Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2026-07-07 21:03:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue Jul 7 21:03:48 2026 rev:55 rq:1364146 version:20260707
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2026-06-18 18:42:42.730261977 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1982/cargo-audit-advisory-db.changes
2026-07-07 21:06:23.228883358 +0200
@@ -1,0 +2,15 @@
+Tue Jul 07 04:09:23 UTC 2026 - [email protected]
+
+- Update to version 20260707:
+ * Assigned RUSTSEC-2026-0204 to crossbeam-epoch
+ * Add advisory for invalid pointer dereference in fmt::Pointer impl for
crossbeam_epoch::{Atomic,Shared}
+ * Bump actions/cache from 5.0.5 to 6.1.0
+ * Assigned RUSTSEC-2026-0203 to tree-sitter-perl-next
+ * Add tree-sitter-perl-next unmaintained advisory (#3039)
+ * Assigned RUSTSEC-2026-0202 to cxx
+ * Add advisory for cxx let_cxx_string unsoundness (#3037)
+ * Assigned RUSTSEC-2026-0201 to fulgur
+ * Add advisory for fulgur: blank-page DoS via non-painting replaced elements
+ * Assigned RUSTSEC-2026-0200 to fulgur
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20260618.tar.xz
New:
----
advisory-db-20260707.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.dkvNRq/_old 2026-07-07 21:06:23.984909822 +0200
+++ /var/tmp/diff_new_pack.dkvNRq/_new 2026-07-07 21:06:23.984909822 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20260618
+Version: 20260707
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.dkvNRq/_old 2026-07-07 21:06:24.028911363 +0200
+++ /var/tmp/diff_new_pack.dkvNRq/_new 2026-07-07 21:06:24.036911643 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20260618</param>
+ <param name="version">20260707</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20260618.tar.xz -> advisory-db-20260707.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260618/.duplicate-id-guard
new/advisory-db-20260707/.duplicate-id-guard
--- old/advisory-db-20260618/.duplicate-id-guard 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.duplicate-id-guard 2026-07-07
00:19:41.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-ce908ba0f99bbc5d19908680c6393bf7fdb9644c0b9771f658809f753f55baaa -
+cb6b18bc8f1ac5859aefcd4938ed9bd890f6f4f3ea4eb4314bed1cec97f8669c -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/.github/workflows/assign-ids.yml
new/advisory-db-20260707/.github/workflows/assign-ids.yml
--- old/advisory-db-20260618/.github/workflows/assign-ids.yml 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/assign-ids.yml 2026-07-07
00:19:41.000000000 +0200
@@ -14,20 +14,20 @@
contents: write # for create-pull-request
pull-requests: write # for create-pull-request
steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #
v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
persist-credentials: false
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.cargo/bin
- key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+ key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Assign IDs
id: assign
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/.github/workflows/export-osv.yml
new/advisory-db-20260707/.github/workflows/export-osv.yml
--- old/advisory-db-20260618/.github/workflows/export-osv.yml 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/export-osv.yml 2026-07-07
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
permissions:
contents: write # needed for pushing back to the repo
steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #
v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
ref: osv
persist-credentials: true # persists the token for git push below
- - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: admin-cache
with:
path: ~/.cargo/bin
- key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+ key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
- run: |
mkdir -p crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/.github/workflows/publish-web.yml
new/advisory-db-20260707/.github/workflows/publish-web.yml
--- old/advisory-db-20260618/.github/workflows/publish-web.yml 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/publish-web.yml 2026-07-07
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
permissions:
contents: write # needed for pushing back to the repo
steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #
v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
ref: gh-pages
persist-credentials: true # persists the token for git push below
- - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: admin-cache
with:
path: ~/.cargo/bin
- key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+ key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
- run: |
rustsec-admin web .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260618/.github/workflows/sync-ids.yml
new/advisory-db-20260707/.github/workflows/sync-ids.yml
--- old/advisory-db-20260618/.github/workflows/sync-ids.yml 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/sync-ids.yml 2026-07-07
00:19:41.000000000 +0200
@@ -16,20 +16,20 @@
contents: write # for create-pull-request
pull-requests: write # for create-pull-request
steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #
v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
persist-credentials: false
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.cargo/bin
- key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+ key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Synchronize IDs
id: sync_ids
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260618/.github/workflows/validate.yml
new/advisory-db-20260707/.github/workflows/validate.yml
--- old/advisory-db-20260618/.github/workflows/validate.yml 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/.github/workflows/validate.yml 2026-07-07
00:19:41.000000000 +0200
@@ -12,20 +12,20 @@
name: Lint advisories
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #
v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
persist-credentials: false
- name: Cache cargo bin
id: admin-cache
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.cargo/bin
- key: rustsec-admin-0ca9edd637bced72d435a282199af47e727276d3
+ key: rustsec-admin-eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Install rustsec-admin
if: steps.admin-cache.outputs.cache-hit != 'true'
- run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev 0ca9edd637bced72d435a282199af47e727276d3
+ run: cargo install --git https://github.com/rustsec/rustsec
rustsec-admin --rev eee63cf3c3916a9b8305678dfb91206acd9e67eb
- name: Lint advisories
run: rustsec-admin lint
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/ammonia/RUSTSEC-2026-0193.md
new/advisory-db-20260707/crates/ammonia/RUSTSEC-2026-0193.md
--- old/advisory-db-20260618/crates/ammonia/RUSTSEC-2026-0193.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/ammonia/RUSTSEC-2026-0193.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,51 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0193"
+package = "ammonia"
+date = "2026-06-30"
+categories = ["format-injection"]
+keywords = ["html", "xss"]
+aliases = ["GHSA-9jh8-v38h-cvhr"]
+
+[versions]
+patched = [">= 4.1.3", ">= 4.0.2, < 4.1.0", ">= 3.3.2, < 4.0.0"]
+```
+
+# mXSS in ammonia via MathML `annotation-xml` encoding strip
+
+If a certain set of MathML tags are enabled, an attacker can inject arbitrary
JavaScript code into the user's browser.
+
+The `annotation-xml` tag has slightly different behavior than the other
"integration point"
+tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly
+strip the namespace-incompatible tags.
