Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-01-06 15:50:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1896 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Thu Jan 6 15:50:48 2022 rev:18 rq:943883 version:20220105
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2021-12-10 21:53:00.562909131 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1896/cargo-audit-advisory-db.changes
2022-01-06 15:50:50.252956571 +0100
@@ -1,0 +2,15 @@
+Wed Jan 05 02:13:49 UTC 2022 - [email protected]
+
+- Update to version 20220105:
+ * Assigned RUSTSEC-2021-0134 to rental (#1137)
+ * Report that rental is no longer maintained (#1136)
+ * Assigned RUSTSEC-2020-0160 to shamir (#1135)
+ * Turn the issue about shamir into an advisory (#1134)
+ * Assigned RUSTSEC-2021-0133 to cargo-download (#1133)
+ * Mark cargo-download unmaintained (#1132)
+ * Mark arrow advisories as fixed in
https://github.com/apache/arrow-rs/issues/817 (#1131)
+ * Assigned RUSTSEC-2021-0132 to compu-brotli-sys (#1130)
+ * CVE-2020-8927 for compu-brotli-sys (#1129)
+ * Assigned RUSTSEC-2021-0131 to brotli-sys (#1128)
+
+-------------------------------------------------------------------
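Review bot: The generated changelog under-reports this refresh: the tarball diff also adds crates/lru/RUSTSEC-2021-0130.md (use after free reachable through `lru::LruCache::iter` / `iter_mut`, patched `>= 0.7.1`) and crates/openssl-src/RUSTSEC-2021-0129.md (CVE-2021-4044), and neither appears in the `Update to version 20220105` list. Downstream readers use this entry to decide whether an advisory-db bump is worth pulling in, so add those two bullets or note that changesgenerate truncated the upstream log.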
Old:
----
advisory-db-20211210.tar.xz
New:
----
advisory-db-20220105.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.CJAg4v/_old 2022-01-06 15:50:50.940956949 +0100
+++ /var/tmp/diff_new_pack.CJAg4v/_new 2022-01-06 15:50:50.944956950 +0100
@@ -1,7 +1,7 @@
#
# spec file for package cargo-audit-advisory-db
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20211210
+Version: 20220105
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
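Review bot: The unchanged Summary context line still carries the typo `depedencies`; since this hunk already touches the adjacent Version line, fix it to `A database of known security issues for Rust dependencies` in the same change.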
++++++ _service ++++++
--- /var/tmp/diff_new_pack.CJAg4v/_old 2022-01-06 15:50:50.972956966 +0100
+++ /var/tmp/diff_new_pack.CJAg4v/_new 2022-01-06 15:50:50.976956968 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20211210</param>
+ <param name="version">20220105</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
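Review bot: Only `version` moves to 20220105 while `<param name="revision">master</param>` stays unpinned, so re-running the obs_scm service later fetches whatever master is at that moment rather than the tree this tarball was built from. For a package whose entire content is security advisories, record the exact upstream commit hash in `revision` (the date can remain the `version`) so the checked-in tarball is reproducible and auditable against upstream.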
++++++ advisory-db-20211210.tar.xz -> advisory-db-20220105.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20211210/.duplicate-id-guard
new/advisory-db-20220105/.duplicate-id-guard
--- old/advisory-db-20211210/.duplicate-id-guard 2021-12-09
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/.duplicate-id-guard 2021-12-27
20:44:42.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-8cf581428cbaf0bc69cff6415fdca50a9c87d873da9736406dab53c8570c904e -
+1c73b234ccce2c42ef5a2422c20f09804ff06fd326ac338bf1429a31fd5bf4cc -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0116.md
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0116.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0116.md 2021-12-09
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0116.md 2021-12-27
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
keywords = ["buffer-overflow"]
[versions]
-patched = []
+patched = [">= 6.4.0"]
```
# `BinaryArray` does not perform bound checks on reading values and offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0117.md
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0117.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0117.md 2021-12-09
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0117.md 2021-12-27
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
keywords = ["buffer-overflow"]
[versions]
-patched = []
+patched = [">= 6.4.0"]
```
# `DecimalArray` does not perform bound checks on accessing values and offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0118.md
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0118.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0118.md 2021-12-09
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0118.md 2021-12-27
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
keywords = ["buffer-overflow"]
[versions]
-patched = []
+patched = [">= 6.4.0"]
```
# `FixedSizeBinaryArray` does not perform bound checks on accessing values and
offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/brotli-sys/RUSTSEC-2021-0131.md
new/advisory-db-20220105/crates/brotli-sys/RUSTSEC-2021-0131.md
--- old/advisory-db-20211210/crates/brotli-sys/RUSTSEC-2021-0131.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/brotli-sys/RUSTSEC-2021-0131.md
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0131"
+
+package = "brotli-sys"
+date = "2021-12-20"
+url = "https://github.com/bitemyapp/brotli2-rs/issues/45"
+references = ["https://github.com/google/brotli/releases/tag/v1.0.9"]
+categories = ["memory-corruption"]
+keywords = ["integer-overflow"]
+aliases = ["CVE-2020-8927"]
+
+[affected]
+
+# There isn't a patch for brotli2-sys, but version 1.0.9 of google/brotli is
patched
+[versions]
+patched = []
+```
+# Integer overflow in the bundled Brotli C library
+
+A buffer overflow exists in the Brotli library versions prior to 1.0.8 where
an attacker controlling the input length of a "one-shot" decompression request
to a script can trigger a crash, which happens when copying over chunks of data
larger than 2 GiB.
+
+An updated version of `brotli-sys` has not been released. If one cannot update
the C library, its authors recommend to use the "streaming" API as opposed to
the "one-shot" API, and impose chunk size limits.
+
+In Rust the issue can be mitigated by migrating to the `brotli` crate, which
provides a Rust implementation of Brotli compression and decompression that is
not affected by this issue.
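Review bot: The fix-version statements in this advisory contradict each other: the body says the overflow affects Brotli versions "prior to 1.0.8", while the TOML comment, `references` and the changelog all name google/brotli v1.0.9 as the patched release. State one fix version consistently, and keep the explicit note that no fixed `brotli-sys` crate exists since `patched = []`. The comment also names `brotli2-sys` although `package = "brotli-sys"`; use the crate the advisory is filed against. The empty `[affected]` table carries no information and can be dropped.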
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/cargo-download/RUSTSEC-2021-0133.md
new/advisory-db-20220105/crates/cargo-download/RUSTSEC-2021-0133.md
--- old/advisory-db-20211210/crates/cargo-download/RUSTSEC-2021-0133.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/cargo-download/RUSTSEC-2021-0133.md
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0133"
+package = "cargo-download"
+date = "2021-12-25"
+url = "https://github.com/Xion/cargo-download"
+informational = "unmaintained"
+[versions]
+patched = []
+```
+
+# cargo-download is unmaintained
+
+The cargo download subcommand (via cargo-download crate) is broken and
maintainer has disappeared from GitHub and hasn't had any commits for a year.
+
+Using this downloader will result to corrupted crates.
+
+Maintainer has not responded to maintenance takeover.
+
+Just use wget / curl directly.
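Review bot: `url` points at the repository root rather than at anything supporting the body's claims (broken output, a year without commits, an unanswered maintenance-takeover request), so a reader cannot verify "Using this downloader will result to corrupted crates." Link the issue where the takeover was requested, correct the wording to "will result in corrupted crates", and rephrase "Just use wget / curl directly" as a recommendation (fetch the crate archive directly with a standard HTTP client) rather than a chat-style aside.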
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/compu-brotli-sys/RUSTSEC-2021-0132.md
new/advisory-db-20220105/crates/compu-brotli-sys/RUSTSEC-2021-0132.md
--- old/advisory-db-20211210/crates/compu-brotli-sys/RUSTSEC-2021-0132.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/compu-brotli-sys/RUSTSEC-2021-0132.md
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0132"
+package = "compu-brotli-sys"
+date = "2021-12-20"
+url = "https://github.com/google/brotli/releases/tag/v1.0.9"
+categories = ["memory-corruption"]
+keywords = ["integer-overflow"]
+aliases = ["CVE-2020-8927"]
+
+[affected]
+
+[versions]
+patched = [">= 1.0.9"]
+```
+# Integer overflow in the bundled Brotli C library
+
+A buffer overflow exists in the Brotli library versions prior to 1.0.8 where
an attacker controlling the input length of a "one-shot" decompression request
to a script can trigger a crash, which happens when copying over chunks of data
larger than 2 GiB.
+
+If one cannot update the C library, its authors recommend to use the
"streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
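Review bot: Same inconsistency as the brotli-sys advisory in this batch: the body says "prior to 1.0.8" but `patched = [">= 1.0.9"]` and `url` point at v1.0.9, leaving 1.0.8 in limbo. More importantly, the `[versions]` table is matched by cargo-audit against the crate's own version, not the bundled C library's, so confirm that compu-brotli-sys 1.0.9 is an actual crate release that ships the fixed Brotli; otherwise the advisory will match the wrong set of lockfiles. The empty `[affected]` table can be dropped.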
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20211210/crates/lru/RUSTSEC-2021-0130.md
new/advisory-db-20220105/crates/lru/RUSTSEC-2021-0130.md
--- old/advisory-db-20211210/crates/lru/RUSTSEC-2021-0130.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/lru/RUSTSEC-2021-0130.md 2021-12-27
20:44:42.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0130"
+package = "lru"
+date = "2021-12-21"
+url = "https://github.com/jeromefroe/lru-rs/issues/120"
+categories = ["memory-corruption"]
+keywords = ["use-after-free"]
+
+[affected.functions]
+"lru::LruCache::iter" = ["< 0.7.1"]
+"lru::LruCache::iter_mut" = ["< 0.7.1"]
+
+[versions]
+patched = [">= 0.7.1"]
+```
+
+# Use after free in lru crate
+
+Lru crate has use after free vulnerability.
+
+Lru crate has two functions for getting an iterator. Both iterators give
+references to key and value. Calling specific functions, like pop(), will
remove
+and free the value, and but it's still possible to access the reference of
value
+which is already dropped causing use after free.
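Review bot: The final sentence of the description is hard to parse ("will remove and free the value, and but it's still possible to access the reference of value which is already dropped"); suggest: "Calling a mutating method such as `pop()` while an iterator is alive removes and frees the value, but the iterator still yields a reference to it, which is a use after free from safe code." The opening line "Lru crate has use after free vulnerability." duplicates the title and can go. Listing `iter` / `iter_mut` under `[affected.functions]` is the right choice, since those are the entry points cargo-audit can match in a dependent's code.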
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/openssl-src/RUSTSEC-2021-0129.md
new/advisory-db-20220105/crates/openssl-src/RUSTSEC-2021-0129.md
--- old/advisory-db-20211210/crates/openssl-src/RUSTSEC-2021-0129.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/openssl-src/RUSTSEC-2021-0129.md
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,35 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0129"
+package = "openssl-src"
+aliases = ["CVE-2021-4044"]
+categories = ["denial-of-service"]
+date = "2021-12-14"
+url = "https://www.openssl.org/news/secadv/20211214.txt"
+
+[versions]
+patched = [">= 300.0.4"]
+unaffected = ["< 300.0.0"]
+```
+
+# Invalid handling of `X509_verify_cert()` internal errors in libssl
+
+Internally libssl in OpenSSL calls `X509_verify_cert()` on the client side to
+verify a certificate supplied by a server. That function may return a negative
+return value to indicate an internal error (for example out of memory). Such a
+negative return value is mishandled by OpenSSL and will cause an IO function
+(such as `SSL_connect()` or `SSL_do_handshake()`) to not indicate success and a
+subsequent call to `SSL_get_error()` to return the value
+`SSL_ERROR_WANT_RETRY_VERIFY`. This return value is only supposed to be
returned
+by OpenSSL if the application has previously called
+`SSL_CTX_set_cert_verify_callback()`. Since most applications do not do this
the
+`SSL_ERROR_WANT_RETRY_VERIFY` return value from `SSL_get_error()` will be
totally
+unexpected and applications may not behave correctly as a result. The exact
+behaviour will depend on the application but it could result in crashes,
+infinite loops or other similar incorrect responses.
+
+This issue is made more serious in combination with a separate bug in OpenSSL
+3.0 that will cause `X509_verify_cert()` to indicate an internal error when
+processing a certificate chain. This will occur where a certificate does not
+include the Subject Alternative Name extension but where a Certificate
Authority
+has enforced name constraints. This issue can occur even with valid chains.
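Review bot: The `[versions]` bounds are in openssl-src's own numbering (`>= 300.0.4`, `< 300.0.0`) while the body only ever says "OpenSSL 3.0", so a reader of the rendered advisory cannot map the crate bounds back to an OpenSSL release; add one sentence stating which openssl-src release bundles the fixed OpenSSL. Consider also adding `keywords` so the advisory is searchable, as the other entries in this batch do.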
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/rental/RUSTSEC-2021-0134.md
new/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md
--- old/advisory-db-20211210/crates/rental/RUSTSEC-2021-0134.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md 2021-12-27
20:44:42.000000000 +0100
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0134"
+package = "rental"
+date = "2021-12-27"
+informational = "unmaintained"
+url =
"https://github.com/jpernst/rental/commit/213671ab3aab3452efd7e2290c6bb714ee327014"
+[versions]
+patched = []
+unaffected = []
+```
+
+# rental is unmaintained, author has moved on
+
+The author encourages users to explore other solutions, or maintain a fork.
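Review bot: `unaffected = []` is redundant next to `patched = []`; an `informational = "unmaintained"` advisory only needs `patched = []` (compare the cargo-download entry in the same batch). Also, `url` points at a bare commit rather than a README or issue announcing the status; if that commit is the announcement, say so in the body so readers know where "the author encourages users to explore other solutions" comes from.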
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20211210/crates/shamir/RUSTSEC-2020-0160.md
new/advisory-db-20220105/crates/shamir/RUSTSEC-2020-0160.md
--- old/advisory-db-20211210/crates/shamir/RUSTSEC-2020-0160.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/shamir/RUSTSEC-2020-0160.md 2021-12-27
20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2020-0160"
+package = "shamir"
+date = "2020-01-21"
+url = "https://github.com/Nebulosus/shamir/issues/3"
+categories = ["crypto-failure"]
+
+[versions]
+patched = [">= 2.0.0"]
+```
+
+# Threshold value is ignored (all shares are n=3)
+
+Affected versions of this crate did not properly calculate secret shares
requirements.
+
+This reduces the security of the algorithm by restricting the crate to always
+using a threshold value of three, rather than a configurable limit.
+
+The flaw was corrected by correctly configuring the threshold.
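Review bot: The body is vaguer than the title: "did not properly calculate secret shares requirements" should state plainly that the threshold argument was ignored and reconstruction always used a threshold of three, since that is the actual crypto-failure (a caller who requested a larger threshold got weaker protection than configured). The title's "(all shares are n=3)" is also confusing because n conventionally denotes the number of shares, not the threshold; "threshold is always 3" matches the body. Finally, "corrected by correctly configuring the threshold" should say the fix honours the caller-supplied threshold.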