not possible, place the MCP server behind a reverse proxy
+configured to reject requests whose `Host` header is not one of the expected
+hostnames. Do not bind the MCP server to `0.0.0.0` without such validation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/solana_rbpf/RUSTSEC-2026-0191.md 
new/advisory-db-20260707/crates/solana_rbpf/RUSTSEC-2026-0191.md
--- old/advisory-db-20260618/crates/solana_rbpf/RUSTSEC-2026-0191.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/solana_rbpf/RUSTSEC-2026-0191.md    
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,43 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0191"
+package = "solana_rbpf"
+date = "2026-05-28"
+url = "https://github.com/solana-labs/rbpf";
+references = [
+    "https://github.com/anza-xyz/sbpf/pull/151";,
+    "https://crates.io/crates/solana-sbpf";,
+]
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["soundness", "pointer-arithmetic", "out-of-bounds"]
+
+[affected.functions]
+"solana_rbpf::vm::EbpfVm::invoke_function" = [">= 0.8.0, <= 0.8.5"]
+
+[versions]
+patched = []
+unaffected = ["< 0.8.0"]
+```
+
+# `EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic
+
+Affected versions of `solana_rbpf` expose the safe method
+`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by
+casting `self` to `*mut u64` and applying a randomized offset derived from
+`get_runtime_environment_key()`.
+
+The resulting pointer arithmetic is performed with `ptr::offset`, which
+requires the computed pointer to remain within the same allocation. In 
practice,
+the randomized offset can move the pointer far outside the allocation
+containing the `EbpfVm`, causing undefined behavior before the supplied builtin
+function is invoked.
+
+## Unmaintained
+
+The upstream `solana_rbpf` repository is archived, and no patched version of
+this crate is currently available.
+
+Users should migrate to the maintained 
[`solana-sbpf`](https://crates.io/crates/solana-sbpf)
+crate. The issue has been fixed there in
+[`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/stackvector/RUSTSEC-2025-0166.md 
new/advisory-db-20260707/crates/stackvector/RUSTSEC-2025-0166.md
--- old/advisory-db-20260618/crates/stackvector/RUSTSEC-2025-0166.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/stackvector/RUSTSEC-2025-0166.md    
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0166"
+package = "stackvector"
+date = "2025-10-23"
+url = "https://github.com/Alexhuszagh/rust-stackvector/issues/3";
+references = [
+    "https://github.com/Alexhuszagh/rust-stackvector/pull/6";,
+    
"https://github.com/Alexhuszagh/rust-stackvector/commit/02b947afdeeb1be95ec0888354aa76afdd9d0357";,
+    "https://github.com/Alexhuszagh/rust-stackvector/issues/5";,
+]
+informational = "unsound"
+
+[versions]
+patched = [">= 2.0.0"]
+```
+
+# Multiple soundness issues in `stackvector`
+
+Affected versions of `stackvector` contained multiple soundness issues that 
could allow safe Rust code to trigger undefined behavior.
+
+One issue was that `StackVec::length` was exposed as a public field. Safe Rust 
code could set `length` to a value larger than the backing array capacity. 
Other safe methods, including `remove`, `pop`, and `truncate`, relied on 
`length` before performing unsafe pointer operations (`ptr::read`, `ptr::copy`, 
`offset`/`add`). If `length` was corrupted by safe code, these methods could 
perform out-of-bounds pointer arithmetic, reads, writes, or copies.
+
+The upstream maintainer also identified additional soundness issues, including 
the use of `mem::uninitialized` in `StackVec::from_vec_unchecked`, which was 
reachable through `from_vec`, and Miri violations related to `MaybeUninit` 
usage.
+
+Version `2.0.0` was released to fix the known soundness issues.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/structopt/RUSTSEC-2022-0104.md 
new/advisory-db-20260707/crates/structopt/RUSTSEC-2022-0104.md
--- old/advisory-db-20260618/crates/structopt/RUSTSEC-2022-0104.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/structopt/RUSTSEC-2022-0104.md      
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0104"
+package = "structopt"
+date = "2022-02-08"
+url = "https://github.com/TeXitoi/structopt#maintenance";
+references = ["https://github.com/TeXitoi/structopt/issues/525";]
+informational = "unmaintained"
+related = []
+license = "CC0-1.0"
+
+[versions]
+patched = []
+```
+
+# `structopt` is in maintenance mode
+
+`structopt` has been in maintenance mode, with no new development planned, 
since at least February of 2022.