+
+This vulnerability only has an effect when the `math` and `annotation-xml` tags
+are both enabled, but the `encoding` attribute is disabled, because it relies
+on the following sequence of steps:
+
+1. User writes code like `<math><annotation-xml
encoding="text/html"><gadget></annotation-xml></math>`.
+2. Namespace filtering checks the DOM, and it passes. `<gadget>` is parsed as
HTML.
+3. Attribute filter strips it down to
`<math><annotation-xml><gadget></annotation-xml></math>`. Because the encoding
attribute is gone, `<gadget>` is now parsed as MathML.
+4. The gadget is written in such a way that it exploits the parsing
differences between HTML and MathML.
+
+Additionally, the gadget can only be written using a tag that is parsed as raw
text in HTML.
+These [elements] are:
+
+* title
+* textarea
+* xmp
+* iframe
+* noembed
+* noframes
+* plaintext
+* noscript
+* style
+* script
+
+Applications that do not explicitly allow any of these tags should not be
affected, since none are allowed by default.
+
+[elements]:
https://github.com/servo/html5ever/blob/045a0378f2b0f8d4a350793899cf722a2a9b3d11/html5ever/src/tree_builder/rules.rs
+
+---
+
+**Discovered by:** ivan0912 (YesWeHack) · **Date:** 2026-06-29 · Found via
local differential analysis and source review of ammonia's sanitisation
pipeline; no third-party systems were tested.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/anyhow/RUSTSEC-2026-0190.md
new/advisory-db-20260707/crates/anyhow/RUSTSEC-2026-0190.md
--- old/advisory-db-20260618/crates/anyhow/RUSTSEC-2026-0190.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/anyhow/RUSTSEC-2026-0190.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,70 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0190"
+package = "anyhow"
+date = "2026-06-25"
+url = "https://github.com/dtolnay/anyhow/issues/451"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "downcast_mut"]
+
+[affected.functions]
+"anyhow::Error::downcast_mut" = ["< 1.0.103"]
+
+[versions]
+patched = [">= 1.0.103"]
+```
+
+# Unsoundness in `Error::downcast_mut()`
+
+Affected versions of this crate violate borrow rules, resulting in undefined
behavior, when the user adds context to an error via `Error::context` and then
later calls `Error::downcast_mut` on the returned `Error`.
+
+The flaw was corrected in commit `6e8c000` by revising how the mutable
reference is constructed, avoiding inclusion of a shared reference in the
resulting borrow chain.
+
+## Example
+
+```rust
+use anyhow::Error;
+use std::fmt;
+
+#[derive(Debug)]
+struct ErrorContext(&'static str);
+
+impl fmt::Display for ErrorContext {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ fmt::Display::fmt(&self.0, f)
+ }
+}
+
+fn main() {
+ let mut error = Error::msg("inner error").context(ErrorContext("old
context"));
+ let context: &mut ErrorContext = error.downcast_mut().unwrap();
+ context.0 = "new context";
+ println!("{:?}", error);
+}
+```
+
+## Miri output
+
+```
+error: Undefined Behavior: trying to retag from <1538> for Unique permission
at alloc602[0x38], but that tag only grants SharedReadOnly permission for this
location
+ --> src/ptr.rs:170:18
+ |
+170 | unsafe { &mut *self.ptr.as_ptr() }
+ | ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of
retag at alloc602[0x38..0x48]
+ |
+ = help: this indicates a potential bug in the program: it performed an
invalid operation, but the Stacked Borrows rules it violated are still
experimental
+ = help: see
https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md
for further information
+help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
+ --> src/ptr.rs:89:18
+ |
+ 89 | ptr: NonNull::from(ptr),
+ | ^^^^^^^^^^^^^^^^^^
+ = note: stack backtrace:
+ 0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
+ at src/ptr.rs:170:18: 170:41
+ 1: anyhow::error::<impl
anyhow::Error>::downcast_mut::<ErrorContext>
+ at src/error.rs:560:18: 560:46
+ 2: main
+ at examples/downcast_mut.rs:15:38: 15:58
+```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/bcrypt/RUSTSEC-2026-0199.md
new/advisory-db-20260707/crates/bcrypt/RUSTSEC-2026-0199.md
--- old/advisory-db-20260618/crates/bcrypt/RUSTSEC-2026-0199.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/bcrypt/RUSTSEC-2026-0199.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,74 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0199"
+package = "bcrypt"
+date = "2026-06-20"
+url = "https://github.com/Keats/rust-bcrypt/pull/103"
+references = [
+ "https://github.com/Keats/rust-bcrypt/issues/62",
+ "https://github.com/Keats/rust-bcrypt/pull/95",
+
"https://github.com/Keats/rust-bcrypt/commit/f5f1ee2862c1198a85afe3c2f8cd80835162b7e9",
+]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+keywords = ["panic", "utf-8", "denial-of-service"]
+
+[versions]
+patched = [">= 0.19.2"]
+unaffected = ["< 0.19.0"]
+```
+
+# Panic in `bcrypt::verify` on non-ASCII hash input
+
+`bcrypt::verify(password, hash)` and `HashParts::from_str(hash)` panic in
+`str::slice_error_fail` when given a 60-byte `&str` containing a multi-byte
+UTF-8 character at certain byte positions.
+
+## Impact
+
+Any Rust code that calls `bcrypt::verify` (or `HashParts::from_str`) with an
+attacker-controlled hash string will panic. The `bcrypt` crate is
+`#![forbid(unsafe_code)]`, so this is limited to a denial-of-service and
+cannot lead to memory corruption.
+
+Realistic attack contexts include:
+
+- Rust authentication services reading hashes from a database that was
+ previously compromised via, e.g., SQL injection. The attacker can then
+ crash the service on every login attempt against the tampered account.
+- CLI tools accepting hashes from stdin or command-line arguments.
+- Password managers or vault services loading hashes from untrusted
+ configuration sources.
+
+## Root cause
+
+`split_hash` performed five `&str` slicing operations on the input hash:
+`&hash[1..3]`, `&hash[4..6]`, `&hash[7..]`, `&salt_and_hash[..22]`, and
+`&salt_and_hash[22..]`. None of these were char-boundary-checked. Any input
+where a multi-byte UTF-8 character spanned one of those byte positions
+caused a panic.
