Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2021-12-10 21:52:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Fri Dec 10 21:52:35 2021 rev:17 rq:938982 version:20211210

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-12-02 02:10:48.443476411 +0100
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2520/cargo-audit-advisory-db.changes
        2021-12-10 21:53:00.562909131 +0100
@@ -1,0 +2,15 @@
+Fri Dec 10 04:08:52 UTC 2021 - wbr...@suse.de
+
+- Update to version 20211210:
+  * Assigned RUSTSEC-2021-0128 to rusqlite (#1120)
+  * Report `rusqlite` closure lifetime issue (#1117)
+  * correct formatting for lists in RUSTSEC-2021-0127 (#1116)
+  * Assigned RUSTSEC-2021-0127 to serde_cbor (#1115)
+  * serde_cbor is unmaintained (#1114)
+  * Assigned RUSTSEC-2021-0126 to rust-embed (#1113)
+  * Add advisory for rust-embed path traversal (#1112)
+  * Adds maintained alternative to slice_deque (#1109)
+  * Assigned RUSTSEC-2021-0125 to simple_asn1 (#1108)
+  * Security advisory on simple_asn1 version 0.6.0 (#1103)
+
+-------------------------------------------------------------------
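Review bot: the changelog names four newly assigned IDs (RUSTSEC-2021-0125 for simple_asn1, -0126 for rust-embed, -0127 for serde_cbor, -0128 for rusqlite), but the tarball diff further down in this mail shows only two new advisory files, `crates/rusqlite/RUSTSEC-2021-0128.md` and `crates/serde_cbor/RUSTSEC-2021-0127.md`. Unless the diff in this mail is truncated, it is worth confirming that advisory-db-20211210.tar.xz actually contains the simple_asn1 and rust-embed advisories before accepting, since shipping those files is the whole point of the update.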

Old:
----
  advisory-db-20211130.tar.xz

New:
----
  advisory-db-20211210.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.ux3AJf/_old  2021-12-10 21:53:01.078909360 +0100
+++ /var/tmp/diff_new_pack.ux3AJf/_new  2021-12-10 21:53:01.082909361 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20211130
+Version:        20211210
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
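Review bot: the unchanged `Summary:` context line carries a typo, `depedencies`; since the spec is already being touched for the version bump, correct it to `A database of known security issues for Rust dependencies` in the same request.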

++++++ _service ++++++
--- /var/tmp/diff_new_pack.ux3AJf/_old  2021-12-10 21:53:01.106909372 +0100
+++ /var/tmp/diff_new_pack.ux3AJf/_new  2021-12-10 21:53:01.106909372 +0100
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20211130</param>
+    <param name="version">20211210</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">wbr...@suse.de</param>
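Review bot: `version` is bumped to the date string 20211210 while `revision` stays at `master`, so re-running the obs_scm service later would check out a different upstream tree under the same version string. For a reproducible advisory snapshot, consider pinning `revision` to the commit that was checked out for this tarball (the `.duplicate-id-guard` hash change below shows the upstream tree moving between snapshots), or at least recording that commit in the changes entry.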

++++++ advisory-db-20211130.tar.xz -> advisory-db-20211210.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211130/.duplicate-id-guard 
new/advisory-db-20211210/.duplicate-id-guard
--- old/advisory-db-20211130/.duplicate-id-guard        2021-11-29 
19:32:40.000000000 +0100
+++ new/advisory-db-20211210/.duplicate-id-guard        2021-12-09 
01:29:19.000000000 +0100
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-e4ababe809f177f95608bb105f034fdf7b1379c3ab84f9083b37f4356f609597  -
+8cf581428cbaf0bc69cff6415fdca50a9c87d873da9736406dab53c8570c904e  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211130/crates/rusqlite/RUSTSEC-2021-0128.md 
new/advisory-db-20211210/crates/rusqlite/RUSTSEC-2021-0128.md
--- old/advisory-db-20211130/crates/rusqlite/RUSTSEC-2021-0128.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20211210/crates/rusqlite/RUSTSEC-2021-0128.md       
2021-12-09 01:29:19.000000000 +0100
@@ -0,0 +1,42 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0128"
+package = "rusqlite"
+date = "2021-12-07"
+url = "https://github.com/rusqlite/rusqlite/issues/1048";
+categories = ["memory-corruption"]
+keywords = ["use-after-free", "incorrect-lifetime"]
+
+[affected.functions]
+
+# Under `cfg(feature = "functions")`
+"rusqlite::Connection::create_scalar_function" = [">= 0.25.0, < 0.25.4", ">= 
0.26.0, < 0.26.2"]
+"rusqlite::Connection::create_aggregate_function" = [">= 0.25.0, < 0.25.4", 
">= 0.26.0, < 0.26.2"]
+"rusqlite::Connection::create_window_function" = [">= 0.25.0, < 0.25.4", ">= 
0.26.0, < 0.26.2"]
+
+# Under `cfg(feature = "collation")`
+"rusqlite::Connection::create_collation" = [">= 0.25.0, < 0.25.4", ">= 0.26.0, 
< 0.26.2"]
+
+# Under `cfg(feature = "hooks")`
+"rusqlite::Connection::commit_hook" = [">= 0.25.0, < 0.25.4", ">= 0.26.0, < 
0.26.2"]
+"rusqlite::Connection::rollback_hook" = [">= 0.25.0, < 0.25.4", ">= 0.26.0, < 
0.26.2"]
+"rusqlite::Connection::update_hook" = [">= 0.25.0, < 0.25.4", ">= 0.26.0, < 
0.26.2"]
+
+[versions]
+patched = [">= 0.26.2", "0.25.4"]
+unaffected = ["< 0.25.0"]
+```
+
+# Incorrect Lifetime Bounds on Closures in `rusqlite`
+
+The lifetime bound on several closure-accepting `rusqlite` functions 
(specifically, functions which register a callback to be later invoked by 
SQLite) was too relaxed. If a closure referencing borrowed values on the stack 
is was passed to one of these functions, it could allow Rust code to access 
objects on the stack after they have been dropped.
+
+The impacted functions are:
+
+- Under `cfg(feature = "functions")`: `Connection::create_scalar_function`, 
`Connection::create_aggregate_function` and 
`Connection::create_window_function`.
+- Under `cfg(feature = "hooks")`: `Connection::commit_hook`, 
`Connection::rollback_hook` and `Connection::update_hook`.
+- Under `cfg(feature = "collation")`: `Connection::create_collation`.
+
+The issue exists in all `0.25.*` versions prior to `0.25.4`, and all `0.26.*` 
versions prior to 0.26.2 (specifically: `0.25.0`, `0.25.1`, `0.25.2`, `0.25.3`, 
`0.26.0`, and `0.26.1`).
+
+The fix is available in versions `0.26.2` and newer, and also has been 
back-ported to `0.25.4`. As it does not exist in `0.24.*`, all affected 
versions should have an upgrade path to a semver-compatible release.
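Review bot: the `url` line in the TOML front matter ends in a stray `;` after the closing quote (`url = "https://github.com/rusqlite/rusqlite/issues/1048";`); if that character is really in the file rather than a mail-archive rendering artifact, the front matter is not valid TOML and the advisory will fail to parse, so it should be dropped. A smaller point in the prose: `is was passed to one of these functions` should read `was passed to one of these functions`.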
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211130/crates/serde_cbor/RUSTSEC-2021-0127.md 
new/advisory-db-20211210/crates/serde_cbor/RUSTSEC-2021-0127.md
--- old/advisory-db-20211130/crates/serde_cbor/RUSTSEC-2021-0127.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20211210/crates/serde_cbor/RUSTSEC-2021-0127.md     
2021-12-09 01:29:19.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0127"
+package = "serde_cbor"
+date = "2021-08-15"
+url = "https://github.com/pyfisch/cbor";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# serde_cbor is unmaintained
+
+The `serde_cbor` crate is unmaintained. The author has archived the github 
repository.
+
+Alternatives proposed by the author:
+
+ * [`ciborium`](https://crates.io/crates/ciborium)
+ * [`minicbor`](https://crates.io/crates/minicbor)
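Review bot: the same trailing `;` after the `url` string appears here (`url = "https://github.com/pyfisch/cbor";`) as in the rusqlite advisory above; if it is present in the file it breaks the TOML front matter and should be removed. Also, `github` in `The author has archived the github repository.` should be capitalised as `GitHub`, and since `url` points only at the archived repository, a link to where the author proposed `ciborium` and `minicbor` as alternatives would let readers corroborate the unmaintained status.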
