Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2022-01-06 15:50:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1896 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Thu Jan  6 15:50:48 2022 rev:18 rq:943883 version:20220105

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-12-10 21:53:00.562909131 +0100
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1896/cargo-audit-advisory-db.changes
        2022-01-06 15:50:50.252956571 +0100
@@ -1,0 +2,15 @@
+Wed Jan 05 02:13:49 UTC 2022 - wbr...@suse.de
+
+- Update to version 20220105:
+  * Assigned RUSTSEC-2021-0134 to rental (#1137)
+  * Report that rental is no longer maintained (#1136)
+  * Assigned RUSTSEC-2020-0160 to shamir (#1135)
+  * Turn the issue about shamir into an advisory (#1134)
+  * Assigned RUSTSEC-2021-0133 to cargo-download (#1133)
+  * Mark cargo-download unmaintained (#1132)
+  * Mark arrow advisories as fixed in 
https://github.com/apache/arrow-rs/issues/817 (#1131)
+  * Assigned RUSTSEC-2021-0132 to compu-brotli-sys (#1130)
+  * CVE-2020-8927 for compu-brotli-sys (#1129)
+  * Assigned RUSTSEC-2021-0131 to brotli-sys (#1128)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20211210.tar.xz

New:
----
  advisory-db-20220105.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.CJAg4v/_old  2022-01-06 15:50:50.940956949 +0100
+++ /var/tmp/diff_new_pack.CJAg4v/_new  2022-01-06 15:50:50.944956950 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package cargo-audit-advisory-db
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20211210
+Version:        20220105
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.CJAg4v/_old  2022-01-06 15:50:50.972956966 +0100
+++ /var/tmp/diff_new_pack.CJAg4v/_new  2022-01-06 15:50:50.976956968 +0100
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20211210</param>
+    <param name="version">20220105</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">wbr...@suse.de</param>

++++++ advisory-db-20211210.tar.xz -> advisory-db-20220105.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211210/.duplicate-id-guard 
new/advisory-db-20220105/.duplicate-id-guard
--- old/advisory-db-20211210/.duplicate-id-guard        2021-12-09 
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/.duplicate-id-guard        2021-12-27 
20:44:42.000000000 +0100
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-8cf581428cbaf0bc69cff6415fdca50a9c87d873da9736406dab53c8570c904e  -
+1c73b234ccce2c42ef5a2422c20f09804ff06fd326ac338bf1429a31fd5bf4cc  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0116.md 
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0116.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0116.md  2021-12-09 
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0116.md  2021-12-27 
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
 keywords = ["buffer-overflow"]
 
 [versions]
-patched = []
+patched = [">= 6.4.0"]
 ```
 
 # `BinaryArray` does not perform bound checks on reading values and offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0117.md 
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0117.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0117.md  2021-12-09 
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0117.md  2021-12-27 
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
 keywords = ["buffer-overflow"]
 
 [versions]
-patched = []
+patched = [">= 6.4.0"]
 ```
 
 # `DecimalArray` does not perform bound checks on accessing values and offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0118.md 
new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0118.md
--- old/advisory-db-20211210/crates/arrow/RUSTSEC-2021-0118.md  2021-12-09 
01:29:19.000000000 +0100
+++ new/advisory-db-20220105/crates/arrow/RUSTSEC-2021-0118.md  2021-12-27 
20:44:42.000000000 +0100
@@ -8,7 +8,7 @@
 keywords = ["buffer-overflow"]
 
 [versions]
-patched = []
+patched = [">= 6.4.0"]
 ```
 
 # `FixedSizeBinaryArray` does not perform bound checks on accessing values and 
offsets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/brotli-sys/RUSTSEC-2021-0131.md 
new/advisory-db-20220105/crates/brotli-sys/RUSTSEC-2021-0131.md
--- old/advisory-db-20211210/crates/brotli-sys/RUSTSEC-2021-0131.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/brotli-sys/RUSTSEC-2021-0131.md     
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0131"
+
+package = "brotli-sys"
+date = "2021-12-20"
+url = "https://github.com/bitemyapp/brotli2-rs/issues/45";
+references = ["https://github.com/google/brotli/releases/tag/v1.0.9";]
+categories = ["memory-corruption"]
+keywords = ["integer-overflow"]
+aliases = ["CVE-2020-8927"]
+
+[affected]
+
+# There isn't a patch for brotli2-sys, but version 1.0.9 of google/brotli is 
patched
+[versions]
+patched = []
+```
+# Integer overflow in the bundled Brotli C library
+
+A buffer overflow exists in the Brotli library versions prior to 1.0.8 where 
an attacker controlling the input length of a "one-shot" decompression request 
to a script can trigger a crash, which happens when copying over chunks of data 
larger than 2 GiB.
+
+An updated version of `brotli-sys` has not been released. If one cannot update 
the C library, its authors recommend to use the "streaming" API as opposed to 
the "one-shot" API, and impose chunk size limits.
+
+In Rust the issue can be mitigated by migrating to the `brotli` crate, which 
provides a Rust implementation of Brotli compression and decompression that is 
not affected by this issue.
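Review bot: The body says the overflow affects Brotli "versions prior to 1.0.8", while the `references` entry and the comment above `[versions]` name the v1.0.9 release as the patched one, so a reader could take a bundled 1.0.8 as safe without the advisory saying so. Suggest making the comment above `[versions]` state the fixed bundled version explicitly, e.g. `# No fixed brotli-sys release exists; the bundled google/brotli is fixed from v1.0.9 (the bound below is a crate version, so it stays empty)`; the same 1.0.8/1.0.9 wording mismatch appears in the compu-brotli-sys advisory added in this commit. The `;` after each quoted `url`/`references` string in this listing would not parse as TOML and looks like a mail-archive rendering artifact rather than file content, so the listing should be checked against the tarball before being relied on.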
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/cargo-download/RUSTSEC-2021-0133.md 
new/advisory-db-20220105/crates/cargo-download/RUSTSEC-2021-0133.md
--- old/advisory-db-20211210/crates/cargo-download/RUSTSEC-2021-0133.md 
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/cargo-download/RUSTSEC-2021-0133.md 
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0133"
+package = "cargo-download"
+date = "2021-12-25"
+url = "https://github.com/Xion/cargo-download";
+informational = "unmaintained"
+[versions]
+patched = []
+```
+
+# cargo-download is unmaintained
+
+The cargo download subcommand (via cargo-download crate) is broken and 
maintainer has disappeared from GitHub and hasn't had any commits for a year. 
+
+Using this downloader will result to corrupted crates.
+
+Maintainer has not responded to maintenance takeover.
+
+Just use wget / curl directly.
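Review bot: The front matter has no blank line between `informational = "unmaintained"` and `[versions]`, unlike every other advisory added in this commit, which separate the `[advisory]` table from `[versions]` with one; suggest inserting a blank line before `[versions]`. The body's "hasn't had any commits for a year" is relative to the `date` field rather than stated absolutely, which will read oddly as the advisory ages; something like "has had no commits since <last-commit-date>" (value to be filled from the repository) would be more durable.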
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/compu-brotli-sys/RUSTSEC-2021-0132.md 
new/advisory-db-20220105/crates/compu-brotli-sys/RUSTSEC-2021-0132.md
--- old/advisory-db-20211210/crates/compu-brotli-sys/RUSTSEC-2021-0132.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/compu-brotli-sys/RUSTSEC-2021-0132.md       
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0132"
+package = "compu-brotli-sys"
+date = "2021-12-20"
+url = "https://github.com/google/brotli/releases/tag/v1.0.9";
+categories = ["memory-corruption"]
+keywords = ["integer-overflow"]
+aliases = ["CVE-2020-8927"]
+
+[affected]
+
+[versions]
+patched = [">= 1.0.9"]
+```
+# Integer overflow in the bundled Brotli C library
+
+A buffer overflow exists in the Brotli library versions prior to 1.0.8 where 
an attacker controlling the input length of a "one-shot" decompression request 
to a script can trigger a crash, which happens when copying over chunks of data 
larger than 2 GiB.
+
+If one cannot update the C library, its authors recommend to use the 
"streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
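Review bot: `patched = [">= 1.0.9"]` is a crate-version bound, but the only version the advisory discusses is the bundled C library's (the `url` is the google/brotli v1.0.9 release and the body speaks of "the Brotli library"); the bound is only correct if compu-brotli-sys versions in lockstep with the bundled library, which nothing here confirms. Suggest a comment above `[versions]` such as `# crate version; compu-brotli-sys tracks the bundled google/brotli version, fixed from v1.0.9 (confirm)`, mirroring the comment the brotli-sys advisory in this commit carries. The empty `[affected]` table is harmless but carries no information and could be dropped.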
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211210/crates/lru/RUSTSEC-2021-0130.md 
new/advisory-db-20220105/crates/lru/RUSTSEC-2021-0130.md
--- old/advisory-db-20211210/crates/lru/RUSTSEC-2021-0130.md    1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/lru/RUSTSEC-2021-0130.md    2021-12-27 
20:44:42.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0130"
+package = "lru"
+date = "2021-12-21"
+url = "https://github.com/jeromefroe/lru-rs/issues/120";
+categories = ["memory-corruption"]
+keywords = ["use-after-free"]
+
+[affected.functions]
+"lru::LruCache::iter" = ["< 0.7.1"]
+"lru::LruCache::iter_mut" = ["< 0.7.1"]
+
+[versions]
+patched = [">= 0.7.1"]
+```
+
+# Use after free in lru crate
+
+Lru crate has use after free vulnerability.
+
+Lru crate has two functions for getting an iterator. Both iterators give
+references to key and value. Calling specific functions, like pop(), will 
remove
+and free the value, and but it's still possible to access the reference of 
value
+which is already dropped causing use after free.
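Review bot: The last paragraph of the body reads awkwardly ("will remove and free the value, and but it's still possible to access the reference of value which is already dropped"), which matters in an advisory users read to decide whether they are exposed. Suggest `Calling certain methods, such as pop(), while such a reference is held removes and frees the value, but the reference remains accessible, so it points at a dropped value (use after free).` The `[affected.functions]` bounds and `patched = [">= 0.7.1"]` encode the same boundary consistently, which is fine as written.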
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/openssl-src/RUSTSEC-2021-0129.md 
new/advisory-db-20220105/crates/openssl-src/RUSTSEC-2021-0129.md
--- old/advisory-db-20211210/crates/openssl-src/RUSTSEC-2021-0129.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/openssl-src/RUSTSEC-2021-0129.md    
2021-12-27 20:44:42.000000000 +0100
@@ -0,0 +1,35 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0129"
+package = "openssl-src"
+aliases = ["CVE-2021-4044"]
+categories = ["denial-of-service"]
+date = "2021-12-14"
+url = "https://www.openssl.org/news/secadv/20211214.txt";
+
+[versions]
+patched = [">= 300.0.4"]
+unaffected = ["< 300.0.0"]
+```
+
+# Invalid handling of `X509_verify_cert()` internal errors in libssl
+
+Internally libssl in OpenSSL calls `X509_verify_cert()` on the client side to
+verify a certificate supplied by a server. That function may return a negative
+return value to indicate an internal error (for example out of memory). Such a
+negative return value is mishandled by OpenSSL and will cause an IO function
+(such as `SSL_connect()` or `SSL_do_handshake()`) to not indicate success and a
+subsequent call to `SSL_get_error()` to return the value
+`SSL_ERROR_WANT_RETRY_VERIFY`. This return value is only supposed to be 
returned
+by OpenSSL if the application has previously called
+`SSL_CTX_set_cert_verify_callback()`. Since most applications do not do this 
the
+`SSL_ERROR_WANT_RETRY_VERIFY` return value from `SSL_get_error()` will be 
totally
+unexpected and applications may not behave correctly as a result. The exact
+behaviour will depend on the application but it could result in crashes,
+infinite loops or other similar incorrect responses.
+
+This issue is made more serious in combination with a separate bug in OpenSSL
+3.0 that will cause `X509_verify_cert()` to indicate an internal error when
+processing a certificate chain. This will occur where a certificate does not
+include the Subject Alternative Name extension but where a Certificate 
Authority
+has enforced name constraints. This issue can occur even with valid chains.
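Review bot: `patched = [">= 300.0.4"]` and `unaffected = ["< 300.0.0"]` are crate-version bounds, but the body only ever refers to OpenSSL 3.0 and the linked secadv, so a reader cannot tell which upstream OpenSSL release the 300.0.4 bound corresponds to or why 300.0.0 is the lower edge. Suggest a comment above `[versions]` along the lines of `# openssl-src 300.x bundles OpenSSL 3.0.x; 300.0.4 is the first crate release bundling the fixed upstream version (confirm release)`, with the upstream version filled in from the crate's changelog rather than guessed here.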
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/rental/RUSTSEC-2021-0134.md 
new/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md
--- old/advisory-db-20211210/crates/rental/RUSTSEC-2021-0134.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/rental/RUSTSEC-2021-0134.md 2021-12-27 
20:44:42.000000000 +0100
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0134"
+package = "rental"
+date = "2021-12-27"
+informational = "unmaintained"
+url = 
"https://github.com/jpernst/rental/commit/213671ab3aab3452efd7e2290c6bb714ee327014";
+[versions]
+patched = []
+unaffected = []
+```
+
+# rental is unmaintained, author has moved on
+
+The author encourages users to explore other solutions, or maintain a fork.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211210/crates/shamir/RUSTSEC-2020-0160.md 
new/advisory-db-20220105/crates/shamir/RUSTSEC-2020-0160.md
--- old/advisory-db-20211210/crates/shamir/RUSTSEC-2020-0160.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20220105/crates/shamir/RUSTSEC-2020-0160.md 2021-12-27 
20:44:42.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2020-0160"
+package = "shamir"
+date = "2020-01-21"
+url = "https://github.com/Nebulosus/shamir/issues/3";
+categories = ["crypto-failure"]
+
+[versions]
+patched = [">= 2.0.0"]
+```
+
+# Threshold value is ignored (all shares are n=3)
+
+Affected versions of this crate did not properly calculate secret shares 
requirements.
+
+This reduces the security of the algorithm by restricting the crate to always
+using a threshold value of three, rather than a configurable limit.
+
+The flaw was corrected by correctly configuring the threshold.