+
+This is a regression of the fix originally shipped in 2021 for issue #62
+(commit `0833509`). The regression was introduced in the parser rewrite in
+PR #95 (commit `e9a8394`, released as 0.19.0).
+
+The pre-existing regression test `does_no_error_on_char_boundary_splitting`
+was not removed, but was silently rendered ineffective by the new
+`bytes[0] != b'$'` guard, which rejected its input earlier and prevented
+it from reaching the buggy slices — leaving CI green through the regression.
+
+## Fix
+
+`split_hash` now rejects any hash string containing non-ASCII bytes up
+front. A valid bcrypt hash is always exactly 60 ASCII bytes, so this
+closes the entire class of byte-boundary panics rather than guarding each
+slice individually.
+
+The fix was merged in PR #103 and released as `bcrypt 0.19.2` on 2026-06-20.
+
+## Downstream impact
+
+`pyca/bcrypt` (which depended on `bcrypt 0.19.1`) is **not** affected. Its
+Python-side wrapper performs its own byte-level salt parsing before
+invoking `bcrypt::hash_with_salt`, and never reaches the buggy code path
+in `split_hash` or `verify`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0196.md
new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0196.md
--- old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0196.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0196.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0196"
+package = "cgmath"
+date = "2026-07-01"
+url =
"https://github.com/rustsec/advisory-db/pull/2910#pullrequestreview-4611570365"
+references = ["https://github.com/rustgd/cgmath/issues/565"]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `cgmath` is unmaintained
+
+The `cgmath` crate is no longer maintained.
+
+Users should consider switching to a maintained alternative.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0197.md
new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0197.md
--- old/advisory-db-20260618/crates/cgmath/RUSTSEC-2026-0197.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cgmath/RUSTSEC-2026-0197.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0197"
+package = "cgmath"
+date = "2026-03-11"
+url = "https://github.com/rustgd/cgmath/issues/565"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["soundness", "undefined-behavior", "aliasing", "stacked-borrows"]
+
+[affected.functions]
+"cgmath::Matrix2::swap_columns" = ["= 0.18.0"]
+"cgmath::Matrix3::swap_columns" = ["= 0.18.0"]
+"cgmath::Matrix4::swap_columns" = ["= 0.18.0"]
+
+[versions]
+patched = []
+```
+
+# `Matrix{2,3,4}::swap_columns` can trigger undefined behavior for identical
indices
+
+The `Matrix2::swap_columns`, `Matrix3::swap_columns`, and
`Matrix4::swap_columns`
+implementations call `ptr::swap(&mut self[a], &mut self[b])`.
+
+When `a == b`, these safe APIs create two mutable references to the same matrix
+column and pass them to `ptr::swap`. This violates Rust's aliasing rules and
can
+trigger undefined behavior. The issue can be reproduced from safe Rust by
calling
+`swap_columns` with identical column indices, for example `m.swap_columns(0,
0)`.
+
+A minimal fix is to return early when the two column indices are equal before
+calling `ptr::swap`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/crossbeam-epoch/RUSTSEC-2026-0204.md
new/advisory-db-20260707/crates/crossbeam-epoch/RUSTSEC-2026-0204.md
--- old/advisory-db-20260618/crates/crossbeam-epoch/RUSTSEC-2026-0204.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/crossbeam-epoch/RUSTSEC-2026-0204.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0204"
+package = "crossbeam-epoch"
+date = "2026-07-06"
+url = "https://github.com/crossbeam-rs/crossbeam/pull/1276"
+keywords = ["NULL-pointer-dereference"]
+aliases = []
+
+[versions]
+patched = [">= 0.9.20"]
+unaffected = ["< 0.9.0"]
+```
+
+# Invalid pointer dereference in `fmt::Pointer` impl for `Atomic` and `Shared`
when the underlying pointer is invalid
+
+Affected versions of `fmt::Display` dereference the underlying pointer. This
causes a invalid pointer dereference e.g., when a pointer created with
`Atomic::null` or `Shared::null`. `fmt::Debug` impls and pre-0.9 `fmt::Display`
impls, which do not dereference pointers, are not affected by this issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260618/crates/cxx/RUSTSEC-2026-0202.md
new/advisory-db-20260707/crates/cxx/RUSTSEC-2026-0202.md
--- old/advisory-db-20260618/crates/cxx/RUSTSEC-2026-0202.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/cxx/RUSTSEC-2026-0202.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0202"
+package = "cxx"
+date = "2026-07-05"
+url = "https://github.com/dtolnay/cxx/issues/1729"
+informational = "unsound"
+categories = ["memory-exposure"]
+keywords = ["exception", "unwind"]
+
+[affected]
+#arch = ["x86", "x86_64"]
+#os = ["windows"]
+
+[affected.functions]
+"cxx::let_cxx_string" = ["< 1.0.195"]
+
+[versions]
+patched = [">= 1.0.195"]
+```
+
+# `let_cxx_string!` uses uninitialized value due to exception safety violations
+
+In affected versions of this crate, `let_cxx_string!` is not exception safe.
After creating the `StackString`, if `match $value` panics, the content of
`StackString` is not yet initialized, while the drop implementation of
`StackString` unconditionally deinitializes the content, leading to use of
uninitialized value.
+
+The soundness issue was fixed in version `1.0.195` by moving drop logics to
separate drop guard after initializing the `StackString`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/error-stack/RUSTSEC-2026-0198.md
new/advisory-db-20260707/crates/error-stack/RUSTSEC-2026-0198.md
--- old/advisory-db-20260618/crates/error-stack/RUSTSEC-2026-0198.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/error-stack/RUSTSEC-2026-0198.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0198"
+package = "error-stack"
+date = "2026-07-03"
+url = "https://github.com/hashintel/hash/issues/8945"
+references = ["https://github.com/hashintel/hash/pull/8946"]
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["aliasing"]
+
+[versions]
+patched = [">= 0.8.0"]
+
+[affected]
+functions = { "error_stack::Report::frames_mut" = ["*"] }
+```
+
+# `Report::frames_mut` allows aliased mutable references
+
+Affected versions of this crate return an iterator from
+`Report::frames_mut` whose `&mut Frame` items have lifetimes independent
+of the iterator, so all yielded references can be held at the same time.
