Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2021-11-12 15:59:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Fri Nov 12 15:59:22 2021 rev:15 rq:930998 version:20211112

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-11-03 17:26:54.501358305 +0100
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1890/cargo-audit-advisory-db.changes
        2021-11-12 16:00:09.614589797 +0100
@@ -1,0 +2,15 @@
+Fri Nov 12 00:17:17 UTC 2021 - wbr...@suse.de
+
+- Update to version 20211112:
+  * Assigned RUSTSEC-2021-0122 to flatbuffers (#1100)
+  * Add `flatbuffers` advisory for flatbuffers#6627 (#1093)
+  * add cve info to advisories (#1099)
+  * Bump `rustsec-admin` to v0.5.3 (#1091)
+  * Add cvss information from nvd (#1085)
+  * Add missing method to time vulnerability (#1086)
+  * Add CVE alias for RUSTSEC-2021-0069 (#1087)
+  * Assigned RUSTSEC-2021-0121 to crypto2 (#1084)
+  * Unsound implementation of Chacha20 in crypto2 (#1072)
+  * Assigned RUSTSEC-2020-0159 to chrono (#1083)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20211103.tar.xz

New:
----
  advisory-db-20211112.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.BHCaHC/_old  2021-11-12 16:00:10.070590008 +0100
+++ /var/tmp/diff_new_pack.BHCaHC/_new  2021-11-12 16:00:10.070590008 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20211103
+Version:        20211112
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.BHCaHC/_old  2021-11-12 16:00:10.102590022 +0100
+++ /var/tmp/diff_new_pack.BHCaHC/_new  2021-11-12 16:00:10.106590024 +0100
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20211103</param>
+    <param name="version">20211112</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">wbr...@suse.de</param>

++++++ advisory-db-20211103.tar.xz -> advisory-db-20211112.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211103/.duplicate-id-guard 
new/advisory-db-20211112/.duplicate-id-guard
--- old/advisory-db-20211103/.duplicate-id-guard        2021-10-22 
16:28:51.000000000 +0200
+++ new/advisory-db-20211112/.duplicate-id-guard        2021-11-07 
18:53:20.000000000 +0100
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-95115d8c9869b0a0e3e4bdf781cf094e564ece260a8f34a89b73c762c1eb72cd  -
+9042bc5cd75d598f6aabe16f7a520b6886ac5abe65319eaee6cb8650f0e3085a  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/algorithmica/RUSTSEC-2021-0053.md 
new/advisory-db-20211112/crates/algorithmica/RUSTSEC-2021-0053.md
--- old/advisory-db-20211103/crates/algorithmica/RUSTSEC-2021-0053.md   
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/algorithmica/RUSTSEC-2021-0053.md   
2021-11-07 18:53:20.000000000 +0100
@@ -5,6 +5,7 @@
 date = "2021-03-07"
 url = "https://github.com/AbrarNitk/algorithmica/issues/1";
 categories = ["memory-corruption"]
+aliases = ["CVE-2021-31996"]
 
 [versions]
 patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/ammonia/RUSTSEC-2021-0074.md 
new/advisory-db-20211112/crates/ammonia/RUSTSEC-2021-0074.md
--- old/advisory-db-20211103/crates/ammonia/RUSTSEC-2021-0074.md        
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/ammonia/RUSTSEC-2021-0074.md        
2021-11-07 18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = "https://github.com/rust-ammonia/ammonia/pull/142";
 categories = ["format-injection"]
 keywords = ["html", "xss"]
+aliases = ["CVE-2021-38193"]
 
 [versions]
 patched = [">= 3.1.0", ">= 2.1.3, < 3.0.0"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/anymap/RUSTSEC-2021-0065.md 
new/advisory-db-20211112/crates/anymap/RUSTSEC-2021-0065.md
--- old/advisory-db-20211103/crates/anymap/RUSTSEC-2021-0065.md 2021-10-22 
16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/anymap/RUSTSEC-2021-0065.md 2021-11-07 
18:53:20.000000000 +0100
@@ -5,6 +5,8 @@
 date = "2021-05-07"
 informational = "unmaintained"
 url = "https://github.com/chris-morgan/anymap/issues/37";
+aliases = ["CVE-2021-38187"]
+
 [versions]
 patched = []
 unaffected = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/ark-r1cs-std/RUSTSEC-2021-0075.md 
new/advisory-db-20211112/crates/ark-r1cs-std/RUSTSEC-2021-0075.md
--- old/advisory-db-20211103/crates/ark-r1cs-std/RUSTSEC-2021-0075.md   
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/ark-r1cs-std/RUSTSEC-2021-0075.md   
2021-11-07 18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 categories = ["crypto-failure"]
 keywords = ["r1cs", "zksnark", "arkworks"]
 url = "https://github.com/arkworks-rs/r1cs-std/pull/70";
+aliases = ["CVE-2021-38194"]
 
 [versions]
 patched = [">= 0.3.1"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/better-macro/RUSTSEC-2021-0077.md 
new/advisory-db-20211112/crates/better-macro/RUSTSEC-2021-0077.md
--- old/advisory-db-20211103/crates/better-macro/RUSTSEC-2021-0077.md   
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/better-macro/RUSTSEC-2021-0077.md   
2021-11-07 18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = 
"https://github.com/raycar5/better-macro/blob/24ff1702397b9c19bbfa4c660e2316cd77d3b900/src/lib.rs#L36-L38";
 categories = ["code-execution"]
 keywords = ["rce", "proc-macro"]
+aliases = ["CVE-2021-38196"]
 
 [affected]
 functions = { "better_macro::println" = ["> 1.0.0"] }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/comrak/RUSTSEC-2021-0063.md 
new/advisory-db-20211112/crates/comrak/RUSTSEC-2021-0063.md
--- old/advisory-db-20211103/crates/comrak/RUSTSEC-2021-0063.md 2021-10-22 
16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/comrak/RUSTSEC-2021-0063.md 2021-11-07 
18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = "https://github.com/kivikakk/comrak/releases/tag/0.10.1";
 categories = ["format-injection"]
 keywords = ["xss"]
+aliases = ["CVE-2021-38186"]
 
 [versions]
 patched = [">= 0.10.1"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/flatbuffers/RUSTSEC-2021-0122.md 
new/advisory-db-20211112/crates/flatbuffers/RUSTSEC-2021-0122.md
--- old/advisory-db-20211103/crates/flatbuffers/RUSTSEC-2021-0122.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20211112/crates/flatbuffers/RUSTSEC-2021-0122.md    
2021-11-07 18:53:20.000000000 +0100
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0122"
+package = "flatbuffers"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+date = "2021-10-31"
+url = "https://github.com/google/flatbuffers/issues/6627";
+
+[versions]
+patched = []
+```
+
+# Generated code can read and write out of bounds in safe code
+
+Code generated by flatbuffers' compiler is `unsafe` but not marked as such.
+See https://github.com/google/flatbuffers/issues/6627 for details.
+
+All users that use generated code by `flatbuffers` compiler are recommended to:
+1. not expose flatbuffer generated code as part of their public APIs
+2. audit their code and look for any usage of `follow`, `push`, or any method 
that uses them
+   (e.g. `self_follow`).
+3. Carefuly go through the crates' documentation to understand which "safe" 
APIs are not
+   intended to be used.
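Review bot: The new `[advisory]` table carries a `cvss` vector but no `categories` or `keywords`, so tooling that triages or filters by category will not classify this out-of-bounds read/write. Other advisories in this update set both, and `categories = ["memory-corruption", "memory-exposure"]` with `keywords = ["memory-safety"]` would match the title. With `patched = []` and no `unaffected` or `[affected]` entry, every release of the crate is reported. That looks intended, since no fix is referenced, but the text should say that upgrading does not clear the finding. In the recommendations, `Carefuly` should read `Carefully`.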
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/iced-x86/RUSTSEC-2021-0068.md 
new/advisory-db-20211112/crates/iced-x86/RUSTSEC-2021-0068.md
--- old/advisory-db-20211103/crates/iced-x86/RUSTSEC-2021-0068.md       
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/iced-x86/RUSTSEC-2021-0068.md       
2021-11-07 18:53:20.000000000 +0100
@@ -5,6 +5,7 @@
 date = "2021-05-19"
 url = "https://github.com/icedland/iced/issues/168";
 keywords = ["soundness"]
+aliases = ["CVE-2021-38188"]
 
 [affected]
 functions = { "iced_x86::Decoder::new" = ["<= 1.10.3"] }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/libsecp256k1/RUSTSEC-2021-0076.md 
new/advisory-db-20211112/crates/libsecp256k1/RUSTSEC-2021-0076.md
--- old/advisory-db-20211103/crates/libsecp256k1/RUSTSEC-2021-0076.md   
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/libsecp256k1/RUSTSEC-2021-0076.md   
2021-11-07 18:53:20.000000000 +0100
@@ -5,6 +5,8 @@
 date = "2021-07-13"
 url = "https://github.com/paritytech/libsecp256k1/pull/67";
 categories = ["crypto-failure"]
+aliases        = ["CVE-2021-38195"]
+
 [versions]
 patched = [">= 0.5.0"]
 ```
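Review bot: The added key is written `aliases        = ["CVE-2021-38195"]` with a run of padding before `=`, while the other keys in this hunk and the sibling advisories in this update use a single space. Writing it as `aliases = ["CVE-2021-38195"]` keeps the front matter uniform and easy to grep for alias lookups. The padding is still valid TOML, so parsing is not affected. The `[advisory]` table starts above the hunk.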
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/nalgebra/RUSTSEC-2021-0070.md 
new/advisory-db-20211112/crates/nalgebra/RUSTSEC-2021-0070.md
--- old/advisory-db-20211103/crates/nalgebra/RUSTSEC-2021-0070.md       
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/nalgebra/RUSTSEC-2021-0070.md       
2021-11-07 18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = "https://github.com/dimforge/nalgebra/issues/883";
 categories = ["memory-corruption", "memory-exposure"]
 keywords = ["memory-safety"]
+aliases = ["CVE-2021-38190"]
 
 [versions]
 patched = [">= 0.27.1"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/prost-types/RUSTSEC-2021-0073.md 
new/advisory-db-20211112/crates/prost-types/RUSTSEC-2021-0073.md
--- old/advisory-db-20211103/crates/prost-types/RUSTSEC-2021-0073.md    
2021-10-22 16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/prost-types/RUSTSEC-2021-0073.md    
2021-11-07 18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = "https://github.com/tokio-rs/prost/issues/438";
 categories = ["denial-of-service"]
 keywords = ["denial-of-service"]
+aliases = ["CVE-2021-38192"]
 
 [versions]
 patched = [">= 0.8.0"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211103/crates/tokio/RUSTSEC-2021-0072.md 
new/advisory-db-20211112/crates/tokio/RUSTSEC-2021-0072.md
--- old/advisory-db-20211103/crates/tokio/RUSTSEC-2021-0072.md  2021-10-22 
16:28:51.000000000 +0200
+++ new/advisory-db-20211112/crates/tokio/RUSTSEC-2021-0072.md  2021-11-07 
18:53:20.000000000 +0100
@@ -6,6 +6,7 @@
 url = "https://github.com/tokio-rs/tokio/issues/3929";
 categories = ["memory-corruption"]
 keywords = ["race condition", "send"]
+aliases = ["CVE-2021-38191"]
 
 [affected]
 functions = { "tokio::task::JoinHandle::abort" = ["<= 1.8.0, >= 0.3.0"] }
