Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-05-17 17:24:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue May 17 17:24:31 2022 rev:25 rq:977631 version:20220511
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-05-01 18:53:56.423182545 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1538/cargo-audit-advisory-db.changes
2022-05-17 17:24:49.875192613 +0200
@@ -1,0 +2,15 @@
+Wed May 11 01:12:29 UTC 2022 - [email protected]
+
+- Update to version 20220511:
+ * Assigned RUSTSEC-2022-0022 to hyper (#1235)
+ * add hyper advisory (#1232)
+ * Assigned RUSTSEC-2022-0019 to crossbeam-channel, RUSTSEC-2022-0020 to
crossbeam, RUSTSEC-2022-0021 to crossbeam-queue (#1233)
+ * add crossbeam advisories for incorrect (unsound) zeroed memory (#1231)
+ * Assigned RUSTSEC-2022-0018 to totp-rs (#1230)
+ * Possible timing attack in totp-rs (#1229)
+ * HOWTO_UNMAINTAINED.md: guide for unmaintained crate advisories (#1192)
+ * Assigned RUSTSEC-2022-0017 to array-macro (#1225)
+ * Add advisory for using impure constants in array-macro (#1224)
+ * Add patch version for fruity (#1223)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20220428.tar.xz
New:
----
advisory-db-20220511.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.FDlIPU/_old 2022-05-17 17:24:50.367193059 +0200
+++ /var/tmp/diff_new_pack.FDlIPU/_new 2022-05-17 17:24:50.371193062 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20220428
+Version: 20220511
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.FDlIPU/_old 2022-05-17 17:24:50.399193088 +0200
+++ /var/tmp/diff_new_pack.FDlIPU/_new 2022-05-17 17:24:50.403193091 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20220428</param>
+ <param name="version">20220511</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20220428.tar.xz -> advisory-db-20220511.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220428/.duplicate-id-guard
new/advisory-db-20220511/.duplicate-id-guard
--- old/advisory-db-20220428/.duplicate-id-guard 2022-04-27
21:05:18.000000000 +0200
+++ new/advisory-db-20220511/.duplicate-id-guard 2022-05-10
20:45:40.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-05211b923d19475817ba8c9cdcc1c8079a94da53ed993f4f5af9e032b8766a4d -
+eb98d17e9f1902d45fd686ac89031f87ceba5a8b5c34ffca8708f1998e703ad5 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220428/HOWTO_UNMAINTAINED.md
new/advisory-db-20220511/HOWTO_UNMAINTAINED.md
--- old/advisory-db-20220428/HOWTO_UNMAINTAINED.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220511/HOWTO_UNMAINTAINED.md 2022-05-10
20:45:40.000000000 +0200
@@ -0,0 +1,80 @@
+# HOWTO Guide: Unmaintained Crate Advisories
+
+This document describes the policy for adding advisories for unmaintained
+crates to the [RustSec Advisory Database].
+
+These advisories serve to inform the Rust community about both the existence
+of unmaintained crates within a particular project, and also serve to guide
+switching to maintained alternatives.
+
+## Definition of an "unmaintained" crate
+
+We consider crates unmaintained when they fall into either of the following
+categories:
+
+- Explicitly unmaintained: a crate's author has declared that they are no
+ longer maintaining a particular crate.
+- Implicitly unmaintained: the author is incommunicado for a prolonged period
+ of time and cannot advise as to a crate's status.
+
+## Creating an unmaintained crate advisory
+
+### Policy
+
+When in doubt, we always defer to the author of a crate's discretion as to
+whether they would prefer an unmaintained crate advisory be filed, provided
+we are able to make contact.
+
+First and foremost: *ASK THE AUTHOR(S)*, preferably in a public issue on the
+project's source code repository. If an author/maintainer of a particular crate
+thinks filing an unmaintained crate advisory is a good idea, then great! Go
ahead.
+
+If the author is responsive and declares that the project *is* maintained, then
+the RustSec organization considers it maintained and won't accept advisories
about its maintenance status. Again, when in doubt, defer
+to the author's discretion. So long as the author is responsive and avows that
+a crate is maintained, we take them at their word. Repository metrics like
+recent commits, open issues, latest release, etc are not reasons to go against
+the direct word of a crate author.
+
+However, if attempts have been made to contact a crate author have failed,
+metrics like recent commits, open issues, time since last crate release etc
+are important evidence to justify that a crate is unmaintained. An
+incommunicado crate author is irrelevant if there is evidence that work is
+continuing to happen on a crate.
+
+To justify the "implicitly unmaintained" status, where a crate author is
+unreachable, the following criteria must be met:
+
+- Stale repository: no recent maintenance activity, including any of the
+ following: recent commits, responses from the author on open issues,
+ crate releases, or other publically visible activity by the author.
+ Inactivity over a period of 1 year or more is the preferred threshold.
+- Contact attempts with the author made with no response. Ideally these
+ attempts are made via a public GitHub issue, so that issue can be
+ cited in an unmaintained crate advisory if need be. Unresponsiveness
+ by the author over a period of 90 days is suggested before filing an
+ advisory.
+
+### Process
+
+Unmaintained crate advisories use the same structure as RustSec security
+advisories, but include an `informational = "unmaintained"` attribute in
+the TOML advisory.