+A yielded frame's sources are also yielded by the iterator and reachable
+through the parent frame via `Frame::sources_mut`, allowing safe code to
+obtain two live mutable references to the same frame. This is undefined
+behavior and can be used to cause a segmentation fault (see reproducer in
+the linked issue). Versions 0.1.0 and 0.1.1 are affected through
+`Frame::source_mut` instead of `Frame::sources_mut`.
+
+The flaw is fixed in 0.8.0 by replacing the iterator with internal
+iteration: `Report::frames_mut` now takes a visitor closure, so mutable
+access to a frame is scoped and cannot overlap with access to its
+sources.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0200.md
new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0200.md
--- old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0200.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0200.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,48 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0200"
+package = "fulgur"
+date = "2026-07-05"
+url =
"https://github.com/fulgur-rs/fulgur/security/advisories/GHSA-j5cx-ph8g-95v3"
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["dos", "pagination", "pdf"]
+aliases = ["GHSA-j5cx-ph8g-95v3"]
+
+[versions]
+patched = [">= 0.19.0"]
+```
+
+# Unbounded page slicing from attacker-controlled CSS height causes denial of
service
+
+`fulgur` converts untrusted HTML/CSS into PDF, commonly on a server that
+processes input supplied by many tenants. In versions prior to 0.19.0, a
+body-direct child whose CSS-resolved height greatly exceeds the page height was
+sliced into one fragment per page with no upper bound.
+
+The height is taken directly from attacker-controlled HTML/CSS (`height`, `vh`
+units), so a few bytes such as `<div style="height:99999999px"></div>` forced
on
+the order of 125,000 page fragments. The pagination code then allocates
+`vec![Vec::new(); page_count]` and runs a per-page render loop, resulting in
CPU
+and memory exhaustion. A non-finite height (one that resolves to `+inf`)
+additionally made the slicing loop's `remaining -= last_slice_h` decrement
never
+terminate, causing an infinite loop.
+
+An attacker able to submit HTML/CSS to a fulgur-based conversion service can
+trigger this with a trivially small payload, denying service to the host and
any
+co-tenants.
+
+Fixed in 0.19.0: a `MAX_PAGES` cap bounds the slice loop — halting it even for
a
+`+inf` height — and non-finite layout heights are sanitized so they can no
+longer drive the loop.
+
+## Attack Vector rationale
+
+`fulgur` performs no network I/O of its own; it renders HTML/CSS handed to it
by
+the embedding application. This advisory scores the crate independent of any
+specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack
+Vector is assessed as Network for the reasonable worst-case deployment — a
+network-facing service that renders untrusted HTML without user interaction. A
+concrete system that receives the HTML in one component and passes it to fulgur
+in a separate component may assess a lower environmental Attack Vector (Local,
+per §3.10).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0201.md
new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0201.md
--- old/advisory-db-20260618/crates/fulgur/RUSTSEC-2026-0201.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/fulgur/RUSTSEC-2026-0201.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,53 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0201"
+package = "fulgur"
+date = "2026-07-05"
+url =
"https://github.com/fulgur-rs/fulgur/security/advisories/GHSA-4rf6-qx84-q9fv"
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["dos", "pagination", "pdf"]
+aliases = ["GHSA-4rf6-qx84-q9fv"]
+
+[versions]
+patched = [">= 0.26.0"]
+```
+
+# Non-painting replaced elements amplify to thousands of blank PDF pages
(denial of service)
+
+`fulgur` converts untrusted HTML/CSS into PDF, commonly on a server that
+processes input supplied by many tenants. In versions prior to 0.26.0, a
+childless box that resolves to a pathologically tall height was amplified into
+thousands of blank PDF pages, even when it produces no visible output.
+
+The childless-collapse defense that would normally collapse such a box was
gated
+by a tag-only "replaced content" check, so any non-painting replaced element
+bypassed it, including an unresolved `src` (the common offline-first case), a
+`visibility:hidden` image, an undecodable image format, and an empty `<svg>`. A
+trailing-sibling variant of the same gap was also open.
+
+A few bytes of HTML therefore amplified into roughly `MAX_PAGES` (10,000) blank
+pages; the renderer allocates and runs a per-page loop over them, producing CPU
+and memory exhaustion. An attacker able to submit HTML to a fulgur-based
+conversion service can trigger this with a trivially small payload, denying
+service to the host and any co-tenants.
+
+Fixed in 0.26.0: the tag-only gate was removed so that any pathologically tall
+childless box collapses regardless of whether it is a replaced element, closing
+the missing-`src`, `visibility:hidden`, undecodable-format, and empty-`<svg>`
+vectors along with the trailing-sibling variant.
+
+Versions prior to 0.19.0 additionally lacked any page-count cap, allowing an
+unbounded (rather than 10,000-page) variant of this amplification; that earlier
+variant is tracked separately as GHSA-j5cx-ph8g-95v3.
+
+## Attack Vector rationale
+
+`fulgur` performs no network I/O of its own; it renders HTML/CSS handed to it
by
+the embedding application. This advisory scores the crate independent of any
+specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack
+Vector is assessed as Network for the reasonable worst-case deployment — a
+network-facing service that renders untrusted HTML without user interaction. A
+concrete system that receives the HTML in one component and passes it to fulgur
+in a separate component may assess a lower environmental Attack Vector (Local,
+per §3.10).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/i_tree/RUSTSEC-2025-0165.md
new/advisory-db-20260707/crates/i_tree/RUSTSEC-2025-0165.md
--- old/advisory-db-20260618/crates/i_tree/RUSTSEC-2025-0165.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/i_tree/RUSTSEC-2025-0165.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0165"
+package = "i_tree"
+date = "2025-07-04"
+url = "https://github.com/iShape-Rust/iTree/issues/1"
+references = [
+
"https://github.com/iShape-Rust/iTree/commit/a948b891cf159233bfed5b16bf185268fd9e1985",
+ "https://github.com/iShape-Rust/iTree/compare/0.9.0...0.10.0",
+]
+informational = "unsound"
+
+[affected.functions]
+"i_tree::tree::Tree::node" = ["< 0.10.0"]
+"i_tree::tree::Tree::mut_node" = ["< 0.10.0"]
+
+[versions]
+patched = [">= 0.10.0"]
+
+```
+
+# i_tree allowed out-of-bounds access through safe public node accessors
+
+Affected versions of `i_tree` exposed safe public `Tree::node` and
`Tree::mut_node` methods in the public `tree` module. These methods accepted an
arbitrary `u32` index and passed it directly to `Vec::get_unchecked` /
`get_unchecked_mut` on the internal node buffer, without validating that the
index was in bounds.
