Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2023-02-23 16:29:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old) and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1706 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Thu Feb 23 16:29:21 2023 rev:29 rq:1067276 version:20230223 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2023-01-18 13:12:26.241242178 +0100 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1706/cargo-audit-advisory-db.changes 2023-02-23 16:53:28.181157874 +0100 @@ -1,0 +2,15 @@ +Thu Feb 23 00:12:48 UTC 2023 - william.br...@suse.com + +- Update to version 20230223: + * Assigned RUSTSEC-2022-0090 to libsqlite3-sys (#1607) + * Add sqlite advisory (#1599) + * Assigned RUSTSEC-2023-0014 to cortex-m-rt (#1606) + * Add soundness advisory for cortex-m-rt (#1601) + * Update RUSTSEC-2020-0097.md (#1600) + * Better docs (#1598) + * Assigned RUSTSEC-2020-0167 to pnet_packet (#1596) + * Fix some typos (#1593) + * Add advisory for pnet_packet (#1595) + * Update RUSTSEC-2020-0071.md (#1594) + +------------------------------------------------------------------- Old: ---- advisory-db-20230117.tar.xz New: ---- advisory-db-20230223.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.3nKmVQ/_old 2023-02-23 16:53:28.649160588 +0100 +++ /var/tmp/diff_new_pack.3nKmVQ/_new 2023-02-23 16:53:28.653160611 +0100 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20230117 +Version: 20230223 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.3nKmVQ/_old 2023-02-23 16:53:28.697160866 +0100 +++ /var/tmp/diff_new_pack.3nKmVQ/_new 2023-02-23 16:53:28.705160913 +0100 
@@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20230117</param> + <param name="version">20230223</param> <param name="revision">main</param> <param name="changesgenerate">enable</param> <param name="changesauthor">william.br...@suse.com</param> ++++++ advisory-db-20230117.tar.xz -> advisory-db-20230223.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/.duplicate-id-guard new/advisory-db-20230223/.duplicate-id-guard --- old/advisory-db-20230117/.duplicate-id-guard 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/.duplicate-id-guard 2023-02-14 13:38:31.000000000 +0100 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -47ac6576d0eaab6436fdc15b1625f5018bac1fdd0cc2add55d0c7b4f9e922ff1 - +1d62e76ee351b7c3b8588635db0fe94bdf0aee8ff48199cb635aaf3468945844 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/EXAMPLE_ADVISORY.md new/advisory-db-20230223/EXAMPLE_ADVISORY.md --- old/advisory-db-20230117/EXAMPLE_ADVISORY.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/EXAMPLE_ADVISORY.md 2023-02-14 13:38:31.000000000 +0100 
@@ -4,19 +4,21 @@ package = "crate-name" date = "2020-01-31" url = "https://example.com" +# Valid categories: "code-execution", "crypto-failure", "denial-of-service", "file-disclosure" +# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation" categories = ["code-execution", "privilege-escalation"] keywords = ["example", "freeform", "keywords"] #aliases = ["CVE-YYYY-NNNN"] #cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" [versions] -patched = [">= 1.2.3"] -unaffected = ["0.1.2"] +patched = [">= 1.2.3, < 1.3.0", ">= 1.3.4"] +unaffected = ["<= 0.1.2"] [affected] #arch = ["x86"] #os = ["windows"] -functions = { "crate_name::MyStruct::vulnerable_fn" = ["< 1.2.3"] } +#functions = { "crate_name::MyStruct::vulnerable_fn" = [">= 1.3.0, < 1.3.4"] } ``` # RustSec Advisory Template - Advisory Title Goes Here diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/HOWTO_UNMAINTAINED.md new/advisory-db-20230223/HOWTO_UNMAINTAINED.md --- old/advisory-db-20230117/HOWTO_UNMAINTAINED.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/HOWTO_UNMAINTAINED.md 2023-02-14 13:38:31.000000000 +0100 
@@ -47,7 +47,7 @@ - Stale repository: no recent maintenance activity, including any of the following: recent commits, responses from the author on open issues, - crate releases, or other publically visible activity by the author. + crate releases, or other publicly visible activity by the author. Inactivity over a period of 1 year or more is the preferred threshold. - Contact attempts with the author made with no response. Ideally these attempts are made via a public GitHub issue, so that issue can be diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/README.md new/advisory-db-20230223/README.md --- old/advisory-db-20230117/README.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/README.md 2023-02-14 13:38:31.000000000 +0100 @@ -85,7 +85,6 @@ keywords = ["ssl", "mitm"] # Vulnerability aliases, e.g. CVE IDs (optional but recommended) -# Request a CVE for your RustSec vulns: https://iwantacve.org/ #aliases = ["CVE-2018-XXXX"] # Related vulnerabilities (optional) @@ -116,6 +115,8 @@ functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] } # Versions which include fixes for this vulnerability (mandatory) +# All selectors supported by Cargo are supported here: +# https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html # use patched = [] e.g. in case of unmaintained where there is no fix [versions] patched = [">= 1.2.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/aliyun-oss-client/RUSTSEC-2022-0089.md new/advisory-db-20230223/crates/aliyun-oss-client/RUSTSEC-2022-0089.md --- old/advisory-db-20230117/crates/aliyun-oss-client/RUSTSEC-2022-0089.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/aliyun-oss-client/RUSTSEC-2022-0089.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0089"
+package = "aliyun-oss-client"
+date = "2022-11-19"
+url = "https://github.com/advisories/GHSA-3w3h-7xgx-grwc"
+categories = ["crypto-failure"]
+aliases = ["CVE-2022-39397", "GHSA-3w3h-7xgx-grwc"]
+cvss = "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"
+
+[versions]
+patched = [">= 0.8.1"]
+```
+
+# `aliyun-oss-client` secret exposure
+
+The `aliyun-oss-client` unintentionally divulges the authentication secret.
+
+This bug was fixed in [this](https://github.com/tu6ge/oss-rs/commit/e4553f7d74fce682d802f8fb073943387796df29) commit by limiting the concerned traits to be `pub` only within the crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/ammonia/RUSTSEC-2021-0074.md new/advisory-db-20230223/crates/ammonia/RUSTSEC-2021-0074.md
--- old/advisory-db-20230117/crates/ammonia/RUSTSEC-2021-0074.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/ammonia/RUSTSEC-2021-0074.md 2023-02-14 13:38:31.000000000 +0100
@@ -19,7 +19,7 @@ are not allowed, the underlying HTML parser still treats them differently. Running cleanup without accounting for these differing namespaces resulted in an "impossible" DOM, which appeared "safe" when examining the DOM tree, but when serialized and deserialized, -could be exploited to inject abitrary markup. +could be exploited to inject arbitrary markup. To exploit this, the application using this library must allow a tag that is parsed as raw text in HTML. These [elements] are: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/ansi_term/RUSTSEC-2021-0139.md new/advisory-db-20230223/crates/ansi_term/RUSTSEC-2021-0139.md --- old/advisory-db-20230117/crates/ansi_term/RUSTSEC-2021-0139.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/ansi_term/RUSTSEC-2021-0139.md 2023-02-14 13:38:31.000000000 +0100 @@ -11,7 +11,7 @@ ``` # ansi_term is Unmaintained -The maintainer has adviced that this crate is deprecated and will not receive any maintenance. +The maintainer has advised that this crate is deprecated and will not receive any maintenance. The crate does not seem to have much dependencies and may or may not be ok to use as-is. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/arrow/RUSTSEC-2021-0117.md new/advisory-db-20230223/crates/arrow/RUSTSEC-2021-0117.md --- old/advisory-db-20230117/crates/arrow/RUSTSEC-2021-0117.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/arrow/RUSTSEC-2021-0117.md 2023-02-14 13:38:31.000000000 +0100 
@@ -15,4 +15,4 @@ `DecimalArray` performs insufficient bounds checks, which allows out-of-bounds reads in safe code -if the lenght of the backing buffer is not a multiple of 16. +if the length of the backing buffer is not a multiple of 16. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/badge/RUSTSEC-2022-0057.md new/advisory-db-20230223/crates/badge/RUSTSEC-2022-0057.md --- old/advisory-db-20230117/crates/badge/RUSTSEC-2022-0057.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/badge/RUSTSEC-2022-0057.md 2023-02-14 13:38:31.000000000 +0100 @@ -11,7 +11,7 @@ ``` # badge is Unmaintained -The maintainer has adviced this crate is deprecated and will not receive any maintenance. +The maintainer has advised this crate is deprecated and will not receive any maintenance. The crate depends on the deprecated `rusttype` crate and won't receive updates anymore. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/bzip2/RUSTSEC-2023-0004.md new/advisory-db-20230223/crates/bzip2/RUSTSEC-2023-0004.md --- old/advisory-db-20230117/crates/bzip2/RUSTSEC-2023-0004.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/bzip2/RUSTSEC-2023-0004.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0004"
+package = "bzip2"
+aliases = ["CVE-2023-22895", "GHSA-96jv-r488-c2rj"]
+date = "2023-01-09"
+url = "https://github.com/alexcrichton/bzip2-rs/pull/86"
+categories = ["denial-of-service"]
+
+[versions]
+patched = [">= 0.4.4"]
+
+```
+
+# bzip2 Denial of Service (DoS)
+
+Working with specific payloads can cause a Denial of Service (DoS) vector.
+
+Both `Decompress` and `Compress` implementations can enter into infinite loops
+given specific payloads entered that trigger it.
+
+The issue is described in great detail in the [bzip2 repository issue](https://github.com/alexcrichton/bzip2-rs/pull/86).
+
+Thanks to bjrjk for finding and providing the patch for the issue and the
+maintainer responsibly responding to release a fix quickly.
+
+Users who use the crate with untrusted data should update the `bzip2` to 0.4.4.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/claim/RUSTSEC-2022-0077.md new/advisory-db-20230223/crates/claim/RUSTSEC-2022-0077.md
--- old/advisory-db-20230117/crates/claim/RUSTSEC-2022-0077.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/claim/RUSTSEC-2022-0077.md 2023-02-14 13:38:31.000000000 +0100
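Review bot: The TOML front matter of this advisory ends with an empty line before the closing fence (`+patched = [">= 0.4.4"]`, `+`, `+```` in sequence), which none of the other advisories added in this update do; dropping that blank line keeps the metadata block consistent with the template. The link text `[bzip2 repository issue]` points at `pull/86`, the same URL as the `url` field, so wording it as a pull request would match its target.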
@@ -16,7 +16,7 @@ The maintainer has been unresponsive regarding this crate for over a year. -A pending issue with `claim`'s dependencies has made the crate [difficul to use](https://github.com/svartalf/rust-claim/issues/9) +A pending issue with `claim`'s dependencies has made the crate [difficult to use](https://github.com/svartalf/rust-claim/issues/9). ## Possible Alternative(s) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/cortex-m-rt/RUSTSEC-2023-0014.md new/advisory-db-20230223/crates/cortex-m-rt/RUSTSEC-2023-0014.md --- old/advisory-db-20230117/crates/cortex-m-rt/RUSTSEC-2023-0014.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/cortex-m-rt/RUSTSEC-2023-0014.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0014"
+package = "cortex-m-rt"
+date = "2023-02-13"
+informational = "unsound"
+url = "https://github.com/rust-embedded/cortex-m/discussions/469"
+
+[versions]
+patched = [">= 0.7.3"]
+unaffected = ["<= 0.7.0"]
+```
+
+# Miscompilation in cortex-m-rt 0.7.1 and 0.7.2
+
+Version 0.7.1 of the `cortex-m-rt` crate introduced a regression causing the stack to NOT be eight-byte aligned prior to calling `main` (or any other specified entrypoint), violating the [stack ABI of AAPCS32], the default ABI used by all Cortex-M targets. This regression is also present in version 0.7.2 of the `cortex-m-rt` crate.
+
+This regression can cause certain compiler optimizations (which assume the eight-byte alignment) to produce incorrect behavior at runtime. This incorrect behavior has been [observed in real-world applications].
+
+**It is advised that ALL users of `v0.7.1` and `v0.7.2` of the `cortex-m-rt` crate update to the latest version (`v0.7.3`), AS SOON AS POSSIBLE.** Users of `v0.7.0` and prior versions of `cortex-m-rt` are not affected by this regression.
+
+It will be necessary to rebuild all affected firmware binaries, and flash or deploy the new firmware binaries to affected devices.
+
+[stack ABI of AAPCS32]: https://github.com/ARM-software/abi-aa/blob/edd7460d87493fff124b8b5713acf71ffc06ee91/aapcs32/aapcs32.rst#6212stack-constraints-at-a-public-interface
+[observed in real-world applications]: https://github.com/peter9477/test2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/daemonize/RUSTSEC-2021-0147.md new/advisory-db-20230223/crates/daemonize/RUSTSEC-2021-0147.md
--- old/advisory-db-20230117/crates/daemonize/RUSTSEC-2021-0147.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/daemonize/RUSTSEC-2021-0147.md 2023-02-14 13:38:31.000000000 +0100
@@ -0,0 +1,26 @@ +```toml +[advisory] +id = "RUSTSEC-2021-0147" +package = "daemonize" +date = "2021-09-01" +url = "https://github.com/knsd/daemonize/issues/46" +informational = "unmaintained" + +[versions] +patched = [] +``` + +# `daemonize` is Unmaintained + +Last release was over four years ago. + +The crate contains undocumented unsafe behind safe fns. + +An [issue](https://github.com/knsd/daemonize/issues/46) inquiring as to possible updates has gone unanswered by the maintainer. + +## Possible Alternatives + +The below list has not been vetted in any way and may or may not contain alternatives: + +- [daemonize-me](https://crates.io/crates/daemonize-me) +- [tetsy-daemonize](https://crates.io/crates/tetsy-daemonize) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/elf_rs/RUSTSEC-2022-0079.md new/advisory-db-20230223/crates/elf_rs/RUSTSEC-2022-0079.md --- old/advisory-db-20230117/crates/elf_rs/RUSTSEC-2022-0079.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/elf_rs/RUSTSEC-2022-0079.md 2023-02-14 13:38:31.000000000 +0100 @@ -8,7 +8,7 @@ keywords = ["elf", "header"] [versions] -patched = [] +patched = [">= 0.3.0"] [affected] ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/evm/RUSTSEC-2022-0083.md new/advisory-db-20230223/crates/evm/RUSTSEC-2022-0083.md --- old/advisory-db-20230117/crates/evm/RUSTSEC-2022-0083.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/evm/RUSTSEC-2022-0083.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0083"
+package = "evm"
+date = "2022-10-25"
+url = "https://github.com/rust-blockchain/evm/pull/133"
+aliases = ["CVE-2022-39354", "GHSA-hhc4-47rh-cr34"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+categories = ["crypto-failure"]
+
+[versions]
+patched = [">= 0.36.0"]
+```
+
+# evm incorrect state transition
+
+SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine.
+
+A custom stateful precompile can use the `is_static` parameter to determine if
+the call is executed in a static context (via `STATICCALL`), and thus decide
+if stateful operations should be done.
+
+Prior to version 0.36.0, the passed `is_static` parameter was incorrect -- it
+was only set to `true` if the call came from a direct `STATICCALL` opcode.
+
+However, once a static call context is entered, it should stay static. The issue
+only impacts custom precompiles that actually uses `is_static`.
+
+For those affected, the issue can lead to possible incorrect state transitions.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/flatbuffers/RUSTSEC-2021-0122.md new/advisory-db-20230223/crates/flatbuffers/RUSTSEC-2021-0122.md
--- old/advisory-db-20230117/crates/flatbuffers/RUSTSEC-2021-0122.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/flatbuffers/RUSTSEC-2021-0122.md 2023-02-14 13:38:31.000000000 +0100
@@ -23,5 +23,5 @@ 1. not expose flatbuffer generated code as part of their public APIs 2. audit their code and look for any usage of `follow`, `push`, or any method that uses them (e.g. `self_follow`). -3. Carefuly go through the crates' documentation to understand which "safe" APIs are not +3. Carefully go through the crates' documentation to understand which "safe" APIs are not intended to be used. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/git2/RUSTSEC-2023-0002.md new/advisory-db-20230223/crates/git2/RUSTSEC-2023-0002.md --- old/advisory-db-20230117/crates/git2/RUSTSEC-2023-0002.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/git2/RUSTSEC-2023-0002.md 2023-02-14 13:38:31.000000000 +0100 @@ -41,7 +41,7 @@ If the information is not supposed to be public, this would constitute an information leak. Also, since the data doesn't arrive where intended, - it consitutes a denial of service. + it constitutes a denial of service. ## Technical details diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/json/RUSTSEC-2022-0081.md new/advisory-db-20230223/crates/json/RUSTSEC-2022-0081.md --- old/advisory-db-20230117/crates/json/RUSTSEC-2022-0081.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/json/RUSTSEC-2022-0081.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0081"
+package = "json"
+date = "2022-02-01"
+url = "https://github.com/maciejhirsz/json-rust/issues/205"
+references = ["https://github.com/maciejhirsz/json-rust/issues/196"]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# json is unmaintained
+
+Last release was almost 3 years ago.
+
+The maintainer is unresponsive with outstanding issues.
+
+One of the outstanding issues include [a possible soundness issue](https://github.com/maciejhirsz/json-rust/issues/196).
+
+## Possible Alternative(s)
+
+The below list has not been vetted in any way and may or may not contain alternatives;
+
+- [serde_json](https://crates.io/crates/serde_json)
+- [json-deserializer](https://crates.io/crates/json-deserializer)
+- [simd-json](https://crates.io/crates/simd-json)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/libgit2-sys/RUSTSEC-2023-0003.md new/advisory-db-20230223/crates/libgit2-sys/RUSTSEC-2023-0003.md
--- old/advisory-db-20230117/crates/libgit2-sys/RUSTSEC-2023-0003.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/libgit2-sys/RUSTSEC-2023-0003.md 2023-02-14 13:38:31.000000000 +0100
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0003"
+package = "libgit2-sys"
+date = "2023-01-20"
+url = "https://github.com/rust-lang/git2-rs/security/advisories/GHSA-m4ch-rfv5-x5g3"
+categories = ["crypto-failure"]
+keywords = ["ssh", "mitm", "git"]
+aliases = ["CVE-2023-22742", "GHSA-m4ch-rfv5-x5g3", "GHSA-8643-3wh5-rmjq"]
+
+[versions]
+patched = [">= 0.13.5, < 0.14.0", ">= 0.14.2"]
+```
+
+# git2 does not verify SSH keys by default
+
+The git2 and libgit2-sys crates are Rust wrappers around the
+[libgit2]() C library. It was discovered that libgit2 1.5.0
+and below did not verify SSH host keys when establishing an SSH connection,
+exposing users of the library to Man-In-the-Middle attacks.
+
+The libgit2 team assigned [CVE-2023-22742][libgit2-advisory] to this
+vulnerability. The following versions of the libgit2-sys Rust crate have been
+released:
+
+* libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1.
+* libgit2-sys 0.13.5, updating the underlying libgit2 C library to version 1.4.5.
+
+A new git2 crate version has also been released, 0.16.1. This version only
+bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions
+are used, but contains no code changes: if you update the libgit2-sys version
+there is no need to also update the git2 crate version.
+
+[You can learn more about this vulnerability in libgit2's advisory][libgit2-advisory]
+
+[libgit2]: https://libgit2.org/
+[libgit2-advisory]: https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/libp2p/RUSTSEC-2022-0084.md new/advisory-db-20230223/crates/libp2p/RUSTSEC-2022-0084.md
--- old/advisory-db-20230117/crates/libp2p/RUSTSEC-2022-0084.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/libp2p/RUSTSEC-2022-0084.md 2023-02-14 13:38:31.000000000 +0100
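Review bot: `[libgit2]()` on the line after "Rust wrappers around the" is an inline link with an empty destination, so the reference definition `[libgit2]: https://libgit2.org/` at the end of the file is never used and the rendered advisory links to nothing at that point. The collapsed reference form `[libgit2][] C library. It was discovered that libgit2 1.5.0` resolves against that definition, matching how `[libgit2-advisory]` is used two paragraphs later. If the empty parentheses are an artifact of how this listing was extracted rather than the committed text, disregard this.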
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0084"
+package = "libp2p"
+date = "2022-07-12"
+url = "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
+aliases = ["CVE-2022-23486", "GHSA-jvgw-gccv-q5p8"]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.45.1"]
+```
+# libp2p Lack of resource management DoS
+
+libp2p allows a potential attacker to cause victim p2p node to run out of memory
+
+The out of memory failure can cause crashes where libp2p is intended to be used
+within large scale networks leading to potential Denial of Service (DoS) vector
+
+Users should upgrade or reference the [DoS mitigation strategies](https://docs.libp2p.io/reference/dos-mitigation/).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/libsqlite3-sys/RUSTSEC-2022-0090.md new/advisory-db-20230223/crates/libsqlite3-sys/RUSTSEC-2022-0090.md
--- old/advisory-db-20230117/crates/libsqlite3-sys/RUSTSEC-2022-0090.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/libsqlite3-sys/RUSTSEC-2022-0090.md 2023-02-14 13:38:31.000000000 +0100
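Review bot: The closing toml fence is immediately followed by the title (`+```` then `+# libp2p Lack of resource management DoS`) with no blank line between them, unlike every other advisory in this update; an empty line after the fence keeps the front matter and the heading separated consistently. The two body sentences ending in `run out of memory` and `Denial of Service (DoS) vector` are also missing their terminating periods.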
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0090"
+package = "libsqlite3-sys"
+date = "2022-08-03"
+url = "https://nvd.nist.gov/vuln/detail/CVE-2022-35737"
+categories = ["denial-of-service", "code-execution"]
+aliases = ["CVE-2022-35737"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.25.1"]
+```
+
+# `libsqlite3-sys` via C SQLite CVE-2022-35737
+
+It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's `printf` function.
+
+As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite [here](https://github.com/rusqlite/rusqlite/releases/tag/sys0.25.1).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/mapr/RUSTSEC-2022-0053.md new/advisory-db-20230223/crates/mapr/RUSTSEC-2022-0053.md
--- old/advisory-db-20230117/crates/mapr/RUSTSEC-2022-0053.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/mapr/RUSTSEC-2022-0053.md 2023-02-14 13:38:31.000000000 +0100
@@ -13,7 +13,7 @@ The `mapr` fork has been merged back into upstream fork `memmap2`. -The maintainer(s) have adviced `mapr` is deprecated and will not +The maintainer(s) have advised `mapr` is deprecated and will not receive any maintenance in favor of using `memmap2`. ## Possible Alternative(s)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/markdown/RUSTSEC-2022-0044.md new/advisory-db-20230223/crates/markdown/RUSTSEC-2022-0044.md
--- old/advisory-db-20230117/crates/markdown/RUSTSEC-2022-0044.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/markdown/RUSTSEC-2022-0044.md 2023-02-14 13:38:31.000000000 +0100
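Review bot: `categories` lists `"code-execution"` while the `cvss` vector on the line below it is scored `C:N/I:N/A:H`, i.e. availability impact only, so the two metadata fields disagree about what this issue can do; one of them should be reconciled against the referenced NVD entry, since tools that consume the database surface both. The `patched` requirement and the body text are otherwise consistent with each other. In the first body paragraph, `when large string were input` should read `when large strings were input`.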
@@ -7,11 +7,19 @@ url = "https://github.com/johannhof/markdown.rs/issues/48" [versions] -patched = [] -unaffected = [] +patched = [">= 1.0.0-alpha.1"] ``` -# `markdown` is unmaintained +# `markdown` (1.0.0 and higher) is maintained -The [`markdown`](https://crates.io/crates/markdown) crate is no longer actively maintained. For Markdown parsing, you can use the [pulldown-cmark](https://crates.io/crates/pulldown-cmark) crate. - +A new `markdown` crate has been brought over by a new maintainer replacing the old crate. + +As of time of writing only pre-releases seem to be available for the 1.0.0 version of the crate. + +The crate GitHub repository is now [wooorm/markdown-rs](https://github.com/wooorm/markdown-rs) + +# `markdown` (0.3.0 and lower) was unmaintained + +The old [`markdown`](https://crates.io/crates/markdown) crate was no longer actively maintained. + +The crate GitHub repository was [johannhof/markdown.rs](https://github.com/johannhof/markdown.rs) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/matrix-sdk-crypto/RUSTSEC-2022-0085.md new/advisory-db-20230223/crates/matrix-sdk-crypto/RUSTSEC-2022-0085.md --- old/advisory-db-20230117/crates/matrix-sdk-crypto/RUSTSEC-2022-0085.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/matrix-sdk-crypto/RUSTSEC-2022-0085.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,19 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0085" +package = "matrix-sdk-crypto" +date = "2022-09-29" +url = "https://github.com/matrix-org/matrix-rust-sdk/commit/093fb5d0aa21c0b5eaea6ec96b477f1075271cbb" +references = ["https://github.com/matrix-org/matrix-rust-sdk/commit/41449d2cc360e347f5d4e1c154ec1e3185f11acd"] +aliases = ["CVE-2022-39252", "GHSA-vp68-2wrm-69qm"] +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + +[versions] +patched = [">= 0.6.0"] +``` + +# matrix-sdk Impersonation of room keys + +When the user receives a forwarded room key, the software accepts it without +checking who the room key came from. This allows homeservers to try to insert +room keys of questionable validity, potentially mounting an impersonation attack. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/mozwire/RUSTSEC-2020-0030.md new/advisory-db-20230223/crates/mozwire/RUSTSEC-2020-0030.md --- old/advisory-db-20230117/crates/mozwire/RUSTSEC-2020-0030.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/mozwire/RUSTSEC-2020-0030.md 2023-02-14 13:38:31.000000000 +0100 @@ -13,7 +13,7 @@ patched = ["> 0.4.1"] ``` -# Missing sanitazion in mozwire allows local file overwrite of files ending in .conf +# Missing sanitization in mozwire allows local file overwrite of files ending in .conf The client software downloaded a list of servers from mozilla's servers and created local files named after the hostname field in the json document. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/nix/RUSTSEC-2021-0119.md new/advisory-db-20230223/crates/nix/RUSTSEC-2021-0119.md --- old/advisory-db-20230117/crates/nix/RUSTSEC-2021-0119.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/nix/RUSTSEC-2021-0119.md 2023-02-14 13:38:31.000000000 +0100 
@@ -25,7 +25,7 @@ The libc `getgrouplist` function takes an in/out parameter `ngroups` specifying the size of the group buffer. When the buffer is too small to -hold all of the reqested user's group memberships, some libc +hold all of the requested user's group memberships, some libc implementations, including glibc and Solaris libc, will modify `ngroups` to indicate the actual number of groups for the user, in addition to returning an error. The version of `nix::unistd::getgrouplist` in nix diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0006.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0006.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0006.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0006.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0006"
+package = "openssl-src"
+aliases = ["CVE-2023-0286"]
+categories = ["denial-of-service", "memory-exposure"]
+date = "2023-02-07"
+url = "https://www.openssl.org/news/secadv/20230207.txt"
+[versions]
+patched = [">= 111.25, < 300.0", ">= 300.0.12"]
+```
+
+# X.400 address type confusion in X.509 `GeneralName`
+
+There is a type confusion vulnerability relating to X.400 address processing
+inside an X.509 `GeneralName`. X.400 addresses were parsed as an `ASN1_STRING` but
+the public structure definition for `GENERAL_NAME` incorrectly specified the type
+of the `x400Address` field as `ASN1_TYPE`. This field is subsequently interpreted by
+the OpenSSL function `GENERAL_NAME_cmp` as an `ASN1_TYPE` rather than an
+`ASN1_STRING`.
+
+When CRL checking is enabled (i.e. the application sets the
+`X509_V_FLAG_CRL_CHECK` flag), this vulnerability may allow an attacker to pass
+arbitrary pointers to a `memcmp` call, enabling them to read memory contents or
+enact a denial of service. In most cases, the attack requires the attacker to
+provide both the certificate chain and CRL, neither of which need to have a
+valid signature. If the attacker only controls one of these inputs, the other
+input must already contain an X.400 address as a CRL distribution point, which
+is uncommon. As such, this vulnerability is most likely to only affect
+applications which have implemented their own functionality for retrieving CRLs
+over a network.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0007.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0007.md
--- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0007.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0007.md 2023-02-14 13:38:31.000000000 +0100
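Review bot: `[versions]` follows `url = "https://www.openssl.org/news/secadv/20230207.txt"` with no separating blank line in this advisory's TOML, and the same layout is repeated in RUSTSEC-2023-0007 and RUSTSEC-2023-0008 added further down; every other advisory in this update separates the `[advisory]` and `[versions]` tables with an empty line, so adding one before `[versions]` in all three keeps the front matter consistent. The three openssl-src advisories also omit `keywords`, which the other CVE-backed entries here (for example libgit2-sys) carry; whether that field is expected for these entries cannot be determined from this diff alone.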
@@ -0,0 +1,28 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0007" +package = "openssl-src" +aliases = ["CVE-2022-4304"] +categories = ["crypto-failure"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 111.25, < 300.0", ">= 300.0.12"] +``` + +# Timing Oracle in RSA Decryption + +A timing based side channel exists in the OpenSSL RSA Decryption implementation +which could be sufficient to recover a plaintext across a network in a +Bleichenbacher style attack. To achieve a successful decryption an attacker +would have to be able to send a very large number of trial messages for +decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, +RSA-OEAP and RSASVE. + +For example, in a TLS connection, RSA is commonly used by a client to send an +encrypted pre-master secret to the server. An attacker that had observed a +genuine connection between a client and a server could use this flaw to send +trial messages to the server and record the time taken to process them. After a +sufficiently large number of messages the attacker could recover the pre-master +secret used for the original connection and thus be able to decrypt the +application data sent over that connection. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0008.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0008.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0008.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0008.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,31 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0008" +package = "openssl-src" +aliases = ["CVE-2022-4203"] +categories = ["denial-of-service", "memory-exposure"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 300.0.12"] +unaffected = ["< 300.0.0"] +``` + +# X.509 Name Constraints Read Buffer Overflow + +A read buffer overrun can be triggered in X.509 certificate verification, +specifically in name constraint checking. Note that this occurs +after certificate chain signature verification and requires either a +CA to have signed the malicious certificate or for the application to +continue certificate verification despite failure to construct a path +to a trusted issuer. + +The read buffer overrun might result in a crash which could lead to +a denial of service attack. In theory it could also result in the disclosure +of private memory contents (such as private keys, or sensitive plaintext) +although we are not aware of any working exploit leading to memory +contents disclosure as of the time of release of this advisory. + +In a TLS client, this can be triggered by connecting to a malicious +server. In a TLS server, this can be triggered if the server requests +client authentication and a malicious client connects. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0009.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0009.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0009.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0009.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,38 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0009" +package = "openssl-src" +aliases = ["CVE-2023-0215"] +categories = ["denial-of-service"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 111.25, < 300.0", ">= 300.0.12"] +``` + +# Use-after-free following `BIO_new_NDEF` + +The public API function `BIO_new_NDEF` is a helper function used for streaming +ASN.1 data via a `BIO`. It is primarily used internally to OpenSSL to support the +SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by +end user applications. + +The function receives a `BIO` from the caller, prepends a new `BIO_f_asn1` filter +`BIO` onto the front of it to form a `BIO` chain, and then returns the new head of +the `BIO` chain to the caller. Under certain conditions, for example if a CMS +recipient public key is invalid, the new filter `BIO` is freed and the function +returns a `NULL` result indicating a failure. However, in this case, the `BIO` chain +is not properly cleaned up and the `BIO` passed by the caller still retains +internal pointers to the previously freed filter `BIO`. If the caller then goes on +to call `BIO_pop()` on the `BIO` then a use-after-free will occur. This will most +likely result in a crash. + +This scenario occurs directly in the internal function `B64_write_ASN1()` which +may cause `BIO_new_NDEF()` to be called and will subsequently call `BIO_pop()` on +the `BIO`. This internal function is in turn called by the public API functions +`PEM_write_bio_ASN1_stream`, `PEM_write_bio_CMS_stream`, `PEM_write_bio_PKCS7_stream`, +`SMIME_write_ASN1`, `SMIME_write_CMS` and `SMIME_write_PKCS7`. + +Other public API functions that may be impacted by this include +`i2d_ASN1_bio_stream`, `BIO_new_CMS`, `BIO_new_PKCS7`, `i2d_CMS_bio_stream` and +`i2d_PKCS7_bio_stream`. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0010.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0010.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0010.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0010.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,36 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0010" +package = "openssl-src" +aliases = ["CVE-2022-4450"] +categories = ["denial-of-service"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 111.25, < 300.0", ">= 300.0.12"] +``` + +# Double free after calling `PEM_read_bio_ex` + +The function `PEM_read_bio_ex()` reads a PEM file from a BIO and parses and +decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. +If the function succeeds then the "name_out", "header" and "data" arguments are +populated with pointers to buffers containing the relevant decoded data. The +caller is responsible for freeing those buffers. It is possible to construct a +PEM file that results in 0 bytes of payload data. In this case `PEM_read_bio_ex()` +will return a failure code but will populate the header argument with a pointer +to a buffer that has already been freed. If the caller also frees this buffer +then a double free will occur. This will most likely lead to a crash. This +could be exploited by an attacker who has the ability to supply malicious PEM +files for parsing to achieve a denial of service attack. + +The functions `PEM_read_bio()` and `PEM_read()` are simple wrappers around +`PEM_read_bio_ex()` and therefore these functions are also directly affected. + +These functions are also called indirectly by a number of other OpenSSL +functions including `PEM_X509_INFO_read_bio_ex()` and +`SSL_CTX_use_serverinfo_file()` which are also vulnerable. Some OpenSSL internal +uses of these functions are not vulnerable because the caller does not free the +header argument if `PEM_read_bio_ex()` returns a failure code. These locations +include the `PEM_read_bio_TYPE()` functions as well as the decoders introduced in +OpenSSL 3.0. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0011.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0011.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0011.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0011.md 2023-02-14 13:38:31.000000000 +0100 @@ -0,0 +1,23 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0011" +package = "openssl-src" +aliases = ["CVE-2023-0216"] +categories = ["denial-of-service"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 300.0.12"] +unaffected = ["< 300.0.0"] +``` + +# Invalid pointer dereference in `d2i_PKCS7` functions + +An invalid pointer dereference on read can be triggered when an +application tries to load malformed PKCS7 data with the +`d2i_PKCS7()`, `d2i_PKCS7_bio()` or `d2i_PKCS7_fp()` functions. + +The result of the dereference is an application crash which could +lead to a denial of service attack. The TLS implementation in OpenSSL +does not call this function however third party applications might +call these functions on untrusted data. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0012.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0012.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0012.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0012.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,25 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0012" +package = "openssl-src" +aliases = ["CVE-2023-0217"] +categories = ["denial-of-service"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 300.0.12"] +unaffected = ["< 300.0.0"] +``` + +# `NULL` dereference validating DSA public key + +An invalid pointer dereference on read can be triggered when an +application tries to check a malformed DSA public key by the +`EVP_PKEY_public_check()` function. This will most likely lead +to an application crash. This function can be called on public +keys supplied from untrusted sources which could allow an attacker +to cause a denial of service attack. + +The TLS implementation in OpenSSL does not call this function +but applications might call the function if there are additional +security requirements imposed by standards such as FIPS 140-3. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0013.md new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0013.md --- old/advisory-db-20230117/crates/openssl-src/RUSTSEC-2023-0013.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/openssl-src/RUSTSEC-2023-0013.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,32 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0013" +package = "openssl-src" +aliases = ["CVE-2023-0401"] +categories = ["denial-of-service"] +date = "2023-02-07" +url = "https://www.openssl.org/news/secadv/20230207.txt" +[versions] +patched = [">= 300.0.12"] +unaffected = ["< 300.0.0"] +``` + +# `NULL` dereference during PKCS7 data verification + +A `NULL` pointer can be dereferenced when signatures are being +verified on PKCS7 `signed` or `signedAndEnveloped` data. In case the hash +algorithm used for the signature is known to the OpenSSL library but +the implementation of the hash algorithm is not available the digest +initialization will fail. There is a missing check for the return +value from the initialization function which later leads to invalid +usage of the digest API most likely leading to a crash. + +The unavailability of an algorithm can be caused by using FIPS +enabled configuration of providers or more commonly by not loading +the legacy provider. + +PKCS7 data is processed by the SMIME library calls and also by the +time stamp (TS) library calls. The TLS implementation in OpenSSL does +not call these functions however third party applications would be +affected if they call these functions to verify signatures on untrusted +data. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/personnummer/RUSTSEC-2020-0166.md new/advisory-db-20230223/crates/personnummer/RUSTSEC-2020-0166.md --- old/advisory-db-20230117/crates/personnummer/RUSTSEC-2020-0166.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/personnummer/RUSTSEC-2020-0166.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,24 @@ +```toml +[advisory] +id = "RUSTSEC-2020-0166" +package = "personnummer" +date = "2020-09-04" +url = "https://github.com/personnummer/rust/pull/4" +aliases = ["GHSA-28r9-pq4c-wp3c"] +informational = "notice" + +[versions] +patched = [">= 3.0.1"] +``` +# personnummer Input validation error + +Swedish personal identity is in the form of YYMMDD-XXXX + +An issue arises from the regular expression allowing the first three digits in +the last four digits of the personnummer to be 000, which is invalid. + +To mitigate this without upgrading, a check on the last four digits can be made +to make sure it's not 000x. + +The affected version should not be relied on without the mitigation to check +that the swedish personal identity number is valid. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/pnet_packet/RUSTSEC-2020-0167.md new/advisory-db-20230223/crates/pnet_packet/RUSTSEC-2020-0167.md --- old/advisory-db-20230117/crates/pnet_packet/RUSTSEC-2020-0167.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/pnet_packet/RUSTSEC-2020-0167.md 2023-02-14 13:38:31.000000000 +0100 
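Review bot: `Swedish personal identity is in the form of YYMMDD-XXXX` is missing its noun and a full stop; suggest `A Swedish personal identity number (personnummer) has the form YYMMDD-XXXX.`, and `swedish` in the last paragraph should be `Swedish`. The heading `# personnummer Input validation error` sits directly under the closing fence; the other advisories in this update leave a blank line there. The advisory sets neither `categories` nor `keywords`, so nothing but the package name makes it findable in searches.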
@@ -0,0 +1,18 @@ +```toml +[advisory] +id = "RUSTSEC-2020-0167" +package = "pnet_packet" +date = "2020-06-19" +url = "https://github.com/libpnet/libpnet/issues/449" +categories = ["memory-corruption"] +cvss = "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H" + +[versions] +patched = [">= 0.27.2"] +``` + +# `pnet_packet` buffer overrun in `set_payload` setters + +As indicated by this [issue](https://github.com/libpnet/libpnet/issues/449#issuecomment-663355987), a buffer overrun is possible in the `set_payload` setter of the various mutable "Packet" struct setters. The offending `set_payload` functions were defined within the struct `impl` blocks in earlier versions of the package, and later by the `packet` macro. + +Fixed in the `packet` macro by [this](https://github.com/libpnet/libpnet/pull/455) PR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/rusttype/RUSTSEC-2021-0140.md new/advisory-db-20230223/crates/rusttype/RUSTSEC-2021-0140.md --- old/advisory-db-20230117/crates/rusttype/RUSTSEC-2021-0140.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/rusttype/RUSTSEC-2021-0140.md 2023-02-14 13:38:31.000000000 +0100 @@ -11,7 +11,7 @@ ``` # rusttype is Unmaintained -The maintainer has adviced this crate is deprecated and will not +The maintainer has advised this crate is deprecated and will not receive any maintenance. The maintainer has further advised to migrate over to `ab_glyph`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/sass-rs/RUSTSEC-2021-0136.md new/advisory-db-20230223/crates/sass-rs/RUSTSEC-2021-0136.md --- old/advisory-db-20230117/crates/sass-rs/RUSTSEC-2021-0136.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/sass-rs/RUSTSEC-2021-0136.md 2023-02-14 13:38:31.000000000 +0100 
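Review bot: The description never states what condition reaches the overrun — it only names `set_payload` and defers to the linked issue comment — so a one-line statement of the unchecked relationship (payload length versus the buffer the setter writes into, if that is what the issue describes) would let readers triage without leaving the page. The `cvss` vector's `AV:L/.../PR:H` says a local, highly privileged attacker is required, which is hard to reconcile with a setter in a packet-building library that is fed caller-supplied data; worth re-checking against whichever source the vector was taken from. `[this](...)` and `[this](...) PR` as link text are uninformative; linking the issue and PR numbers, e.g. `[libpnet/libpnet#455](https://github.com/libpnet/libpnet/pull/455)`, reads better.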
@@ -14,4 +14,4 @@ The `sass-rs` crate is not maintained anymore as libsass is deprecated. Consider using https://github.com/connorskees/grass or https://github.com/kaj/rsass instead. -(Author's recomendation.) +(Author's recommendation.) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/secp256k1/RUSTSEC-2022-0070.md new/advisory-db-20230223/crates/secp256k1/RUSTSEC-2022-0070.md --- old/advisory-db-20230117/crates/secp256k1/RUSTSEC-2022-0070.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/secp256k1/RUSTSEC-2022-0070.md 2023-02-14 13:38:31.000000000 +0100 
@@ -31,6 +31,6 @@ * manually checked that your usage of the method is sound * upgraded to the patched version of `secp256k1` (recommended) -The patched version uses correct bounds which means it is API-breaking. This effectively means adopting the policy of Rust lang itself allowing API-breaking changes to fix soundness bugs. Note however that valid straigthforward usage of the code will continue to compile. Only unsound code or code that propagates the bound in custom generics will fail to compile. If the code is sound fixing the bounds should be sufficient to make the code compile. +The patched version uses correct bounds which means it is API-breaking. This effectively means adopting the policy of Rust lang itself allowing API-breaking changes to fix soundness bugs. Note however that valid straightforward usage of the code will continue to compile. Only unsound code or code that propagates the bound in custom generics will fail to compile. If the code is sound fixing the bounds should be sufficient to make the code compile. See the [GitHub issue](https://github.com/rust-bitcoin/rust-secp256k1/issues/543) for example "exploit" code and further discussion. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/slack-morphism/RUSTSEC-2022-0086.md new/advisory-db-20230223/crates/slack-morphism/RUSTSEC-2022-0086.md --- old/advisory-db-20230117/crates/slack-morphism/RUSTSEC-2022-0086.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/slack-morphism/RUSTSEC-2022-0086.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0086"
+package = "slack-morphism"
+date = "2022-07-22"
+url = "https://github.com/abdolence/slack-morphism-rust/pull/133"
+aliases = ["CVE-2022-31162", "GHSA-99j7-mhfh-w84p"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+
+[versions]
+patched = [">= 0.41.0"]
+```
+# Slack OAuth Secrets leak in debug logs
+
+Debug log formatting made it possible to leak OAuth secrets into debug logs.
+
+The patched version has introduced more strict checks to avoid this.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/slack-morphism/RUSTSEC-2022-0087.md new/advisory-db-20230223/crates/slack-morphism/RUSTSEC-2022-0087.md
--- old/advisory-db-20230117/crates/slack-morphism/RUSTSEC-2022-0087.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/slack-morphism/RUSTSEC-2022-0087.md 2023-02-14 13:38:31.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0087"
+package = "slack-morphism"
+date = "2022-10-10"
+url = "https://github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89"
+aliases = ["CVE-2022-39292", "GHSA-4mjx-2gh5-ph8h"]
+
+[versions]
+patched = [">= 1.3.2"]
+```
+# Slack Webhooks secrets leak in debug logs
+
+Debug log formatting made it possible to leak Webhooks secrets into debug logs.
+
+The patched version has introduced more strict checks to avoid this.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/tauri/RUSTSEC-2022-0088.md new/advisory-db-20230223/crates/tauri/RUSTSEC-2022-0088.md
--- old/advisory-db-20230117/crates/tauri/RUSTSEC-2022-0088.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230223/crates/tauri/RUSTSEC-2022-0088.md 2023-02-14 13:38:31.000000000 +0100
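Review bot: RUSTSEC-2022-0087 has no `cvss` field while its sibling RUSTSEC-2022-0086 — the same bug class in the same crate — does; if the GHSA alias carries a vector, copy it so the two are scored consistently. Neither advisory sets `categories` or `keywords`; there is no dedicated category for credential leakage, so something like `keywords = ["secrets", "logging"]` (constructed here) would at least make them searchable. Both descriptions say only that `Debug log formatting` leaked the secret — naming the type whose debug output (presumably a `Debug` impl) included the token would tell operators what to look for when checking existing logs for exposure.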
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0088"
+package = "tauri"
+date = "2022-08-07"
+url = "https://github.com/tauri-apps/tauri/issues/4882"
+categories = ["privilege-escalation"]
+aliases = ["CVE-2022-39215", "GHSA-28m8-9j7v-x499"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+
+[versions]
+patched = [">= 1.0.6"]
+```
+
+# `tauri`'s `readDir` endpoint allows possible enumeration outside of filesystem scope
+
+It is possible for `readDir` to incorrectly enumerate files from a symlinked directory if called recursively when specifying an empty string for the dir parameter as outlined in [this](https://github.com/tauri-apps/tauri/issues/4882) issue.
+
+This is corrected in [this](https://github.com/tauri-apps/tauri/pull/5123) PR by checking if a directory is a symlink before reading from it.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/time/RUSTSEC-2020-0071.md new/advisory-db-20230223/crates/time/RUSTSEC-2020-0071.md
--- old/advisory-db-20230117/crates/time/RUSTSEC-2020-0071.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/time/RUSTSEC-2020-0071.md 2023-02-14 13:38:31.000000000 +0100
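Review bot: `categories = ["privilege-escalation"]` frames this as a scope bypass, but what the bug yields according to the text is a listing of files outside the permitted filesystem scope, which the `file-disclosure` category (used by the warp advisory in this same update) describes more directly; `categories` is an array, so both can be listed if the scope-bypass framing is wanted. The description should also say what `readDir` returns in the bad case (names only, or contents too), since that decides how serious the `C:L` in the vector really is. `[this](...) issue` / `[this](...) PR` as link text is uninformative; `[tauri-apps/tauri#4882](https://github.com/tauri-apps/tauri/issues/4882)` and the matching form for PR 5123 read better.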
@@ -71,4 +71,26 @@ ### Workarounds -No workarounds are known. +A possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead. + +#### Examples: + +`Cargo.toml`: + +```toml +chrono = { version = "0.4", default-features = false, features = ["serde"] } +``` + +```toml +chrono = { version = "0.4.22", default-features = false, features = ["clock"] } +``` + +Commandline: + +```bash +cargo add chrono --no-default-features -F clock +``` + +Sources: + - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) + - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0001.md new/advisory-db-20230223/crates/tokio/RUSTSEC-2023-0001.md --- old/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0001.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/tokio/RUSTSEC-2023-0001.md 2023-02-14 13:38:31.000000000 +0100 
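Review bot: The new workaround covers only the `chrono` route into `time` 0.1, but the advisory applies to any dependent; the text should tell readers to first confirm which crate pulls in `time` 0.1 (for example with `cargo tree --invert` on that package) before assuming the `chrono` feature change is sufficient. The two `Cargo.toml` examples differ in version and feature list (`serde` versus `clock`) without saying why; one sentence stating that the feature set is chosen per project and that the point is simply to leave `oldtime` out would remove the guesswork. `Commandline:` would normally be written `Command line:`.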
@@ -22,7 +22,7 @@ This drops any intended explicit configuration for the [reject_remote_clients] that may have been set as `true` previously. -The default setting of [reject_remote_clients] is normally `true` meaning the default is also overriden as `false`. +The default setting of [reject_remote_clients] is normally `true` meaning the default is also overridden as `false`. ## Workarounds diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0005.md new/advisory-db-20230223/crates/tokio/RUSTSEC-2023-0005.md --- old/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0005.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/tokio/RUSTSEC-2023-0005.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,33 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0005" +package = "tokio" +date = "2023-01-11" +url = "https://github.com/tokio-rs/tokio/issues/5372" +categories = ["memory-exposure"] +informational = "unsound" + +[versions] +patched = [">= 1.18.5, < 1.19.0", ">= 1.20.4, < 1.21.0", ">= 1.24.2"] +unaffected = ["< 0.2.0"] +``` + +# `tokio::io::ReadHalf<T>::unsplit` is Unsound + +`tokio::io::ReadHalf<T>::unsplit` can violate the `Pin` contract + +The soundness issue is described in the [tokio/issues#5372](https://github.com/tokio-rs/tokio/issues/5372) + +Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) +is unusual, combined with the difficulty of making any arbitrary use-after-free +exploitable in Rust without doing a lot of careful alignment of data types in +the surrounding code. + +The `tokio` feature `io-util` is also required to be enabled to trigger this +soundness issue. + +Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e +and carllerche appropriately responding and fixing the soundness bug. + +Tokio before 0.2.0 used `futures` 0.1 that did not have `Pin`, so it is not +affected by this issue. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/twoway/RUSTSEC-2021-0146.md new/advisory-db-20230223/crates/twoway/RUSTSEC-2021-0146.md --- old/advisory-db-20230117/crates/twoway/RUSTSEC-2021-0146.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/twoway/RUSTSEC-2021-0146.md 2023-02-14 13:38:31.000000000 +0100 
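Review bot: `categories = ["memory-exposure"]` sits oddly with a description that talks about a use-after-free; the other advisories in this update file memory-safety bugs under `memory-corruption`, so confirm which the maintainers intended. `Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with ...` is a run-on; suggest `The specific set of conditions needed to trigger the issue (a `!Unpin` type in `ReadHalf`) is unusual, and it is combined with ...`. The one-line summary under the heading lacks a full stop, and `Thanks to zachs18 reporting` should read `Thanks to zachs18 for reporting`.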
@@ -13,4 +13,4 @@ # Crate `twoway` deprecated by the author -The commit [`e99b3c7`](https://github.com/bluss/twoway/commit/e99b3c718df1117ad7f54c33f6540c8f46cc17dd) releasing version 0.2.2 explicitely deprecates `twoway` in favour of [`memchr`](https://crates.io/crates/memchr) crate. +The commit [`e99b3c7`](https://github.com/bluss/twoway/commit/e99b3c718df1117ad7f54c33f6540c8f46cc17dd) releasing version 0.2.2 explicitly deprecates `twoway` in favour of [`memchr`](https://crates.io/crates/memchr) crate. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/v9/RUSTSEC-2020-0127.md new/advisory-db-20230223/crates/v9/RUSTSEC-2020-0127.md --- old/advisory-db-20230117/crates/v9/RUSTSEC-2020-0127.md 2023-01-16 10:26:23.000000000 +0100 +++ new/advisory-db-20230223/crates/v9/RUSTSEC-2020-0127.md 2023-02-14 13:38:31.000000000 +0100 @@ -4,12 +4,13 @@ package = "v9" date = "2020-12-18" url = "https://github.com/purpleposeidon/v9/issues/1" +references = ["https://github.com/purpleposeidon/v9/commit/18847c50e5d36561cc91c996c3539ddb1eacf6c7"] categories = ["memory-corruption", "thread-safety"] aliases = ["CVE-2020-36447"] cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" [versions] -patched = [] +patched = [">= 0.1.43"] ``` # SyncRef's clone() and debug() allow data races diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/warp/RUSTSEC-2022-0082.md new/advisory-db-20230223/crates/warp/RUSTSEC-2022-0082.md --- old/advisory-db-20230117/crates/warp/RUSTSEC-2022-0082.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230223/crates/warp/RUSTSEC-2022-0082.md 2023-02-14 13:38:31.000000000 +0100 
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0082"
+package = "warp"
+date = "2022-01-14"
+url = "https://github.com/seanmonstar/warp/issues/937"
+categories = ["file-disclosure"]
+keywords = ["directory traversal", "http"]
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = [">= 0.3.3"]
+```
+
+# Improper validation of Windows paths could lead to directory traversal attack
+
+Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths
+meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed
+and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users
+could potentially read files anywhere on the filesystem.
+
+This only impacts Windows. Linux and other unix likes are not impacted by this.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230117/crates/xcb/RUSTSEC-2020-0097.md new/advisory-db-20230223/crates/xcb/RUSTSEC-2020-0097.md
--- old/advisory-db-20230117/crates/xcb/RUSTSEC-2020-0097.md 2023-01-16 10:26:23.000000000 +0100
+++ new/advisory-db-20230223/crates/xcb/RUSTSEC-2020-0097.md 2023-02-14 13:38:31.000000000 +0100
@@ -5,12 +5,12 @@ aliases = ["CVE-2020-36205"] cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" date = "2020-12-10" -url = "https://github.com/rtbo/rust-xcb/issues/93" +url = "https://github.com/rust-x-bindings/rust-xcb/issues/93" categories = ["memory-corruption", "thread-safety"] informational = "unsound" [versions] -patched = [] +patched = [">= 1.0"] ``` # Soundness issue with base::Error
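Review bot: `Thus users could potentially read files anywhere on the filesystem` overstates the reach — reads are bounded by what the serving process itself can open — so `... read any file the server process has permission to read` is the accurate statement. `unix likes` should be `Unix-likes`. The advisory sets no `aliases` and no `cvss`; if a GHSA or CVE was issued for the linked report, adding it lets `cargo audit` users cross-reference it.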