+
+When creating the advisory, please include a link to an open issue
+on the upstream project repository where the maintenance status has been
+discussed in the `url = "..."` field of the advisory.
+
+For more information on adding an advisory to the RustSec DB, see:
+
+<https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md>
+
+### Questions
+
+Please open a GitHub issue:
+
+<https://github.com/rustsec/advisory-db/issues>
+
+[//]: # (links)
+
+[RustSec Advisory Database]: https://rustsec.org
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220428/crates/crossbeam/RUSTSEC-2022-0020.md
new/advisory-db-20220511/crates/crossbeam/RUSTSEC-2022-0020.md
--- old/advisory-db-20220428/crates/crossbeam/RUSTSEC-2022-0020.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220511/crates/crossbeam/RUSTSEC-2022-0020.md
2022-05-10 20:45:40.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0020"
+package = "crossbeam"
+date = "2022-05-10"
+informational = "unsound"
+url = "https://github.com/crossbeam-rs/crossbeam/pull/458";
+
+[versions]
+patched = [">= 0.7.0"]
+```
+
+# `SegQueue` creates zero value of any type
+
+Affected versions of this crate called `mem::zeroed()` to create values of a
user-supplied type `T`.
+This is unsound e.g. if `T` is a reference type (which must be non-null).
+
+The flaw was corrected by avoiding the use of `mem::zeroed()`, using
`MaybeUninit` instead.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220428/crates/crossbeam-channel/RUSTSEC-2022-0019.md
new/advisory-db-20220511/crates/crossbeam-channel/RUSTSEC-2022-0019.md
--- old/advisory-db-20220428/crates/crossbeam-channel/RUSTSEC-2022-0019.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220511/crates/crossbeam-channel/RUSTSEC-2022-0019.md
2022-05-10 20:45:40.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0019"
+package = "crossbeam-channel"
+date = "2022-05-10"
+informational = "unsound"
+url = "https://github.com/crossbeam-rs/crossbeam/pull/458";
+
+[versions]
+patched = [">= 0.4.3"]
+```
+
+# Channel creates zero value of any type
+
+Affected versions of this crate called `mem::zeroed()` to create values of a
user-supplied type `T`.
+This is unsound e.g. if `T` is a reference type (which must be non-null).
+
+The flaw was corrected by avoiding the use of `mem::zeroed()`, using
`MaybeUninit` instead.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220428/crates/crossbeam-queue/RUSTSEC-2022-0021.md
new/advisory-db-20220511/crates/crossbeam-queue/RUSTSEC-2022-0021.md
--- old/advisory-db-20220428/crates/crossbeam-queue/RUSTSEC-2022-0021.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220511/crates/crossbeam-queue/RUSTSEC-2022-0021.md
2022-05-10 20:45:40.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0021"
+package = "crossbeam-queue"
+date = "2022-05-10"
+informational = "unsound"
+url = "https://github.com/crossbeam-rs/crossbeam/pull/458";
+
+[versions]
+patched = [">= 0.2.3"]
+```
+
+# `SegQueue` creates zero value of any type
+
+Affected versions of this crate called `mem::zeroed()` to create values of a
user-supplied type `T`.
+This is unsound e.g. if `T` is a reference type (which must be non-null).
+
+The flaw was corrected by avoiding the use of `mem::zeroed()`, using
`MaybeUninit` instead.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220428/crates/hyper/RUSTSEC-2022-0022.md
new/advisory-db-20220511/crates/hyper/RUSTSEC-2022-0022.md
--- old/advisory-db-20220428/crates/hyper/RUSTSEC-2022-0022.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220511/crates/hyper/RUSTSEC-2022-0022.md 2022-05-10
20:45:40.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0022"
+package = "hyper"
+date = "2022-05-10"
+informational = "unsound"
+url = "https://github.com/hyperium/hyper/pull/2545";
+
+[versions]
+patched = [">= 0.4.12"]
+```
+
+# Parser creates invalid uninitialized value
+
+Affected versions of this crate called `mem::uninitialized()` in the HTTP1
parser to create values of type `httparse::Header` (from the `httparse` crate).
+This is unsound, since `Header` contains references and thus must be non-null.
+
+The flaw was corrected by avoiding the use of `mem::uninitialized()`, using
`MaybeUninit` instead.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220428/crates/totp-rs/RUSTSEC-2022-0018.md
new/advisory-db-20220511/crates/totp-rs/RUSTSEC-2022-0018.md
--- old/advisory-db-20220428/crates/totp-rs/RUSTSEC-2022-0018.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220511/crates/totp-rs/RUSTSEC-2022-0018.md
2022-05-10 20:45:40.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0018"
+package = "totp-rs"
+date = "2022-05-09"
+url =
"https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249";
+categories = ["crypto-failure"]
+cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"
+keywords = ["side-channel", "timing-attack"]
+aliases = ["CVE-2022-29185"]
+
+[affected.functions]
+"totp_rs::TOTP::check" = ["< 1.1.0"]
+
+[versions]
+patched = [">= 1.1.0"]
+```
+
+# Timing attack
+
+Affecting versions did not compare tokens in constant time, which could make
it possible for an attacker to guess the 2fa token of a user.
+
+This has been fixed by using using the crate constant_time_eq for comparison.