+
+Because these methods were safe and public, a caller could pass an
out-of-bounds index without writing any `unsafe` code, producing an
out-of-bounds shared or mutable reference and triggering undefined behavior.
+
+Starting with `0.10.0` the crate was restructured and these accessors are no
longer reachable from outside the crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/i_triangle/RUSTSEC-2025-0164.md
new/advisory-db-20260707/crates/i_triangle/RUSTSEC-2025-0164.md
--- old/advisory-db-20260618/crates/i_triangle/RUSTSEC-2025-0164.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/i_triangle/RUSTSEC-2025-0164.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0164"
+package = "i_triangle"
+date = "2025-04-24"
+url = "https://github.com/iShape-Rust/iTriangle/issues/4"
+references = [
+
"https://github.com/iShape-Rust/iTriangle/commit/13e0e9f4d5333e3a815191e5f6f402641997f91b"
+]
+informational = "unsound"
+
+[affected.functions]
+"i_triangle::delaunay::triangle::DTriangle::neighbor_by_order" = [">= 0.24.0",
"< 0.29.0"]
+"i_triangle::delaunay::triangle::DTriangle::vertex_by_order" = [">= 0.24.0",
"< 0.29.0"]
+
+[versions]
+patched = [">= 0.29.0"]
+```
+
+# `DTriangle` accessors may read out of bounds in affected versions
+
+In affected versions, `DTriangle::neighbor_by_order` and
`DTriangle::vertex_by_order` were public safe functions that accepted an
+arbitrary `order` value. These functions used `order` to access fixed-size
internal arrays with `get_unchecked`, without checking whether `order` was
within bounds. Calling these methods with an out-of-bounds `order` could cause
an out-of-bounds read from safe Rust code. This made the old APIs unsound,
since safe callers could trigger undefined behavior without using `unsafe`.
+
+The issue was fixed in version `0.29.0` as part of a broader rewrite that
replaced the old triangle implementation with `IntTriangle` and removed the
affected accessor methods.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/jxl-grid/RUSTSEC-2026-0151.md
new/advisory-db-20260707/crates/jxl-grid/RUSTSEC-2026-0151.md
--- old/advisory-db-20260618/crates/jxl-grid/RUSTSEC-2026-0151.md
2026-06-17 15:50:20.000000000 +0200
+++ new/advisory-db-20260707/crates/jxl-grid/RUSTSEC-2026-0151.md
2026-07-07 00:19:41.000000000 +0200
@@ -5,7 +5,7 @@
date = "2026-05-29"
url =
"https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-5pmv-rx8r-wmv5"
categories = ["memory-corruption"]
-aliases = ["GHSA-5pmv-rx8r-wmv5"]
+aliases = ["CVE-2026-52834", "GHSA-5pmv-rx8r-wmv5"]
[versions]
patched = [">= 0.6.2"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/lopdf/RUSTSEC-2026-0187.md
new/advisory-db-20260707/crates/lopdf/RUSTSEC-2026-0187.md
--- old/advisory-db-20260618/crates/lopdf/RUSTSEC-2026-0187.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/lopdf/RUSTSEC-2026-0187.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0187"
+package = "lopdf"
+date = "2026-06-21"
+categories = ["denial-of-service"]
+keywords = ["dos", "stack-overflow", "recursion", "untrusted-input", "pdf"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/J-F-Liu/lopdf/issues/502",
"https://github.com/J-F-Liu/lopdf/pull/503",
"https://github.com/J-F-Liu/lopdf/commit/c755394"]
+
+[versions]
+patched = [">= 0.42.0"]
+```
+
+# Stack overflow in lopdf via deeply nested PDF objects
+
+`lopdf::Document::load_mem` (and the other `load*` entry points) parses nested
PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose
Catalog contains a deeply nested array (`/X [[[ … ]]]`, on the order of 10,000
levels) exhausts the call stack and aborts the process with `SIGABRT`.
+
+Because this is a stack-overflow abort rather than a `panic!`, it cannot be
caught with `catch_unwind`: any service that parses untrusted PDF input with
lopdf can be crashed by a ~21 KB file, resulting in a denial of service.
+
+Confirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration,
no features changed.
+
+## Proof of concept
+
+```rust
+fn main() {
+ let bytes = std::fs::read("poc.pdf").unwrap(); // ~10,380-deep nested
array in the Catalog
+ let _ = lopdf::Document::load_mem(&bytes); // stack overflow -> SIGABRT
+}
+```
+
+An equivalent PoC is a minimal PDF whose Catalog `/X` value is `"[" * 10380 +
"]" * 10380`.
+
+## Suggested fix
+
+Enforce a maximum object-nesting depth in the parser and return an `Err`
instead of recursing without bound.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/memmap2/RUSTSEC-2026-0186.md
new/advisory-db-20260707/crates/memmap2/RUSTSEC-2026-0186.md
--- old/advisory-db-20260618/crates/memmap2/RUSTSEC-2026-0186.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/memmap2/RUSTSEC-2026-0186.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0186"
+package = "memmap2"
+date = "2026-06-20"
+url = "https://github.com/RazrFalcon/memmap2-rs/issues/169"
+references = ["https://github.com/RazrFalcon/memmap2-rs/pull/170"]
+informational = "unsound"
+keywords = ["pointer-arithmetic", "out-of-bounds"]
+
+[affected.functions]
+"memmap2::Mmap::advise_range" = [">= 0.5.9","< 0.9.11"]
+"memmap2::Mmap::unchecked_advise_range" = [">= 0.8.0","< 0.9.11"]
+"memmap2::MmapMut::advise_range" = [">= 0.5.9","< 0.9.11"]
+"memmap2::MmapMut::flush_async_range" = ["< 0.9.11"]
+"memmap2::MmapMut::flush_range" = ["< 0.9.11"]
+"memmap2::MmapMut::unchecked_advise_range" = [">= 0.8.0","< 0.9.11"]
+
+[versions]
+patched = [">= 0.9.11"]
+```
+
+# Unchecked pointer offset in crate `memmap2`
+
+Affected versionf of `memmap2` did not perform enough validation on the
`offset` and `len` parameters of
+`Mmap::[unchecked_]advise_range()`,
+`MmapMut::[unchecked_]advise_ranage()`
+and `MmapMut::flush[_async]_range()`.
