Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2023-05-24 20:22:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Wed May 24 20:22:53 2023 rev:31 rq:1088755 version:20230523

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2023-04-13 14:10:54.720353234 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1533/cargo-audit-advisory-db.changes
        2023-05-24 20:23:13.868490325 +0200
@@ -1,0 +2,15 @@
+Tue May 23 04:42:24 UTC 2023 - william.br...@suse.com
+
+- Update to version 20230523:
+  * Assigned RUSTSEC-2023-0037 to xsalsa20poly1305 (#1695)
+  * xsalsa20poly1305 is unmaintained (#1694)
+  * xml-rs is maintained (#1691)
+  * Assigned RUSTSEC-2023-0036 to tree_magic (#1689)
+  * Add unmaintained tree_magic crate (#1678)
+  * Assigned RUSTSEC-2023-0035 to enumflags2 (#1688)
+  * enumflags2::make_bitflags unsoundness (#1686)
+  * Assigned RUSTSEC-2023-0034 to h2 (#1687)
+  * Add advisory for h2: resource exhaustion vulnerability may lead to DoS 
(#1684)
+  * Fix typos in RUSTSEC-2023-0033 (#1685)
+
+-------------------------------------------------------------------
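Review bot: the entry "Add advisory for h2: resource exhaustion vulnerability may lead to DoS (#1684)" omits the CVE id that the advisory file itself carries in `aliases` (CVE-2023-26964); security teams grep package changelogs for CVE numbers, so it is worth adding it here. Likewise "xml-rs is maintained (#1691)" is implemented further down as a `withdrawn = "2023-05-04"` field on RUSTSEC-2022-0048 rather than a file removal, so the packaged database still ships that advisory; saying "withdrawn" in the changelog would describe what actually changed.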

Old:
----
  advisory-db-20230413.tar.xz

New:
----
  advisory-db-20230523.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.5Yc6ab/_old  2023-05-24 20:23:14.252492615 +0200
+++ /var/tmp/diff_new_pack.5Yc6ab/_new  2023-05-24 20:23:14.256492639 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20230413
+Version:        20230523
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
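Review bot: the unchanged `Summary:` context line spells "depedencies" instead of "dependencies"; since the spec is being touched for the version bump anyway, fix the typo in the same submission rather than carrying it through another release.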

++++++ _service ++++++
--- /var/tmp/diff_new_pack.5Yc6ab/_old  2023-05-24 20:23:14.300492901 +0200
+++ /var/tmp/diff_new_pack.5Yc6ab/_new  2023-05-24 20:23:14.304492925 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20230413</param>
+    <param name="version">20230523</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">william.br...@suse.com</param>
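Review bot: `<param name="revision">main</param>` stays pinned to the branch head while `version` is bumped to a date, so what lands in advisory-db-20230523.tar.xz depends on when the `obs_scm` service last ran rather than on a fixed commit. For a package whose whole purpose is to feed `cargo audit`, pinning `revision` to the commit hash that produced this snapshot (and bumping it together with `version`) would make the source tarball reproducible and reviewable against upstream.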

++++++ advisory-db-20230413.tar.xz -> advisory-db-20230523.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230413/.duplicate-id-guard 
new/advisory-db-20230523/.duplicate-id-guard
--- old/advisory-db-20230413/.duplicate-id-guard        2023-04-10 
17:47:56.000000000 +0200
+++ new/advisory-db-20230523/.duplicate-id-guard        2023-05-17 
05:02:51.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-7de8d28e9de5141ab2c6b113aa3f887c5625e6644bd2c9375ba45f7360359e8d  -
+0fb250fe04189cca31d0cb7f88f03512dbbdc2cf4e06c1d51b04393b5ae545ce  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230413/crates/borsh/RUSTSEC-2023-0033.md 
new/advisory-db-20230523/crates/borsh/RUSTSEC-2023-0033.md
--- old/advisory-db-20230413/crates/borsh/RUSTSEC-2023-0033.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230523/crates/borsh/RUSTSEC-2023-0033.md  2023-05-17 
05:02:51.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0033"
+package = "borsh"
+date = "2023-04-12"
+url = "https://github.com/near/borsh-rs/issues/19";
+references = ["https://github.com/near/borsh-rs/pull/136";]
+informational = "unsound"
+categories = ["memory-corruption"]
+
+[affected]
+[versions]
+patched = []
+```
+
+# Parsing borsh messages with ZST which are not-copy/clone is unsound
+
+Affected versions of borsh cause undefined behavior when zero-sized-types 
(ZST) 
+are parsed and the Copy/Clone traits are not implemented/derived.
+For instance if 1000 instances of a ZST are deserialized, and the ZST is not 
copy 
+(this can be achieved through a singleton), then accessing/writing to 
deserialized 
+data will cause a segmentation fault.
+
+There is currently no way for borsh to read data without also providing a Rust 
type. 
+Therefore, if not ZST are used for serialization, then you are not affected by 
this issue. 
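Review bot: the `[versions]` table has `patched = []` and the `[affected]` table is empty, so this advisory matches every published borsh version; that is the right default while no fixed release exists, but the entry will need a follow-up to populate `patched` once the referenced pull request (borsh-rs#136) is released, otherwise `cargo audit` users keep getting a warning they cannot act on. Two wording fixes for the same hunk: "if not ZST are used for serialization" should read "if no ZSTs are used for serialization", and "the ZST is not copy" should be "the ZST is not `Copy`" to match the trait name used two lines earlier.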
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230413/crates/enumflags2/RUSTSEC-2023-0035.md 
new/advisory-db-20230523/crates/enumflags2/RUSTSEC-2023-0035.md
--- old/advisory-db-20230413/crates/enumflags2/RUSTSEC-2023-0035.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230523/crates/enumflags2/RUSTSEC-2023-0035.md     
2023-05-17 05:02:51.000000000 +0200
@@ -0,0 +1,48 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0035"
+package = "enumflags2"
+date = "2023-04-17"
+url = "https://github.com/meithecatte/enumflags2/releases/tag/v0.7.7";
+informational = "unsound"
+
+# [affected.macros]
+# "enumflags2::make_bitflags" = ["< 0.7.7, >= 0.7.0"]
+
+[versions]
+patched = [">= 0.7.7"]
+
+unaffected = ["< 0.7.0"]
+```
+
+# Adverserial use of `make_bitflags!` macro can cause undefined behavior
+
+The macro relied on an expression of the form `Enum::Variant` always being a
+variant of the enum. However, it may also be an associated integer constant, in
+which case there's no guarantee that the value of said constant consists only 
of
+bits valid for this bitflag type.
+
+Thus, code like this could create an invalid `BitFlags<Test>`, which would 
cause
+iterating over it to trigger undefined behavior. As the debug formatter
+internally iterates over the value, it is also affected.
+
+```rust
+use enumflags2::{bitflags, make_bitflags};
+
+#[bitflags]
+#[repr(u8)]
+#[derive(Copy, Clone, Debug)]
+enum Test {
+    A = 1,
+    B = 2,
+}
+
+impl Test {
+    const C: u8 = 69;
+}
+
+fn main() {
+    let x = make_bitflags!(Test::{C});
+    // printing or iterating over x is UB
+}
+```
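Review bot: the heading misspells "Adversarial" as "Adverserial". Separately, the `[affected.macros]` table listing `enumflags2::make_bitflags` is commented out, so the machine-readable part of the advisory says nothing about which API is affected and only the prose names the macro; if the schema does not accept `macros` yet, a one-line comment saying why it is disabled would save the next editor from re-enabling it blindly. Also, `unaffected = ["< 0.7.0"]` is separated from `patched` by a stray blank line; the other advisories in this batch keep the two keys together.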
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230413/crates/h2/RUSTSEC-2023-0034.md 
new/advisory-db-20230523/crates/h2/RUSTSEC-2023-0034.md
--- old/advisory-db-20230413/crates/h2/RUSTSEC-2023-0034.md     1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230523/crates/h2/RUSTSEC-2023-0034.md     2023-05-17 
05:02:51.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0034"
+package = "h2"
+date = "2023-04-14"
+url = "https://github.com/hyperium/hyper/issues/2877";
+categories = ["denial-of-service"]
+keywords = ["http", "http2", "h2"]
+aliases = ["CVE-2023-26964", "GHSA-f8vr-r385-rh5r"]
+[versions]
+patched = [">= 0.3.17"]
+```
+
+# Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
+
+If an attacker is able to flood the network with pairs of 
`HEADERS`/`RST_STREAM` frames, such that the `h2` application is not able to 
accept them faster than the bytes are received, the pending accept queue can 
grow in memory usage. Being able to do this consistently can result in 
excessive memory use, and eventually trigger Out Of Memory.
+
+This flaw is corrected in 
[hyperium/h2#668](https://github.com/hyperium/h2/pull/668), which restricts 
remote reset stream count by default.
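Review bot: `[versions]` is glued directly onto the `aliases` line with no blank line, unlike the other advisory files in this update; a blank line before the table keeps the TOML consistent with the rest of the database. The `keywords` list also repeats the package name ("h2"), which adds nothing for search. The text says the fix "restricts remote reset stream count by default" but gives no guidance for users pinned below 0.3.17; if the project documents a limit setting, linking it from `references` would help operators who cannot upgrade immediately.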
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230413/crates/tree_magic/RUSTSEC-2023-0036.md 
new/advisory-db-20230523/crates/tree_magic/RUSTSEC-2023-0036.md
--- old/advisory-db-20230413/crates/tree_magic/RUSTSEC-2023-0036.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230523/crates/tree_magic/RUSTSEC-2023-0036.md     
2023-05-17 05:02:51.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0036"
+package = "tree_magic"
+date = "2023-04-11"
+url = "https://github.com/aahancoc/tree_magic/issues/16";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# tree_magic is Unmaintained
+
+
+The `tree_magic` crate is unmaintained. The author has archived the github
+repository.
+
+Alternatives:
+
+- [tree_magic_mini](https://crates.io/crates/tree_magic_mini)
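Review bot: there are two blank lines between the heading and the first paragraph where the other advisories use one; drop the extra line. "github" should be capitalised as "GitHub" in the body text. The advisory also gives no indication whether `tree_magic_mini` is API-compatible or a fork; one sentence on that would make the "Alternatives" list actionable.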
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230413/crates/xml-rs/RUSTSEC-2022-0048.md 
new/advisory-db-20230523/crates/xml-rs/RUSTSEC-2022-0048.md
--- old/advisory-db-20230413/crates/xml-rs/RUSTSEC-2022-0048.md 2023-04-10 
17:47:56.000000000 +0200
+++ new/advisory-db-20230523/crates/xml-rs/RUSTSEC-2022-0048.md 2023-05-17 
05:02:51.000000000 +0200
@@ -3,6 +3,7 @@
 id = "RUSTSEC-2022-0048"
 package = "xml-rs"
 date = "2022-01-26"
+withdrawn = "2023-05-04"
 url = "https://github.com/netvl/xml-rs/issues";
 references = ["https://github.com/netvl/xml-rs/issues/219";, 
"https://github.com/netvl/xml-rs/issues/210";, 
"https://github.com/netvl/xml-rs/issues/204";]
 informational = "unmaintained"
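Review bot: the `withdrawn = "2023-05-04"` line is added without any reference explaining the withdrawal, and `informational = "unmaintained"` is left in place in the context below it, so a reader of the file alone cannot tell why the crate is now considered maintained. Adding the upstream issue or release announcement that documents the new maintainership to `references` would give the withdrawal a verifiable source.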
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230413/crates/xsalsa20poly1305/RUSTSEC-2023-0037.md 
new/advisory-db-20230523/crates/xsalsa20poly1305/RUSTSEC-2023-0037.md
--- old/advisory-db-20230413/crates/xsalsa20poly1305/RUSTSEC-2023-0037.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230523/crates/xsalsa20poly1305/RUSTSEC-2023-0037.md       
2023-05-17 05:02:51.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0037"
+package = "xsalsa20poly1305"
+date = "2023-05-16"
+informational = "unmaintained"
+url = "https://github.com/RustCrypto/AEADs/pull/525";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# crate has been renamed to `crypto_secretbox`
+
+This crate has been forked/renamed from `xsalsa20poly1305` to 
`crypto_secretbox`.
+
+The new repository location is at:
+
+<https://github.com/RustCrypto/nacl-compat/tree/master/crypto_secretbox>
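Review bot: the advisory names the replacement crate but not the migration target, and with `patched = []` and `unaffected = []` every `xsalsa20poly1305` version is flagged; stating the last released `xsalsa20poly1305` version and the first `crypto_secretbox` version that supersedes it would tell `cargo audit` users exactly what to move to. The heading should also start with a capital letter ("Crate has been renamed to `crypto_secretbox`") to match the other advisory titles in this batch.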
