Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2025-09-14 18:50:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Sun Sep 14 18:50:39 2025 rev:48 rq:1304477 version:20250913
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2025-05-07 19:19:52.167668746 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1977/cargo-audit-advisory-db.changes
2025-09-14 18:51:33.121557572 +0200
@@ -1,0 +2,15 @@
+Sat Sep 13 01:09:23 UTC 2025 - [email protected]
+
+- Update to version 20250913:
+ * Assigned RUSTSEC-2025-0067 to libyml, RUSTSEC-2025-0068 to serde_yml
+ * explain why the alternatives are mentioned
+ * mark both unsound
+ * Add unmaintained libyml and serde_yml
+ * Assigned RUSTSEC-2021-0154 to fuser
+ * Add advisory for fuser
+ * Assigned RUSTSEC-2025-0066 to google-apis-common
+ * Add advisory (deprecated) for `google-apis-common`
+ * Assigned RUSTSEC-2025-0065 to matrix-sdk-base
+ * Fix candidate advisory ID
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20250507.tar.xz
New:
----
advisory-db-20250913.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.pxW6By/_old 2025-09-14 18:51:33.605577855 +0200
+++ /var/tmp/diff_new_pack.pxW6By/_new 2025-09-14 18:51:33.609578023 +0200
@@ -1,7 +1,7 @@
#
# spec file for package cargo-audit-advisory-db
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20250507
+Version: 20250913
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.pxW6By/_old 2025-09-14 18:51:33.637579197 +0200
+++ /var/tmp/diff_new_pack.pxW6By/_new 2025-09-14 18:51:33.641579364 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20250507</param>
+ <param name="version">20250913</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20250507.tar.xz -> advisory-db-20250913.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/.duplicate-id-guard
new/advisory-db-20250913/.duplicate-id-guard
--- old/advisory-db-20250507/.duplicate-id-guard 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.duplicate-id-guard 2025-09-12
09:28:19.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-f308e9d1315b61c4cc4feac716ba92f2b3200480e4322ae21d578b2df126f586 -
+fd71645898ff1b3e7401e0494a2354ef385e30359645c7be09759ad9c8bdf55a -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/.github/workflows/assign-ids.yml
new/advisory-db-20250913/.github/workflows/assign-ids.yml
--- old/advisory-db-20250507/.github/workflows/assign-ids.yml 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.github/workflows/assign-ids.yml 2025-09-12
09:28:19.000000000 +0200
@@ -9,7 +9,7 @@
name: Assign IDs
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
- name: Cache cargo bin
id: admin-cache
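Review bot: The new `- uses: actions/checkout@v5` line references a mutable tag, so the Assign IDs job (which has write access to the database to commit ID assignments) runs whatever commit the `v5` tag points to at run time. The usual hardening for a workflow with that level of trust is to pin the action to a full commit SHA and keep the tag in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v5`, and let an update bot bump the SHA. The same change appears in export-osv.yml, publish-web.yml, sync-ids.yml and validate.yml, and the job definition continues outside this hunk. Since the tarball is upstream content, the fix belongs in RustSec/advisory-db rather than in this package.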
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/.github/workflows/export-osv.yml
new/advisory-db-20250913/.github/workflows/export-osv.yml
--- old/advisory-db-20250507/.github/workflows/export-osv.yml 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.github/workflows/export-osv.yml 2025-09-12
09:28:19.000000000 +0200
@@ -8,7 +8,7 @@
publish-web:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
ref: osv
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/.github/workflows/publish-web.yml
new/advisory-db-20250913/.github/workflows/publish-web.yml
--- old/advisory-db-20250507/.github/workflows/publish-web.yml 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.github/workflows/publish-web.yml 2025-09-12
09:28:19.000000000 +0200
@@ -8,7 +8,7 @@
publish-web:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
ref: gh-pages
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/.github/workflows/sync-ids.yml
new/advisory-db-20250913/.github/workflows/sync-ids.yml
--- old/advisory-db-20250507/.github/workflows/sync-ids.yml 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.github/workflows/sync-ids.yml 2025-09-12
09:28:19.000000000 +0200
@@ -11,7 +11,7 @@
name: Synchronize IDs
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
- name: Cache cargo bin
id: admin-cache
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/.github/workflows/validate.yml
new/advisory-db-20250913/.github/workflows/validate.yml
--- old/advisory-db-20250507/.github/workflows/validate.yml 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/.github/workflows/validate.yml 2025-09-12
09:28:19.000000000 +0200
@@ -10,7 +10,7 @@
name: Lint advisories
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
- name: Cache cargo bin
id: admin-cache
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/CONTRIBUTING.md
new/advisory-db-20250913/CONTRIBUTING.md
--- old/advisory-db-20250507/CONTRIBUTING.md 2025-05-06 23:08:48.000000000
+0200
+++ new/advisory-db-20250913/CONTRIBUTING.md 2025-09-12 09:28:19.000000000
+0200
@@ -13,7 +13,7 @@
3. Write a human-readable Markdown description in the same file, after the
<code>\```</code> marker and a newline. Use [this example advisory][example] as
a reference.
4. Open a [Pull Request]. After being reviewed your advisory will be assigned
a `RUSTSEC-*` advisory identifier and be published to the database.
-
+
### Optional Steps
Feel free to do either or both of these as you see fit (we recommend you do
both):
@@ -55,13 +55,11 @@
A: No, anyone can file an advisory against any crate. The legitimacy of
vulnerabilities will be determined prior to merging. If a vulnerability
turns out to be fake, it will be removed from the database.
-
+
**Q: Can I file an advisory without creating a pull request?**
A: Yes, instead of creating a full advisory yourself, you can also
- [open an issue on the advisory-db
repo](https://github.com/RustSec/advisory-db/issues)
- or email information about the vulnerability to
- [[email protected]](mailto:[email protected]).
+ [open an issue on the advisory-db
repo](https://github.com/RustSec/advisory-db/issues).
**Q: Does this project have a GPG key or other means of handling embargoed
vulnerabilities?**
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/HOWTO_UNMAINTAINED.md
new/advisory-db-20250913/HOWTO_UNMAINTAINED.md
--- old/advisory-db-20250507/HOWTO_UNMAINTAINED.md 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/HOWTO_UNMAINTAINED.md 2025-09-12
09:28:19.000000000 +0200
@@ -71,6 +71,10 @@
on the upstream project repository where the maintenance status has been
discussed in the `url = "..."` field of the advisory.
+If the upstream project repository has issues disabled, or if an upstream
+issue does not adequately explain the circumstances, please include
+`url = "..."` linking to an issue in the `advisory-db` project.
+
For more information on adding an advisory to the RustSec DB, see:
<https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/adler/RUSTSEC-2025-0056.md
new/advisory-db-20250913/crates/adler/RUSTSEC-2025-0056.md
--- old/advisory-db-20250507/crates/adler/RUSTSEC-2025-0056.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/adler/RUSTSEC-2025-0056.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0056"
+package = "adler"
+date = "2025-09-05"
+url = "https://github.com/jonas-schievink/adler"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# adler crate is unmaintained, use adler2 instead
+
+The `adler` crate is no longer actively maintained. If you rely on this crate,
consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+- [`adler2`](https://crates.io/crates/adler2)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/anon-vec/RUSTSEC-2025-0039.md
new/advisory-db-20250913/crates/anon-vec/RUSTSEC-2025-0039.md
--- old/advisory-db-20250507/crates/anon-vec/RUSTSEC-2025-0039.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/anon-vec/RUSTSEC-2025-0039.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0039"
+package = "anon-vec"
+date = "2025-05-06"
+informational = "unsound"
+url = "https://github.com/RylanYancey/anon-vec"
+categories = ["memory-corruption"]
+
+[affected.functions]
+"anon_vec::AnonVec::get_ref" = ["<= 0.1.1"]
+"anon_vec::AnonVec::get_mut" = ["<= 0.1.1"]
+"anon_vec::AnonVec::remove_get" = ["<= 0.1.1"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# Lack of sufficient checks in public API
+
+The following functions in the anon-vec crate are unsound due to insufficient
checks on their
+arguments::
+
+- `AnonVec::get_ref()`
+- `AnonVec::get_mut()`
+- `AnonVec::remove_get()`
+
+The crate was built as a learning project and is not being maintained.
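Review bot: The description line ending in `arguments::` has a doubled colon that will render as a stray colon in the published advisory; it should read `arguments:`. The TOML front matter otherwise matches the other unsound advisories in this update (`informational = "unsound"`, `categories = ["memory-corruption"]`, function-level ranges).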
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/arenavec/RUSTSEC-2025-0053.md
new/advisory-db-20250913/crates/arenavec/RUSTSEC-2025-0053.md
--- old/advisory-db-20250507/crates/arenavec/RUSTSEC-2025-0053.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/arenavec/RUSTSEC-2025-0053.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0053"
+package = "arenavec"
+date = "2025-08-14"
+
+url = "https://github.com/ibabushkin/arenavec/issues/4"
+references = ["https://github.com/ibabushkin/arenavec/issues/5",
"https://github.com/ibabushkin/arenavec/issues/6"]
+
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "buffer-overflow", "double-free", "raw-pointer"]
+
+[affected.functions]
+"arenavec::common::AllocHandle::allocate" = ["<= 0.1.1"]
+"arenavec::common::AllocHandle::allocate_or_extend" = ["<= 0.1.1"]
+"arenavec::common::allocate_inner" = ["<= 0.1.1"]
+"arenavec::common::SliceVec::split_off" = ["<= 0.1.1"]
+
+[versions]
+patched = []
+```
+
+# Multiple memory corruption vulnerabilities in safe APIs
+
+The crate has the following vulnerabilities:
+
+- The public trait `arenavec::common::AllocHandle` allows the return of raw
pointers through its methods `allocate` and `allocate_or_extend`. However, the
trait is not marked as unsafe, meaning users of the crate may implement it
under the assumption that the library safely handles the returned raw pointers.
These raw pointers can later be dereferenced within safe APIs of the crate-such
as `arenavec::common::SliceVec::push`-potentially leading to arbitrary memory
access.
+
+- The safe API `arenavec::common::SliceVec::reserve` can reach the private
function `arenavec::common::allocate_inner`. Incorrect behavior in
`allocate_inner` may result in a `SliceVec` with an increased capacity, even
though the underlying memory has not actually been expanded. This mismatch
between `SliceVec.capacity` and the actual reserved memory can lead to a heap
buffer overflow.
+
+- The safe API `arenavec::common::SliceVec::split_off` can duplicate the
ownership of the elements in `self` (of type `SliceVec`) if they implement the
`Drop` trait. Specifically, when `at == 0`, the method returns a new `SliceVec`
with the same length as `self`. Since both `self` and the returned object point
to the same heap memory, dropping one will deallocate the shared memory. When
the other is subsequently dropped, it will attempt to free the same memory
again, resulting in a double free violation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/array-queue/RUSTSEC-2025-0054.md
new/advisory-db-20250913/crates/array-queue/RUSTSEC-2025-0054.md
--- old/advisory-db-20250507/crates/array-queue/RUSTSEC-2025-0054.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/array-queue/RUSTSEC-2025-0054.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0054"
+package = "array-queue"
+date = "2025-08-14"
+
+url = "https://github.com/raviqqe/array-queue/issues/3"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "panic-safety", "uninitialized-memory"]
+
+[affected.functions]
+"array_queue::ArrayQueue::push_front" = [">= 0.3.0, <= 0.3.3"]
+
+[versions]
+patched = [">=0.4.0"]
+unaffected = ["< 0.3.0"]
+```
+
+# ArrayQueue::push_front is not panic-safe
+
+The safe API `array_queue::ArrayQueue::push_front` can lead to deallocating
uninitialized memory if a panic occurs while invoking the `clone` method on the
passed argument.
+
+Specifically, `push_front` receives an argument that is intended to be cloned
and pushed, whose type implements the `Clone` trait. Furthermore, the method
updates the queue's `start` index before initializing the slot for the newly
pushed element. User-defined implementations of `Clone` may include a `clone`
method that can panic. If such a panic occurs during initialization, the
structure is left with an advanced `start` index pointing to an uninitialized
slot. When `ArrayQueue` is later dropped, its destructor treats that slot as
initialized and attempts to drop it, resulting in an attempt to free
uninitialized memory.
+
+The bug was fixed in commit `728fe1b`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/arrow2/RUSTSEC-2025-0038.md
new/advisory-db-20250913/crates/arrow2/RUSTSEC-2025-0038.md
--- old/advisory-db-20250507/crates/arrow2/RUSTSEC-2025-0038.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/arrow2/RUSTSEC-2025-0038.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0038"
+package = "arrow2"
+date = "2025-04-24"
+categories = ["memory-exposure"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# Out of bounds access in public safe API
+
+`Rows::row_unchecked()` allows out of bounds access to the underlying
+buffer without sufficient checks.
+
+The arrow2 crate is no longer maintained, so there are no plans to fix this
issue. Users are advised to migrate to the arrow crate, instead.
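Review bot: The `[advisory]` table has no `url` field and no `informational` tag, so the entry cannot be traced to an upstream issue and, without `informational = "unsound"`, cargo-audit reports it as a vulnerability rather than a soundness issue, while the anon-vec and fast_id_map advisories in the same update, which describe the same class of problem (a safe API lacking bounds checks), carry `informational = "unsound"`. If the vulnerability classification is deliberate, a sentence saying why would help; otherwise add `informational = "unsound"` and a `url` pointing at the upstream or advisory-db issue. An `[affected.functions]` entry for the `Rows::row_unchecked` path would also let function-level checks work, if the full path is known.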
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/async-std/RUSTSEC-2025-0052.md
new/advisory-db-20250913/crates/async-std/RUSTSEC-2025-0052.md
--- old/advisory-db-20250507/crates/async-std/RUSTSEC-2025-0052.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/async-std/RUSTSEC-2025-0052.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0052"
+package = "async-std"
+date = "2025-08-24"
+url = "https://github.com/async-rs/async-std"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# async-std has been discontinued
+
+The `async-std` has been discontinued.
+
+Alternatives:
+
+- [smol](https://crates.io/crates/smol)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/backoff/RUSTSEC-2025-0012.md
new/advisory-db-20250913/crates/backoff/RUSTSEC-2025-0012.md
--- old/advisory-db-20250507/crates/backoff/RUSTSEC-2025-0012.md
2025-05-06 23:08:48.000000000 +0200
+++ new/advisory-db-20250913/crates/backoff/RUSTSEC-2025-0012.md
2025-09-12 09:28:19.000000000 +0200
@@ -11,6 +11,6 @@
unaffected = []
```
-# `backoff` is unmainted.
+# `backoff` is unmaintained.
The [backoff](https://crates.io/crates/backoff) crate is no longer actively
maintained. For exponential backoffs/retrying, you can use the
[backon](https://crates.io/crates/backon) crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/crypto-hash/RUSTSEC-2025-0060.md
new/advisory-db-20250913/crates/crypto-hash/RUSTSEC-2025-0060.md
--- old/advisory-db-20250507/crates/crypto-hash/RUSTSEC-2025-0060.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/crypto-hash/RUSTSEC-2025-0060.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0060"
+package = "crypto-hash"
+date = "2025-09-08"
+url = "https://github.com/rustsec/advisory-db/issues/1633"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# crypto-hash crate is unmaintained
+
+The `crypto-hash` crate is no longer actively maintained. If you rely on this
crate, consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+- [`crypto-hashes`](https://crates.io/crates/crypto-hashes)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/custom_derive/RUSTSEC-2025-0058.md
new/advisory-db-20250913/crates/custom_derive/RUSTSEC-2025-0058.md
--- old/advisory-db-20250507/crates/custom_derive/RUSTSEC-2025-0058.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/custom_derive/RUSTSEC-2025-0058.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0058"
+package = "custom_derive"
+date = "2025-09-07"
+url = "https://github.com/rustsec/advisory-db/issues/2199"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# custom_derive crate is unmaintained
+
+The `custom_derive` crate is no longer actively maintained. If you rely on
this crate, consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+- [`strum`](https://crates.io/crates/strum)
+- [`macro-attr`](https://crates.io/crates/macro-attr)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/difference/RUSTSEC-2020-0095.md
new/advisory-db-20250913/crates/difference/RUSTSEC-2020-0095.md
--- old/advisory-db-20250507/crates/difference/RUSTSEC-2020-0095.md
2025-05-06 23:08:48.000000000 +0200
+++ new/advisory-db-20250913/crates/difference/RUSTSEC-2020-0095.md
2025-09-12 09:28:19.000000000 +0200
@@ -8,7 +8,6 @@
[versions]
patched = []
-unaffected = ["> 2.0.0"]
```
# difference is unmaintained
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/fast-able/RUSTSEC-2025-0063.md
new/advisory-db-20250913/crates/fast-able/RUSTSEC-2025-0063.md
--- old/advisory-db-20250507/crates/fast-able/RUSTSEC-2025-0063.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/fast-able/RUSTSEC-2025-0063.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0063"
+package = "fast-able"
+date = "2025-04-25"
+categories = ["memory-corruption"]
+
+[affected.functions]
+"fast_able::vec::SyncVec::get_unchecked" = ["< 1.13.7"]
+
+[versions]
+patched = [">= 1.13.7"]
+unaffected = []
+```
+
+# Possible unsound public API
+
+The public accessible struct SyncVec has a public safe method get_unchecked.
It accept a parameter index and used in the get_unchecked without sufficient
checks as mentioned
[here](https://doc.rust-lang.org/std/primitive.slice.html#method.get_unchecked).
+
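Review bot: The sentence `It accept a parameter index and used in the get_unchecked without sufficient checks` is ungrammatical and hard to follow; suggest `It accepts an index parameter and passes it to slice `get_unchecked` without bounds checks`. The `[advisory]` table also lacks a `url` field, so readers cannot find the upstream report or the change that fixed it in 1.13.7. As with the arrow2 entry, `informational = "unsound"` is absent although the title calls it an unsound public API; if this is intentional, the description should say so.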
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/fast_id_map/RUSTSEC-2025-0034.md
new/advisory-db-20250913/crates/fast_id_map/RUSTSEC-2025-0034.md
--- old/advisory-db-20250507/crates/fast_id_map/RUSTSEC-2025-0034.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/fast_id_map/RUSTSEC-2025-0034.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0034"
+package = "fast_id_map"
+date = "2025-05-06"
+informational = "unsound"
+url = "https://github.com/Bruce0203/fast_map"
+categories = ["memory-corruption"]
+
+[affected.functions]
+"fast_id_map::FastMap::get" = ["<= 0.1.0"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# soundness issue and unmaintained
+`FastMap::get()` lacks sufficient checks to its parameter index and is used to
unsafely get a `Vec` element.
+
+`fast_id_map` is unmaintained.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/fuser/RUSTSEC-2021-0154.md
new/advisory-db-20250913/crates/fuser/RUSTSEC-2021-0154.md
--- old/advisory-db-20250507/crates/fuser/RUSTSEC-2021-0154.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/fuser/RUSTSEC-2021-0154.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0154"
+package = "fuser"
+date = "2021-09-10"
+url = "https://github.com/cberner/fuser/pull/390"
+references = ["https://github.com/libfuse/libfuse/pull/1330"]
+informational = "unsound"
+categories = ["code-execution"]
+keywords = ["fuse"]
+license = "CC0-1.0"
+
+[affected.functions]
+"fuser::Session::new" = [">= 0.5.0"]
+
+[versions]
+patched = [">= 1.2.0"]
+```
+
+# Uninitalized memory read & leak caused by fuser crate
+
+During creation of new libfuse session with `fuse_session_new` operation list
was passed as NULL incorrectly. libfuse expects this argument to always point
to list of operations. This caused uninitialized memory read and leaks in
libfuse.so
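Review bot: The title `Uninitalized memory read & leak caused by fuser crate` misspells `Uninitialized`. The `[affected.functions]` range `">= 0.5.0"` has no upper bound even though `[versions]` declares `patched = [">= 1.2.0"]`; if tooling consults the function range it would mark `Session::new` in patched releases as affected, so `">= 0.5.0, < 1.2.0"` would be consistent with the patched list. `informational = "unsound"` combined with `categories = ["code-execution"]` is an unusual pairing for an uninitialized-memory read; unless code execution was demonstrated, `memory-exposure` (as used by the arrow2 entry) may describe it better.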
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/fxhash/RUSTSEC-2025-0057.md
new/advisory-db-20250913/crates/fxhash/RUSTSEC-2025-0057.md
--- old/advisory-db-20250507/crates/fxhash/RUSTSEC-2025-0057.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/fxhash/RUSTSEC-2025-0057.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0057"
+package = "fxhash"
+date = "2025-09-05"
+url = "https://github.com/cbreeden/fxhash/issues/20"
+informational = "unmaintained"
+
+[versions]
+patched = []
+
+```
+# fxhash - no longer maintained
+
+The fxhash crate is no longer maintained.
+
+The repository is stale and owner is no longer active on GitHub.
+
+Please take a look at [rustc-hash](https://github.com/rust-lang/rustc-hash)
instead.
+```
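Review bot: The file ends with an extra line containing only three backticks after the alternatives list, which opens a second code fence that is never closed; renderers that concatenate advisories will treat everything after it as a code block, and the advisory linter may reject it. Drop that final line. The blank line inside the TOML fence before its closing backticks and the missing blank line before the `# fxhash - no longer maintained` heading are also inconsistent with the other advisories in this update.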
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/google-apis-common/RUSTSEC-2025-0066.md
new/advisory-db-20250913/crates/google-apis-common/RUSTSEC-2025-0066.md
--- old/advisory-db-20250507/crates/google-apis-common/RUSTSEC-2025-0066.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/google-apis-common/RUSTSEC-2025-0066.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0066"
+package = "google-apis-common"
+date = "2025-09-09"
+url = "https://crates.io/crates/google-apis-common"
+informational = "unmaintained"
+references = ["https://github.com/Byron/google-apis-rs/discussions/559"]
+
+[versions]
+patched = []
+```
+
+# The `google-apis-rs` project is now unmaintained
+
+Instead, please start using and migrate to the [official Google Rust
bindings](https://github.com/googleapis/google-cloud-rust).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/id-map/RUSTSEC-2025-0050.md
new/advisory-db-20250913/crates/id-map/RUSTSEC-2025-0050.md
--- old/advisory-db-20250507/crates/id-map/RUSTSEC-2025-0050.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/id-map/RUSTSEC-2025-0050.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0050"
+package = "id-map"
+date = "2025-08-14"
+
+url = "https://github.com/andrewhickman/id-map/issues/4"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "uninitialized-memory"]
+
+[affected.functions]
+"id_map::IdMap::from_iter" = [">= 0.1.6, <= 0.2.1"]
+
+[versions]
+patched = [">= 0.2.2"]
+unaffected = ["< 0.1.6"]
+```
+
+# IdMap::from_iter may lead to uninitialized memory being freed on drop
+
+Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed
objects may be created in which the amount of actually initialized memory is
less than what is expected by the fields of `IdMap`. Specifically, the field
`ids` is initialized based on the capacity of the vector `values`, which is
constructed from the provided iterator. However, the length of this vector may
be smaller than its capacity.
+
+In such cases, when the resulting `IdMap` is dropped, its destructor
incorrectly assumes that `values` contains `ids.len() == values.capacity()`
initialized elements and attempts to iterate over and drop them. This leads to
dereferencing and attempting to free uninitialized memory, resulting in
undefined behavior and potential segmentation faults.
+
+The bug was fixed in commit `fab6922`, and all unsafe code was removed from
the crate.
+
+Note that the maintainer recommends using the following alternatives:
+- [slab](https://crates.io/crates/slab)
+- [slotmap](https://crates.io/crates/slotmap)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/iron/RUSTSEC-2025-0061.md
new/advisory-db-20250913/crates/iron/RUSTSEC-2025-0061.md
--- old/advisory-db-20250507/crates/iron/RUSTSEC-2025-0061.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/iron/RUSTSEC-2025-0061.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0061"
+package = "iron"
+date = "2025-09-08"
+url = "https://github.com/rustsec/advisory-db/issues/1424"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# iron crate is unmaintained
+
+The `iron` crate is no longer actively maintained. If you rely on this crate,
consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+See [this
comparison](https://github.com/flosse/rust-web-framework-comparison#server-frameworks)
for popular alternatives.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/libyml/RUSTSEC-2025-0067.md
new/advisory-db-20250913/crates/libyml/RUSTSEC-2025-0067.md
--- old/advisory-db-20250507/crates/libyml/RUSTSEC-2025-0067.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/libyml/RUSTSEC-2025-0067.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0067"
+package = "libyml"
+date = "2025-09-11"
+url = "https://github.com/rustsec/advisory-db/issues/2395"
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# `libyml::string::yaml_string_extend` is unsound and unmaintained
+
+In version 0.0.4, `libyml::string::yaml_string_extend` was revised resulting
in undefined behaviour, which is unsound.
+
+The GitHub project for `libyml` was archived after unsoundness issues were
raised.
+
+If you rely on this crate, it is highly recommended switching to a maintained
alternative.
+
+## Recommended alternatives
+
+- [`libyaml-safer`](https://crates.io/crates/libyaml-safer)
+- [`unsafe-libyaml-norway`](https://crates.io/crates/unsafe-libyaml-norway) -
Maintained fork of `unsafe-libyaml`
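Review bot: The description says the unsoundness was introduced when `yaml_string_extend` was revised in version 0.0.4, but `[versions]` lists only `patched = []` with no `unaffected`, so every release including pre-0.0.4 ones is flagged as unsound. If flagging all versions is intended because the project is archived, that deserves a sentence in the description; otherwise `unaffected = ["< 0.0.4"]` would match the text. An `[affected.functions]` entry for `libyml::string::yaml_string_extend` would also let function-level checks work, as the anon-vec and fast_id_map entries do.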
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/macroquad/RUSTSEC-2025-0035.md
new/advisory-db-20250913/crates/macroquad/RUSTSEC-2025-0035.md
--- old/advisory-db-20250507/crates/macroquad/RUSTSEC-2025-0035.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/macroquad/RUSTSEC-2025-0035.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0035"
+package = "macroquad"
+date = "2025-04-23"
+informational = "unsound"
+references = [
+ "https://github.com/not-fl3/macroquad/issues/333",
+ "https://github.com/not-fl3/macroquad/issues/634",
+ "https://github.com/not-fl3/macroquad/issues/746",
+ "https://github.com/not-fl3/macroquad/issues/723",
+]
+
+categories = ["memory-corruption"]
+
+# Freeform keywords which describe this vulnerability, similar to Cargo
(optional)
+keywords = ["buffer overflow", "use-after-free", "undefined behavior"]
+
+[versions]
+patched = []
+```
+
+# Multiple soundness issues in `macroquad`
+
+Several soundness issues have been reported. Resolving them doesn't seem to be
considered a priority. In particular, unprincipled use of
+mutable statics is pervasive throughout the library, making it possible to
cause use-after-free in safe code.
+
+Currently, no fixed version is available.
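Review bot: The TOML front matter still contains the template comment `# Freeform keywords which describe this vulnerability, similar to Cargo (optional)` above `keywords`; it is scaffolding from the advisory template and no other advisory in this update carries it, so it should be removed before publication. The `keywords` values also mix styles, `buffer overflow` with a space next to hyphenated `use-after-free`; the other new advisories use hyphenated keywords such as `buffer-overflow` and `memory-safety`, so `"buffer-overflow"` and `"undefined-behavior"` would be consistent.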
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/matrix-sdk-base/RUSTSEC-2025-0065.md
new/advisory-db-20250913/crates/matrix-sdk-base/RUSTSEC-2025-0065.md
--- old/advisory-db-20250507/crates/matrix-sdk-base/RUSTSEC-2025-0065.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/matrix-sdk-base/RUSTSEC-2025-0065.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0065"
+package = "matrix-sdk-base"
+date = "2025-09-11"
+url =
"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-qhj8-q5r6-8q6j"
+aliases = ["CVE-2025-59047", "GHSA-qhj8-q5r6-8q6j"]
+
+[affected.functions]
+"matrix_sdk_base::RoomMember::normalized_power_level" = ["<= 0.14.0"]
+
+[versions]
+patched = [">= 0.14.1"]
+```
+
+# matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method
+
+In matrix-sdk-base before 0.14.1, calling the
+`RoomMember::normalized_power_level()` method can cause a panic if a room
member
+has a power level of `Int::Min`.
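Review bot: The advisory describes a panic triggered by a room member's power level value, but the `[advisory]` table has no `categories`; `categories = ["denial-of-service"]` would let cargo-audit users filter it consistently with the other entries in this update. A `cvss` vector is also absent although a GHSA alias is given, while the matrix-sdk-crypto advisory in the same update includes one; copy the vector over if the upstream GHSA publishes a score.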
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/matrix-sdk-crypto/RUSTSEC-2025-0041.md
new/advisory-db-20250913/crates/matrix-sdk-crypto/RUSTSEC-2025-0041.md
--- old/advisory-db-20250507/crates/matrix-sdk-crypto/RUSTSEC-2025-0041.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/matrix-sdk-crypto/RUSTSEC-2025-0041.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0041"
+package = "matrix-sdk-crypto"
+date = "2025-06-11"
+url =
"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w"
+aliases = ["CVE-2025-48937", "GHSA-x958-rvg6-956w"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"
+
+[versions]
+patched = [">= 0.11.1"]
+unaffected = ["< 0.8.0"]
+```
+
+# matrix-sdk-crypto vulnerable to encrypted event sender spoofing by
homeserver administrator
+
+matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 does not correctly
validate
+the sender of an encrypted event. Accordingly, a malicious homeserver operator
+can modify events served to clients, making those events appear to the
recipient
+as if they were sent by another user.
+
+Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we
+consider this a High severity security issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/matrix-sdk-sqlite/RUSTSEC-2025-0043.md
new/advisory-db-20250913/crates/matrix-sdk-sqlite/RUSTSEC-2025-0043.md
--- old/advisory-db-20250507/crates/matrix-sdk-sqlite/RUSTSEC-2025-0043.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/matrix-sdk-sqlite/RUSTSEC-2025-0043.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0043"
+package = "matrix-sdk-sqlite"
+date = "2025-07-11"
+url =
"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-275g-g844-73jh"
+aliases = ["CVE-2025-53549", "GHSA-275g-g844-73jh"]
+
+categories = ["format-injection"]
+keywords = ["sql-injection"]
+
+[affected.functions]
+"matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations" = [">=
0.11.0"]
+
+[versions]
+patched = [">= 0.13.0"]
+unaffected = ["< 0.11.0"]
+```
+
+# matrix-sdk-sqlite: SQL injection vulnerability in
`SqliteEventCacheStore::find_event_with_relations`
+
+The `SqliteEventCacheStore::find_event_with_relations` function constructs SQL
+queries using `format!()` with unescaped input, allowing an attacker to inject
+arbitrary SQL. This results in a SQL injection vulnerability.
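Review bot: The `[affected.functions]` key names `matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations`, while the title and body both name `SqliteEventCacheStore::find_event_with_relations`; the TOML key is the machine-readable part that tooling consumes, so the two spellings should agree and the path should be checked against the crate's actual API before this lands. I cannot tell from the hunk alone which of the two is the real method name. If the key is the one at fault the fix is one line, `"matrix_sdk_sqlite::SqliteEventCacheStore::find_event_with_relations" = [">= 0.11.0"]`; otherwise the title and first sentence of the body need the shorter name.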
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/paste/RUSTSEC-2024-0436.md
new/advisory-db-20250913/crates/paste/RUSTSEC-2024-0436.md
--- old/advisory-db-20250507/crates/paste/RUSTSEC-2024-0436.md 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/crates/paste/RUSTSEC-2024-0436.md 2025-09-12
09:28:19.000000000 +0200
@@ -14,3 +14,7 @@
The creator of the crate `paste` has stated in the
[`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
that this project is not longer maintained as well as archived the repository
+
+## Possible Alternative(s)
+
+- [pastey](https://crates.io/crates/pastey), a fork of paste and is aimed to
be a drop-in replacement with additional features for paste crate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/pingora-core/RUSTSEC-2025-0037.md
new/advisory-db-20250913/crates/pingora-core/RUSTSEC-2025-0037.md
--- old/advisory-db-20250507/crates/pingora-core/RUSTSEC-2025-0037.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/pingora-core/RUSTSEC-2025-0037.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0037"
+package = "pingora-core"
+date = "2025-05-22"
+url =
"https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/"
+keywords = ["request-smuggling", "cache-poisoning"]
+aliases = ["CVE-2025-4366"]
+# cvss = "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"
+
+[versions]
+patched = [">= 0.5.0"]
+unaffected = []
+
+```
+
+# Pingora Request Smuggling and Cache Poisoning
+
+Pingora versions prior to 0.5.0 which used the caching functionality in
pingora-proxy did not properly drain the downstream request body on cache hits.
+
+This allows an attacker to craft malicious HTTP/1.1 requests which could lead
to request smuggling or cache poisoning.
+
+This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by
ensuring that the downstream request body is always drained before a connection
can be reused.
+
+See [the blog
post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/)
for more information.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/scanner/RUSTSEC-2025-0033.md
new/advisory-db-20250913/crates/scanner/RUSTSEC-2025-0033.md
--- old/advisory-db-20250507/crates/scanner/RUSTSEC-2025-0033.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/scanner/RUSTSEC-2025-0033.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0033"
+package = "scanner"
+date = "2025-03-27"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["out-of-bounds read"]
+url = "https://github.com/pombredanne/scanner-rs/pull/1"
+
+[affected.functions]
+"scanner::Match::get" = ["<= 0.1.0"]
+"scanner::Match::ptr" = ["<= 0.1.0"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# Public API without sufficient bounds checking
+
+`Match::get()` and `Match::ptr()` lack sufficient bounds checks, leading to
potential out of bounds reads.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/scratchpad/RUSTSEC-2025-0049.md
new/advisory-db-20250913/crates/scratchpad/RUSTSEC-2025-0049.md
--- old/advisory-db-20250507/crates/scratchpad/RUSTSEC-2025-0049.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/scratchpad/RUSTSEC-2025-0049.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0049"
+package = "scratchpad"
+date = "2025-08-14"
+
+url = "https://github.com/okready/scratchpad/issues/2"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "buffer-overflow", "raw-pointer"]
+
+[affected.functions]
+"scratchpad::Tracking::get" = ["<= 1.3.1"]
+"scratchpad::Tracking::set" = ["<= 1.3.1"]
+
+[versions]
+patched = []
+```
+
+# User-defined implementations of the safe trait scratchpad::Tracking can
cause heap buffer overflows
+
+The `get` and `set` methods of the public trait `scratchpad::Tracking`
interact with unsafe code regions in the crate, and they influence the
computation of addresses returned as raw pointers. However, the trait itself is
not marked as unsafe, meaning users may provide custom implementations under
the assumption that the crate upholds all safety guarantees.
+
+This becomes problematic because even safe implementations of `get` and
`set`-written without using any unsafe code-can still result in ill-formed raw
pointers. These pointers may later be dereferenced within safe APIs of the
crate (e.g., `marker::MarkerBack::allocate_slice_copy`), potentially leading to
arbitrary memory access or heap buffer overflows.
+
+According to the [penultimate
commit](https://github.com/okready/scratchpad/commit/957dee1a3902f48600b06910e8e0b1d5ee7dab83),
the crate is in maintenance mode awaiting a cleanup that will reduce the area
of unsafe code. Note that the last commits to the repository are from 4 years
ago.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/serde_yml/RUSTSEC-2025-0068.md
new/advisory-db-20250913/crates/serde_yml/RUSTSEC-2025-0068.md
--- old/advisory-db-20250507/crates/serde_yml/RUSTSEC-2025-0068.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/serde_yml/RUSTSEC-2025-0068.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0068"
+package = "serde_yml"
+date = "2025-09-11"
+url = "https://github.com/rustsec/advisory-db/issues/2395"
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# serde_yml crate is unsound and unmaintained
+
+Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault,
which is unsound.
+
+The GitHub project for `serde_yml` was archived after unsoundness issues were
raised.
+
+If you rely on this crate, it is highly recommended switching to a maintained
alternative.
+
+## Recommended alternatives
+
+- [`serde_norway`](https://crates.io/crates/serde_norway) - Maintained fork of
`serde_yaml`, using `unsafe-libyaml-norway`
+- [`serde_yaml_ng`](https://crates.io/crates/serde_yaml_ng) - Maintained fork
of `serde_yaml`, using unmaintained `unsafe-libyaml`
+
+## Incomplete pure Rust alternatives
+
+These implementation do not rely on C `libyaml`.
+
+- [`serde_yaml2`](https://crates.io/crates/serde_yaml2)
+- [`yaml-peg`](https://crates.io/crates/yaml-peg)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/servo-fontconfig/RUSTSEC-2025-0059.md
new/advisory-db-20250913/crates/servo-fontconfig/RUSTSEC-2025-0059.md
--- old/advisory-db-20250507/crates/servo-fontconfig/RUSTSEC-2025-0059.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/servo-fontconfig/RUSTSEC-2025-0059.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0059"
+package = "servo-fontconfig"
+date = "2025-09-08"
+url = "https://github.com/rustsec/advisory-db/issues/1998"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# servo-fontconfig crate is unmaintained
+
+The `servo-fontconfig` crate is no longer actively maintained. If you rely on
this crate, consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+- [`fontconfig-rs`](https://crates.io/crates/fontconfig-rs)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/slab/RUSTSEC-2025-0047.md
new/advisory-db-20250913/crates/slab/RUSTSEC-2025-0047.md
--- old/advisory-db-20250507/crates/slab/RUSTSEC-2025-0047.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/slab/RUSTSEC-2025-0047.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0047"
+package = "slab"
+aliases = ["CVE-2025-55159", "GHSA-qx2v-8332-m4fv"]
+date = "2025-08-12"
+url =
"https://github.com/tokio-rs/slab/security/advisories/GHSA-qx2v-8332-m4fv"
+references = ["https://github.com/tokio-rs/slab/pull/152"]
+keywords = ["memory-exposure", "bounds-check"]
+
+[versions]
+patched = [">= 0.4.11"]
+unaffected = ["< 0.4.10"]
+
+[affected.functions]
+"slab::Slab::get_disjoint_mut" = ["= 0.4.10"]
+```
+
+# Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
+
+## Impact
+The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices
were within the slab's capacity instead of its length, allowing access to
uninitialized memory. This could lead to undefined behavior or potential
crashes.
+
+## Patches
+This has been fixed in slab v0.4.11.
+
+## Workarounds
+Avoid using `get_disjoint_mut` with indices that might be beyond the slab's
actual length, or upgrade to v0.4.11 or later.
+
+## References
+*
[https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/slice-ring-buffer/RUSTSEC-2025-0044.md
new/advisory-db-20250913/crates/slice-ring-buffer/RUSTSEC-2025-0044.md
--- old/advisory-db-20250507/crates/slice-ring-buffer/RUSTSEC-2025-0044.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/slice-ring-buffer/RUSTSEC-2025-0044.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0044"
+package = "slice-ring-buffer"
+date = "2025-06-16"
+
+url = "https://github.com/LiquidityC/slice_ring_buffer/issues/12"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "double-free"]
+
+[affected.functions]
+"slice_ring_buffer::SliceRingBuffer::extend_from_slice" = ["<= 0.3.4"]
+"slice_ring_buffer::SliceRingBuffer::shrink_to_fit" = ["<= 0.3.4"]
+"slice_ring_buffer::SliceRingBuffer::insert" = ["<= 0.3.4"]
+"slice_ring_buffer::IntoIter::clone" = ["<= 0.3.4"]
+
+[versions]
+patched = []
+```
+
+# Four unique double-free vulnerabilities triggered via safe APIs
+
+The crate [`slice-ring-buffer`](https://crates.io/crates/slice-ring-buffer)
was developed as a fork of
[`slice-deque`](https://crates.io/crates/slice-deque) to continue maintenance
and provide security patches, since the latter has been officially unmaintained
([RUSTSEC-2020-0158](https://rustsec.org/advisories/RUSTSEC-2020-0158.html)).
+
+While `slice-ring-buffer` has addressed some previously reported memory safety
issues inherited from its fork origin
([RUSTSEC-2021-0047](https://rustsec.org/advisories/RUSTSEC-2021-0047.html)),
it still retains multiple unresolved memory corruption vulnerabilities.
+
+Specifically, we have discovered four new memory safety bugs, each resulting
in double-free violations that can occur when only safe APIs are invoked. These
vulnerabilities correspond to four distinct safe APIs in the crate, each
exposing unsound and vulnerable behavior due to incorrect usage of unsafe code
internally.
+
+Unfortunately, the maintainer doesn't have much availability to resolve these
issues so there's no concrete timeline for fixes. Community contributions
towards fixing these vulnerabilities would be much appreciated.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/static-alloc/RUSTSEC-2025-0042.md
new/advisory-db-20250913/crates/static-alloc/RUSTSEC-2025-0042.md
--- old/advisory-db-20250507/crates/static-alloc/RUSTSEC-2025-0042.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/static-alloc/RUSTSEC-2025-0042.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,38 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0042"
+package = "static-alloc"
+date = "2025-07-11"
+url = "https://github.com/197g/static-alloc/issues/81"
+informational = "unsound"
+categories = ["memory-exposure", "memory-corruption"]
+keywords = ["initialization"]
+
+[versions]
+patched = [">= 0.2.6"]
+unaffected = ["<= 0.2.1"]
+
+[affected]
+
+[affected.functions]
+"static_alloc::unsync::MemBump::new" = [">= 0.2.2"]
+```
+
+# Uninitialized read after allocating MemBump
+
+The affected function, `MemBump::new()`, would allocate memory without
+initializing it. Subsequently calling the created value's various `alloc`
+methods would then read and write the start of that memory as a `Cell` which is
+undefined behavior. Instead, it should zero initialize the start of the
+allocated memory.
+
+For instance, some values could violate the internal invariants of the type and
+cause an assertion failure. Nevertheless, no deterministic read is known to
+cause further uninitialized memory to be exposed.
+
+Affected downstream users that can not upgrade are advised to call
+`MemBump::reset` immediately after allocation to manually perform the missing
+write of the counter best-as-possible.
+
+The flaw was corrected in commit d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by
+zeroing the Cell at the start of the allocated memory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/static_cell/RUSTSEC-2025-0045.md
new/advisory-db-20250913/crates/static_cell/RUSTSEC-2025-0045.md
--- old/advisory-db-20250507/crates/static_cell/RUSTSEC-2025-0045.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/static_cell/RUSTSEC-2025-0045.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0045"
+package = "static_cell"
+date = "2025-07-17"
+url = "https://github.com/embassy-rs/static-cell/issues/19"
+informational = "unsound"
+categories = ["memory-exposure", "memory-corruption"]
+keywords = ["send", "thread-safety"]
+
+[versions]
+patched = [">= 2.1.1"]
+unaffected = ["<= 2.0.0"]
+
+[affected]
+
+[affected.functions]
+"static_cell::ConstStaticCell::new" = ["= 2.1.0"]
+```
+
+# ConstStaticCell could have been used to pass non-Send values to another
thread
+
+`ConstStaticCell<T>` could have been used to pass non-`Send` values to another
thread, because `T` was not required to be `Send` while `ConstStaticCell` is
`Send`.
+
+This was corrected by introducing a `T: Send` bound.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/surf/RUSTSEC-2025-0036.md
new/advisory-db-20250913/crates/surf/RUSTSEC-2025-0036.md
--- old/advisory-db-20250507/crates/surf/RUSTSEC-2025-0036.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/surf/RUSTSEC-2025-0036.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0036"
+package = "surf"
+date = "2025-05-17"
+references = ["https://github.com/http-rs/surf/issues/352"]
+informational = "unmaintained"
+categories = []
+
+[versions]
+patched = []
+```
+
+# surf is unmaintained
+
+The developer has indicated that the crate is unmaintained.
+
+The last release is over three years old (from 2021), the crate depends on the
+deprecated `async-std` crate and on a very old version of `rustls` for TLS
+support.
+
+## Possible alternatives
+
+- [reqwest](https://crates.io/crates/reqwest)
+- [ureq](https://crates.io/crates/ureq)
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/tonic/RUSTSEC-2024-0376.md
new/advisory-db-20250913/crates/tonic/RUSTSEC-2024-0376.md
--- old/advisory-db-20250507/crates/tonic/RUSTSEC-2024-0376.md 2025-05-06
23:08:48.000000000 +0200
+++ new/advisory-db-20250913/crates/tonic/RUSTSEC-2024-0376.md 2025-09-12
09:28:19.000000000 +0200
@@ -10,7 +10,7 @@
[versions]
patched = [">= 0.12.3"]
-unaffected = ["<= 0.11.0"]
+unaffected = ["< 0.12.2"]
```
# Remotely exploitable Denial of Service in Tonic
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/toodee/RUSTSEC-2025-0062.md
new/advisory-db-20250913/crates/toodee/RUSTSEC-2025-0062.md
--- old/advisory-db-20250507/crates/toodee/RUSTSEC-2025-0062.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/toodee/RUSTSEC-2025-0062.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0062"
+package = "toodee"
+date = "2025-05-22"
+
+url = "https://github.com/antonmarsden/toodee/issues/26"
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory-safety", "buffer-overflow"]
+
+[versions]
+patched = [">= 0.6.0"]
+unaffected = ["< 0.2.0"]
+
+[affected.functions]
+"toodee::DrainCol::drop" = [">= 0.2.0, <= 0.5.0"]
+```
+
+# Heap Buffer Overflow in the DrainCol Destructor
+
+An off-by-one error in the `DrainCol::drop` destructor could cause an unsafe
memory copy
+operation to exceed the bounds of the associated vector.
+
+The error was related to the size of the data being copied in one of the
`ptr::copy`
+invocations inside the destructor.
+
+When removing the first column from a TooDee object, the DrainCol return
object could cause
+a heap buffer overflow vulnerability when it is dropped.
+
+The issue was fixed in commit `e6e16d5` by reducing the copied size by one.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/tracing-subscriber/RUSTSEC-2025-0055.md
new/advisory-db-20250913/crates/tracing-subscriber/RUSTSEC-2025-0055.md
--- old/advisory-db-20250507/crates/tracing-subscriber/RUSTSEC-2025-0055.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/tracing-subscriber/RUSTSEC-2025-0055.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0055"
+package = "tracing-subscriber"
+date = "2025-08-29"
+url = "https://github.com/advisories/GHSA-xwfj-jgwm-7wp5"
+categories = ["format-injection"]
+aliases = ["CVE-2025-58160", "GHSA-xwfj-jgwm-7wp5"]
+
+[versions]
+patched = [">=0.3.20"]
+```
+
+# Logging user input may result in poisoning logs with ANSI escape sequences
+
+Previous versions of tracing-subscriber were vulnerable to ANSI escape
sequence injection attacks. Untrusted user input containing ANSI escape
sequences could be injected into terminal output when logged, potentially
allowing attackers to:
+
+- Manipulate terminal title bars
+- Clear screens or modify terminal display
+- Potentially mislead users through terminal manipulation
+
+In isolation, impact is minimal, however security issues have been found in
terminal emulators that enabled an attacker to use ANSI escape sequences via
logs to exploit vulnerabilities in the terminal emulator.
+
+This was patched in [PR #3368](https://github.com/tokio-rs/tracing/pull/3368)
to escape ANSI control characters from user input.
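Review bot: `patched = [">=0.3.20"]` omits the space after the operator that every other advisory in this diff uses (`">= 0.3.1"`, `">= 1.6.0"`, and so on). The semver requirement presumably parses either way, but the inconsistency stands out when scanning the metadata; `patched = [">= 0.3.20"]` would match the house style. The advisory also gives no `unaffected` range, so every release below 0.3.20 is presumably treated as affected; that may well be intended, but it is worth a glance given that the advisory cites only the fixing PR and not an introducing version.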
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/tsify-next/RUSTSEC-2025-0048.md
new/advisory-db-20250913/crates/tsify-next/RUSTSEC-2025-0048.md
--- old/advisory-db-20250507/crates/tsify-next/RUSTSEC-2025-0048.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/tsify-next/RUSTSEC-2025-0048.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0048"
+package = "tsify-next"
+date = "2025-07-29"
+url = "https://github.com/siefkenj/tsify/pull/56"
+references = ["https://github.com/siefkenj/tsify/issues/57"]
+informational = "unmaintained"
+[versions]
+patched = []
+```
+
+# tsify-next is unmaintained, use tsify instead
+
+The `tsify-next` crate is not maintained any more; use
[`tsify`](https://crates.io/crates/tsify) instead.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/users/RUSTSEC-2025-0040.md
new/advisory-db-20250913/crates/users/RUSTSEC-2025-0040.md
--- old/advisory-db-20250507/crates/users/RUSTSEC-2025-0040.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/users/RUSTSEC-2025-0040.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0040"
+package = "users"
+date = "2025-01-15"
+url = "https://github.com/ogham/rust-users/issues/44"
+categories = ["privilege-escalation"]
+
+[versions]
+patched = []
+unaffected = ["< 0.8.0"]
+```
+
+# `root` appended to group listings
+
+Affected versions append `root` to group listings, unless the correct listing
+has exactly 1024 groups.
+
+This affects both:
+
+- The supplementary groups of a user
+- The group access list of the current process
+
+If the caller uses this information for access control, this may lead to
+privilege escalation.
+
+This crate is not currently maintained, so a patched version is not available.
+
+Versions older than 0.8.0 do not contain the affected functions, so downgrading
+to them is a workaround.
+
+## Recommended alternatives
+- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of
the `users` crate)
+- [`sysinfo`](https://crates.io/crates/sysinfo)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/wasmtime/RUSTSEC-2025-0046.md
new/advisory-db-20250913/crates/wasmtime/RUSTSEC-2025-0046.md
--- old/advisory-db-20250507/crates/wasmtime/RUSTSEC-2025-0046.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/wasmtime/RUSTSEC-2025-0046.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0046"
+package = "wasmtime"
+date = "2025-07-18"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc"
+categories = []
+keywords = []
+aliases = ["CVE-2025-53901", "GHSA-fm79-3f68-h2fc"]
+license = "CC0-1.0"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+
+[versions]
+patched = [">= 34.0.2", ">= 33.0.2, < 34.0.0", ">= 24.0.4, < 25.0.0"]
+unaffected = ["< 10.0.0"]
+```
+
+# Host panic with `fd_renumber` WASIp1 function
+
+This is an entry in the RustSec database for the Wasmtime security advisory
+located at
+https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc.
+For more information see the GitHub-hosted security advisory.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/wasmtime-jit-debug/RUSTSEC-2024-0442.md
new/advisory-db-20250913/crates/wasmtime-jit-debug/RUSTSEC-2024-0442.md
--- old/advisory-db-20250507/crates/wasmtime-jit-debug/RUSTSEC-2024-0442.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/wasmtime-jit-debug/RUSTSEC-2024-0442.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0442"
+package = "wasmtime-jit-debug"
+date = "2024-07-06"
+url = "https://github.com/bytecodealliance/wasmtime/issues/8905"
+informational = "unsound"
+categories = ["memory-exposure"]
+
+[affected]
+functions = {
"wasmtime_jit_debug::perf_jitdump::JitDumpFile::dump_code_load_record" = ["<=
24.0.0"] }
+
+[versions]
+patched = [">= 24.0.0"]
+```
+
+# Dump Undefined Memory by `JitDumpFile`
+
+The unsound function `dump_code_load_record` uses `from_raw_parts` to directly
convert
+the pointer `addr` and `len` into a slice without any validation and that
memory block
+would be dumped.
+
+Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it
requires
+the caller to guarantee that the addr is valid and len must not overflow.
+Otherwise, the function could dump the memory into file illegally, causing
memory leak.
+
+> **Note**: this is an internal-only crate in the Wasmtime project not
intended for
+external use and is more strongly signaled nowadays as of
+[bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963).
+Please open an issue in Wasmtime if you're using this crate directly.
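Review bot: The version ranges in this advisory overlap: the `[affected]` table lists `dump_code_load_record` as affected for `"<= 24.0.0"`, while `[versions]` declares `patched = [">= 24.0.0"]`, so 24.0.0 is marked both affected and patched. One of the bounds presumably needs to be exclusive, e.g. `"< 24.0.0"` on the affected range if 24.0.0 is the release that fixed it. The `functions = { ... }` inline table is also shown here split across three lines, which TOML 1.0 does not accept; that is most likely just mail wrapping of the diff, but it is worth confirming the file keeps it on one line. Separately, the body's phrase "causing memory leak" describes what the metadata categorises as memory exposure (dumping arbitrary memory to a file), and the wording could say so.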
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/webp/RUSTSEC-2024-0443.md
new/advisory-db-20250913/crates/webp/RUSTSEC-2024-0443.md
--- old/advisory-db-20250507/crates/webp/RUSTSEC-2024-0443.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/webp/RUSTSEC-2024-0443.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0443"
+package = "webp"
+date = "2024-09-06"
+url = "https://github.com/jaredforth/webp/issues/40"
+categories = ["memory-exposure"]
+informational = "unsound"
+
+[versions]
+patched = [">= 0.3.1"]
+```
+
+# webp crate may expose memory contents when encoding an image
+
+Affected versions of this crate did not check that the input slice passed to
`"webp::Encoder::encode()` is large enough for the specified image dimensions.
+
+If the input slice is too short, the library will read out of bounds of the
buffer and encode other memory contents as an image, resulting in memory
exposure or a segmentation fault.
+
+The flaw was corrected in [pull request
#44](https://github.com/jaredforth/webp/pull/44) by always validating the input
buffer size when constructing the encoder.
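Review bot: The first body paragraph has a stray double quote inside the backticks, `"webp::Encoder::encode()`, which renders as part of the function path. The path should read `webp::Encoder::encode()` with the quote removed, and the rest of the sentence is fine as written.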
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20250507/crates/wren_rust/RUSTSEC-2025-0064.md
new/advisory-db-20250913/crates/wren_rust/RUSTSEC-2025-0064.md
--- old/advisory-db-20250507/crates/wren_rust/RUSTSEC-2025-0064.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/wren_rust/RUSTSEC-2025-0064.md
2025-09-12 09:28:19.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0064"
+package = "wren_rust"
+date = "2025-05-06"
+informational = "unsound"
+url = "https://docs.rs/wren_rust"
+categories = ["memory-corruption"]
+
+[affected.functions]
+"wren_rust::macros::_default_realloc" = ["<= 0.1.3"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# soundness issue and unmaintained
+`wren_rust::macros::_default_realloc()` lacks sufficient checks to it pointer
parameter which passed into `free` and `realloc`
+
+`wren_rust` is unmaintained.
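Review bot: The sentence under the heading reads `lacks sufficient checks to it pointer parameter which passed into`, which has two grammatical slips; suggested wording: `lacks sufficient checks on its pointer parameter, which is passed to free and realloc`. The heading is also immediately followed by the paragraph with no blank line, unlike every other advisory in this diff, which may affect Markdown rendering. Note too that the title and last line state the crate is unmaintained while the metadata records only `informational = "unsound"`; since `informational` carries a single value, tooling that filters on unmaintained status will presumably not surface this advisory, and the prose could make clear that the unsoundness is the basis of the entry.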
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20250507/crates/xcb/RUSTSEC-2025-0051.md
new/advisory-db-20250913/crates/xcb/RUSTSEC-2025-0051.md
--- old/advisory-db-20250507/crates/xcb/RUSTSEC-2025-0051.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20250913/crates/xcb/RUSTSEC-2025-0051.md 2025-09-12
09:28:19.000000000 +0200
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0051"
+package = "xcb"
+date = "2025-08-05"
+url = "https://github.com/rust-x-bindings/rust-xcb/issues/282"
+references = [
+ "https://github.com/rust-x-bindings/rust-xcb/issues/167",
+ "https://github.com/rust-x-bindings/rust-xcb/pull/283"
+]
+informational = "unsound"
+
+[versions]
+patched = [">= 1.6.0"]
+
+[affected.functions]
+"xcb::Connection::connect_to_fd" = [">= 1.0.0-beta.0"]
+"xcb::Connection::connect_to_fd_with_extensions" = [">= 1.0.0-beta.0"]
+```
+
+# `xcb::Connection::connect_to_fd*` functions violate I/O safety
+
+The API of `xcb::Connection` has constructors which allow an arbitrary `RawFd`
+to be used as a socket connection. On either failure of these constructors or
+on the drop of `Connection`, it closes the associated file descriptor. Thus, a
+program which uses an `OwnedFd` (such as a `UnixStream`) as the file descriptor
+can close the file descriptor and continue to attempt using it or close an
+already-closed file descriptor, violating I/O safety.
+
+Starting in version 1.6.0, `xcb` provides `Connection::connect_with_fd` and
+`Connection::connect_with_fd_and_extensions` as safe alternatives and
+deprecates the problematic functions.