+
+This can cause undefined behavior due to invalid values being passed to
[`pointer::offset()`] and [`pointer::add()`]
+when passing an out-of-bounds range to any of the affected functions.
+
+The flaw was corrected in commit [`cee7cf0`] and released in version `0.9.11`.
+
+The invalid pointer is not dereferenced,
+but it is passed to the `madvise` and `msync` syscalls and their Windows
equivalents.
+
+[`pointer::offset()`]:
https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset-1
+[`pointer::add()`]:
https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.add-1
+[`cee7cf0`]
https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0194.md
new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0194.md
--- old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0194.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0194.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,74 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0194"
+package = "quick-xml"
+date = "2026-06-29"
+url = "https://github.com/tafia/quick-xml/issues/969"
+references = [
+ "https://github.com/tafia/quick-xml/pull/971",
+
"https://github.com/tafia/quick-xml/commit/07f3db8343cf152f5bc3483ef5b3164582489bea",
+]
+categories = ["denial-of-service"]
+keywords = ["xml", "parser", "dos", "algorithmic-complexity", "quadratic"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.41.0"]
+```
+
+# Quadratic run time when checking a start tag for duplicate attribute names
+
+`BytesStart::attributes()` returns an `Attributes` iterator which, by default
+(`with_checks(true)`), rejects a start tag that repeats an attribute name. For
+each attribute yielded, the iterator compared the new name against every name
+seen so far in the same tag using a linear scan, so a start tag with `N`
+distinct attribute names cost `O(N²)` byte comparisons. There was no bound on
+`N` other than the size of the buffered start tag.
+
+## Impact
+
+Any code that parses untrusted XML and iterates a start tag's attributes with
+the default duplicate check enabled can be made to spend CPU time quadratic in
+the number of attributes on a single tag. Because the check is pure computation
+with no `.await`/I/O, an I/O-based timeout on the consumer (for example a read
+or request timeout) cannot interrupt it while it runs.
+
+Measured cost of a single start tag, release build:
+
+| Attributes on one tag | Time |
+|---|---|
+| 80,000 | ~6 s |
+| 800,000 | ~10 min |
+
+The cost grows with the square of the attribute count, so a start tag of a few
+tens of megabytes can stall a parsing thread for hours. No memory is exhausted
+and the parser does not crash; the effect is CPU exhaustion on the thread doing
+the parsing: a single crafted start tag can pin a CPU core for minutes to
hours,
+denying service to that worker. A deployment that places a wall-clock bound on
+parsing, or confines it to a non-critical thread, may consider the availability
+impact lower.
+
+## Affected code paths
+
+* `BytesStart::attributes()` / `Attributes` iterated with checks enabled (the
+ default), and `BytesStart::try_get_attribute`.
+* `NsReader`, which resolves namespaces by iterating a tag's attributes and so
+ reaches the same check internally.
+
+Consumers that iterate attributes with `.attributes().with_checks(false)` and
do
+not use `NsReader` are not affected.
+
+This was reported as reachable by a remote, unauthenticated attacker in a
+real-world RPKI relying party (NLnet Labs Routinator) via a crafted RRDP
+`snapshot.xml`.
+
+## Remediation
+
+Upgrade to `quick-xml >= 0.41.0`, where the duplicate check keeps the linear
+scan for start tags with a small number of attributes and switches to an `O(1)`
+hash pre-filter above a threshold, making the whole tag `O(N)`. The reported
+`AttrError::Duplicated` positions are unchanged.
+
+If upgrading is not possible and duplicate-name detection is not required,
+disable it with `.attributes().with_checks(false)` (this does not help
+`NsReader` consumers, which have no equivalent opt-out before 0.41.0).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0195.md
new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0195.md
--- old/advisory-db-20260618/crates/quick-xml/RUSTSEC-2026-0195.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quick-xml/RUSTSEC-2026-0195.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0195"
+package = "quick-xml"
+date = "2026-06-29"
+url = "https://github.com/tafia/quick-xml/issues/970"
+references = [
+
"https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a",
+]
+categories = ["denial-of-service"]
+keywords = ["xml", "parser", "dos", "memory", "namespace"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.41.0"]
+```
+
+# Unbounded namespace-declaration allocation in `NsReader` enables
memory-exhaustion denial of service
+
+`NsReader` resolves namespaces by calling `NamespaceResolver::push` for every
+`Start`/`Empty` event *before* the event is returned to the caller. `push`
+iterated all `xmlns` / `xmlns:*` attributes on the start tag and, for each one,
+appended the prefix bytes to an internal buffer and pushed a `NamespaceBinding`
+(32 bytes on 64-bit) to an internal `Vec`, with no upper bound on the number of
+declarations.
+
+## Impact
+
+A start tag with `N` namespace declarations drove roughly `3×` the tag's byte
+size in `NamespaceResolver` heap, allocated *inside* `quick-xml` before the
+`NsReader` consumer ever received the event and could inspect or reject it. A
+consumer that bounds its *input* size therefore still cannot bound this
+allocation: an `M`-byte start tag yields on the order of `3 × M` bytes of
+resolver heap the caller never sees.
+
+On untrusted XML this lets a remote, unauthenticated attacker force large heap
+allocations with a single start tag. With several `NsReader`s running
+concurrently on independent inputs (a common server pattern), the allocations
+stack and can exhaust process memory, causing the operating system to kill the
+process (OOM). This was confirmed against a real-world RPKI relying party
(NLnet
+Labs Routinator), where concurrent RRDP validation workers parsing a crafted
+`snapshot.xml` exceeded the memory limit and the process was OOM-killed.