+
+The status of `structopt` is discussed in a [pinned 
issue](https://github.com/TeXitoi/structopt/issues/525).
+
+## Recommended alternative
+
+The `structopt` derive wrapper was incorporated into `clap` v3. There is [a 
migration guide][clap-migration] for switching from `structopt` to `clap`.
+
+[clap-migration]: 
https://github.com/clap-rs/clap/blob/v4.6.0/CHANGELOG.md#migrating-1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md 
new/advisory-db-20260707/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md
--- old/advisory-db-20260618/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md  
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0203"
+package = "tree-sitter-perl-next"
+date = "2026-07-06"
+url = "https://github.com/PRRPCHT/tree-sitter-perl-next";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `tree-sitter-perl-next` is unmaintained
+
+The author of `tree-sitter-perl-next` has stated that the crate is 
unmaintained and will not receive further fixes (see the repo's readme).
+
+## Alternative(s)
+
+- [`ts-parser-perl `](https://crates.io/crates/ts-parser-perl), an actively 
maintained tree-sitter Perl grammar that tree-sitter-perl-next initially forked.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/ttf-parser/RUSTSEC-2026-0192.md 
new/advisory-db-20260707/crates/ttf-parser/RUSTSEC-2026-0192.md
--- old/advisory-db-20260618/crates/ttf-parser/RUSTSEC-2026-0192.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/ttf-parser/RUSTSEC-2026-0192.md     
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0192"
+package = "ttf-parser"
+date = "2026-06-28"
+url = "https://github.com/harfbuzz/ttf-parser/issues/217";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `ttf-parser` is unmaintained
+
+The author of `ttf-parser` has stated that the crate is unmaintained and will 
not receive further fixes (see the referenced issue).
+
+## Alternative(s)
+
+- [`skrifa`](https://crates.io/crates/skrifa), an actively maintained TrueType 
and OpenType font parsing crate, part of the Google Fonts "oxidize" 
(`fontations`) project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20260618/crates/wasmtime-wasi/RUSTSEC-2026-0188.md 
new/advisory-db-20260707/crates/wasmtime-wasi/RUSTSEC-2026-0188.md
--- old/advisory-db-20260618/crates/wasmtime-wasi/RUSTSEC-2026-0188.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/wasmtime-wasi/RUSTSEC-2026-0188.md  
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0188"
+package = "wasmtime-wasi"
+date = "2026-06-24"
+url = 
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj";
+categories = []
+keywords = []
+aliases = ["GHSA-4ch3-9j33-3pmj"]
+license = "CC0-1.0"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
+
+[versions]
+patched = [">= 46.0.1", ">= 45.0.3, < 46.0.0", ">= 36.0.12, < 37.0.0", ">= 
24.0.11, < 25.0.0"]
+unaffected = []
+```
+
+# WASI hard links and renames bypass wasmtime-wasi's FilePerms for destination
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj
+For more information see the GitHub-hosted security advisory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20260618/rust/cargo/CVE-2019-16760.md 
new/advisory-db-20260707/rust/cargo/CVE-2019-16760.md
--- old/advisory-db-20260618/rust/cargo/CVE-2019-16760.md       2026-06-17 
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/rust/cargo/CVE-2019-16760.md       2026-07-07 
00:19:41.000000000 +0200
@@ -111,5 +111,5 @@
 [1]: 
https://blog.rust-lang.org/2018/12/06/Rust-1.31-and-rust-2018.html#cargo-features
 [2]: 
https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#renaming-dependencies-in-cargotoml
 [3]: https://github.com/rust-lang/cargo/pull/4953
-[4]: https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992
+[4]: https://gist.github.com/emilyalbini/0d293b24a44babbeb6187e06eebd4992
 [5]: https://www.rust-lang.org/policies/security

Reply via email to