+
+## Affected code paths
+
+Consumers using `NsReader` (which always calls `NamespaceResolver::push` before
+yielding `Start`/`Empty`), or calling `NamespaceResolver::push` directly. A
plain
+`Reader` that does not perform namespace resolution is not affected.
+
+## Remediation
+
+Upgrade to `quick-xml >= 0.41.0`. `NamespaceResolver::push` now rejects a start
+tag that declares more than `DEFAULT_MAX_DECLARATIONS_PER_ELEMENT` (256)
+namespace bindings, returning the new `NamespaceError::TooManyDeclarations`
+instead of allocating without limit. The limit is configurable via
+`NamespaceResolver::set_max_declarations_per_element` (use `usize::MAX` to
+restore the previous unbounded behavior), and `NsReader::resolver_mut()` is
+provided to reach it.
+
+There is no clean workaround for `NsReader` consumers before 0.41.0, as the
+allocation happens inside the reader with no configuration knob to cap it.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/quinn-proto/RUSTSEC-2026-0185.md
new/advisory-db-20260707/crates/quinn-proto/RUSTSEC-2026-0185.md
--- old/advisory-db-20260618/crates/quinn-proto/RUSTSEC-2026-0185.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/quinn-proto/RUSTSEC-2026-0185.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0185"
+package = "quinn-proto"
+date = "2026-06-22"
+url = "https://github.com/quinn-rs/quinn/pull/2694"
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["oom"]
+aliases = ["GHSA-4w2j-m93h-cj5j"]
+
+[versions]
+patched = [">= 0.11.15"]
+```
+
+# Remote memory exhaustion in quinn-proto from unbounded out-of-order stream
reassembly
+
+The `Assembler` component that assembles unordered stream fragments into
consecutive chunks of the
+stream incurs some overhead for non-contiguous fragments. Readers that read
from a RecvStream in
+order (through an `AsyncRead` impl for example) will be sensitive to peers
that send fragments
+while leaving out early parts of the stream, and in particular, fragments with
many gaps (because
+these cannot be defragmented). In such a scenario, the receiving connection
suffers from high
+buffer overhead, enabling memory exhaustion.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/rmcp/RUSTSEC-2026-0189.md
new/advisory-db-20260707/crates/rmcp/RUSTSEC-2026-0189.md
--- old/advisory-db-20260618/crates/rmcp/RUSTSEC-2026-0189.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/rmcp/RUSTSEC-2026-0189.md 2026-07-07
00:19:41.000000000 +0200
@@ -0,0 +1,51 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0189"
+package = "rmcp"
+date = "2026-04-29"
+url =
"https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+keywords = ["dns-rebinding", "mcp", "http"]
+aliases = ["CVE-2026-42559", "GHSA-89vp-x53w-74fx", "GHSA-fvh2-gm75-j4j7"]
+related = ["GHSA-fvh2-gm75-j4j7", "RUSTSEC-2026-0140"]
+references = [
+ "https://github.com/modelcontextprotocol/rust-sdk/pull/764",
+ "https://github.com/modelcontextprotocol/rust-sdk/issues/815",
+ "https://github.com/modelcontextprotocol/rust-sdk/issues/822",
+
"https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning",
+]
+
+[versions]
+patched = [">= 1.4.0"]
+```
+
+# DNS rebinding vulnerability in rmcp Streamable HTTP server transport
+
+Prior to version 1.4.0, the `rmcp` crate's Streamable HTTP server transport did
+not validate the incoming `Host` header.
+
+This allowed a malicious public website, via a DNS rebinding attack, to send
+requests to an MCP server running on the victim's loopback or private-network
+interface.
+
+An attacker who convinced a victim to visit a malicious page could enumerate
and
+invoke tools exposed by a locally running rmcp-based MCP server, read resources
+and prompts, and trigger side effects limited by the tools exposed by that
+server.
+
+Non-HTTP transports such as stdio and child-process transports are not
affected.
+
+## Patches
+
+The issue was fixed in `rmcp` 1.4.0 by adding default loopback-only host
+allowlist validation for the Streamable HTTP server transport. Incoming HTTP
+requests now validate the `Host` header and return HTTP 403 when the host is
not
+allowed.
+
+Users should upgrade to `rmcp >= 1.4.0`.
+
+## Workarounds
+
+If upgrading is not possible, place the MCP server behind a reverse proxy
+configured to reject requests whose `Host` header is not one of the expected
+hostnames. Do not bind the MCP server to `0.0.0.0` without such validation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/solana_rbpf/RUSTSEC-2026-0191.md
new/advisory-db-20260707/crates/solana_rbpf/RUSTSEC-2026-0191.md
--- old/advisory-db-20260618/crates/solana_rbpf/RUSTSEC-2026-0191.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/solana_rbpf/RUSTSEC-2026-0191.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,43 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0191"
+package = "solana_rbpf"
+date = "2026-05-28"
+url = "https://github.com/solana-labs/rbpf"
+references = [
+ "https://github.com/anza-xyz/sbpf/pull/151",
+ "https://crates.io/crates/solana-sbpf",
+]
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["soundness", "pointer-arithmetic", "out-of-bounds"]
+
+[affected.functions]
+"solana_rbpf::vm::EbpfVm::invoke_function" = [">= 0.8.0, <= 0.8.5"]
+
+[versions]
+patched = []
+unaffected = ["< 0.8.0"]
+```
+
+# `EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic
+
+Affected versions of `solana_rbpf` expose the safe method
+`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by
+casting `self` to `*mut u64` and applying a randomized offset derived from
+`get_runtime_environment_key()`.
+
+The resulting pointer arithmetic is performed with `ptr::offset`, which
+requires the computed pointer to remain within the same allocation. In
practice,
+the randomized offset can move the pointer far outside the allocation
+containing the `EbpfVm`, causing undefined behavior before the supplied builtin
+function is invoked.
+
+## Unmaintained
+
+The upstream `solana_rbpf` repository is archived, and no patched version of
+this crate is currently available.
+
+Users should migrate to the maintained
[`solana-sbpf`](https://crates.io/crates/solana-sbpf)
+crate. The issue has been fixed there in
+[`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/stackvector/RUSTSEC-2025-0166.md
new/advisory-db-20260707/crates/stackvector/RUSTSEC-2025-0166.md
--- old/advisory-db-20260618/crates/stackvector/RUSTSEC-2025-0166.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/stackvector/RUSTSEC-2025-0166.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0166"
+package = "stackvector"
+date = "2025-10-23"
+url = "https://github.com/Alexhuszagh/rust-stackvector/issues/3"
+references = [
+ "https://github.com/Alexhuszagh/rust-stackvector/pull/6",
+
"https://github.com/Alexhuszagh/rust-stackvector/commit/02b947afdeeb1be95ec0888354aa76afdd9d0357",
+ "https://github.com/Alexhuszagh/rust-stackvector/issues/5",
+]
+informational = "unsound"
+
+[versions]
+patched = [">= 2.0.0"]
+```
+
+# Multiple soundness issues in `stackvector`
+
+Affected versions of `stackvector` contained multiple soundness issues that
could allow safe Rust code to trigger undefined behavior.
+
+One issue was that `StackVec::length` was exposed as a public field. Safe Rust
code could set `length` to a value larger than the backing array capacity.
Other safe methods, including `remove`, `pop`, and `truncate`, relied on
`length` before performing unsafe pointer operations (`ptr::read`, `ptr::copy`,
`offset`/`add`). If `length` was corrupted by safe code, these methods could
perform out-of-bounds pointer arithmetic, reads, writes, or copies.
+
+The upstream maintainer also identified additional soundness issues, including
the use of `mem::uninitialized` in `StackVec::from_vec_unchecked`, which was
reachable through `from_vec`, and Miri violations related to `MaybeUninit`
usage.
+
+Version `2.0.0` was released to fix the known soundness issues.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/structopt/RUSTSEC-2022-0104.md
new/advisory-db-20260707/crates/structopt/RUSTSEC-2022-0104.md
--- old/advisory-db-20260618/crates/structopt/RUSTSEC-2022-0104.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/structopt/RUSTSEC-2022-0104.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0104"
+package = "structopt"
+date = "2022-02-08"
+url = "https://github.com/TeXitoi/structopt#maintenance"
+references = ["https://github.com/TeXitoi/structopt/issues/525"]
+informational = "unmaintained"
+related = []
+license = "CC0-1.0"
+
+[versions]
+patched = []
+```
+
+# `structopt` is in maintenance mode
+
+`structopt` has been in maintenance mode, with no new development planned,
since at least February of 2022.
+
+The status of `structopt` is discussed in a [pinned
issue](https://github.com/TeXitoi/structopt/issues/525).
+
+## Recommended alternative
+
+The `structopt` derive wrapper was incorporated into `clap` v3. There is [a
migration guide][clap-migration] for switching from `structopt` to `clap`.
+
+[clap-migration]:
https://github.com/clap-rs/clap/blob/v4.6.0/CHANGELOG.md#migrating-1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md
new/advisory-db-20260707/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md
--- old/advisory-db-20260618/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/tree-sitter-perl-next/RUSTSEC-2026-0203.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0203"
+package = "tree-sitter-perl-next"
+date = "2026-07-06"
+url = "https://github.com/PRRPCHT/tree-sitter-perl-next"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `tree-sitter-perl-next` is unmaintained
+
+The author of `tree-sitter-perl-next` has stated that the crate is
unmaintained and will not receive further fixes (see the repo's readme).
+
+## Alternative(s)
+
+- [`ts-parser-perl `](https://crates.io/crates/ts-parser-perl), an actively
maintained tree-sitter Perl grammar that tree-sitter-perl-next initially forked.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/ttf-parser/RUSTSEC-2026-0192.md
new/advisory-db-20260707/crates/ttf-parser/RUSTSEC-2026-0192.md
--- old/advisory-db-20260618/crates/ttf-parser/RUSTSEC-2026-0192.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/ttf-parser/RUSTSEC-2026-0192.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0192"
+package = "ttf-parser"
+date = "2026-06-28"
+url = "https://github.com/harfbuzz/ttf-parser/issues/217"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `ttf-parser` is unmaintained
+
+The author of `ttf-parser` has stated that the crate is unmaintained and will
not receive further fixes (see the referenced issue).
+
+## Alternative(s)
+
+- [`skrifa`](https://crates.io/crates/skrifa), an actively maintained TrueType
and OpenType font parsing crate, part of the Google Fonts "oxidize"
(`fontations`) project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20260618/crates/wasmtime-wasi/RUSTSEC-2026-0188.md
new/advisory-db-20260707/crates/wasmtime-wasi/RUSTSEC-2026-0188.md
--- old/advisory-db-20260618/crates/wasmtime-wasi/RUSTSEC-2026-0188.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20260707/crates/wasmtime-wasi/RUSTSEC-2026-0188.md
2026-07-07 00:19:41.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2026-0188"
+package = "wasmtime-wasi"
+date = "2026-06-24"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj"
+categories = []
+keywords = []
+aliases = ["GHSA-4ch3-9j33-3pmj"]
+license = "CC0-1.0"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
+
+[versions]
+patched = [">= 46.0.1", ">= 45.0.3, < 46.0.0", ">= 36.0.12, < 37.0.0", ">=
24.0.11, < 25.0.0"]
+unaffected = []
+```
+
+# WASI hard links and renames bypass wasmtime-wasi's FilePerms for destination
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj
+For more information see the GitHub-hosted security advisory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20260618/rust/cargo/CVE-2019-16760.md
new/advisory-db-20260707/rust/cargo/CVE-2019-16760.md
--- old/advisory-db-20260618/rust/cargo/CVE-2019-16760.md 2026-06-17
15:50:20.000000000 +0200
+++ new/advisory-db-20260707/rust/cargo/CVE-2019-16760.md 2026-07-07
00:19:41.000000000 +0200
@@ -111,5 +111,5 @@
[1]:
https://blog.rust-lang.org/2018/12/06/Rust-1.31-and-rust-2018.html#cargo-features
[2]:
https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#renaming-dependencies-in-cargotoml
[3]: https://github.com/rust-lang/cargo/pull/4953
-[4]: https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992
+[4]: https://gist.github.com/emilyalbini/0d293b24a44babbeb6187e06eebd4992
[5]: https://www.rust-lang.org/policies/security