Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2023-08-18 19:28:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old) and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Fri Aug 18 19:28:54 2023 rev:35 rq:1104494 version:20230818 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2023-08-01 15:38:40.441873868 +0200 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1766/cargo-audit-advisory-db.changes 2023-08-18 19:29:25.199430049 +0200 @@ -1,0 +2,15 @@ +Thu Aug 17 23:38:35 UTC 2023 - william.br...@suse.com + +- Update to version 20230818: + * Assigned RUSTSEC-2022-0093 to ed25519-dalek (#1745) + * Add Double Public Key Signing Function Oracle Attack on `ed25519-dalek` (#1744) + * Assigned RUSTSEC-2023-0049 to tui (#1740) + * Add unmaintained `tui` advisory (#1739) + * Update aliases from GHSA OSV export (#1734) + * Assigned RUSTSEC-2023-0048 to intaglio (#1733) + * Add advisory for unsoundness in intaglio symbol interners (#1732) + * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730) + * report unsoundness of lmdb-rs (#1724) + * Fix typos (#1729) + +------------------------------------------------------------------- Old: ---- advisory-db-20230731.tar.xz New: ---- advisory-db-20230818.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.edPHZg/_old 2023-08-18 19:29:25.867431246 +0200 +++ /var/tmp/diff_new_pack.edPHZg/_new 2023-08-18 19:29:25.875431261 +0200 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20230731 +Version: 20230818 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.edPHZg/_old 2023-08-18 19:29:25.939431376 +0200 +++ /var/tmp/diff_new_pack.edPHZg/_new 2023-08-18 19:29:25.943431383 +0200 
@@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20230731</param> + <param name="version">20230818</param> <param name="revision">main</param> <param name="changesgenerate">enable</param> <param name="changesauthor">william.br...@suse.com</param> ++++++ advisory-db-20230731.tar.xz -> advisory-db-20230818.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230731/.duplicate-id-guard new/advisory-db-20230818/.duplicate-id-guard --- old/advisory-db-20230731/.duplicate-id-guard 2023-07-29 19:20:00.000000000 +0200 +++ new/advisory-db-20230818/.duplicate-id-guard 2023-08-14 19:14:25.000000000 +0200 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -c180e114f092d808a8efaab98d0138ec1d49f659bfc4edfb340dd84e2fedd88b - +e315acbba1dcf156464306c5a2fae64532f7b99cfbf4935bf3b894f2174c7de2 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230731/crates/ed25519-dalek/RUSTSEC-2022-0093.md new/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md --- old/advisory-db-20230731/crates/ed25519-dalek/RUSTSEC-2022-0093.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md 2023-08-14 19:14:25.000000000 +0200 
@@ -0,0 +1,29 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0093" +package = "ed25519-dalek" +date = "2022-06-11" +categories = ["crypto-failure"] +url = "https://github.com/MystenLabs/ed25519-unsafe-libs" + +[versions] +patched = [">= 2"] +``` + +# Double Public Key Signing Function Oracle Attack on `ed25519-dalek` + +Versions of `ed25519-dalek` prior to v2.0 model private and public keys as +separate types which can be assembled into a `Keypair`, and also provide APIs +for serializing and deserializing 64-byte private/public keypairs. + +Such APIs and serializations are inherently unsafe as the public key is one of +the inputs used in the deterministic computation of the `S` part of the signature, +but not in the `R` value. An adversary could somehow use the signing function as +an oracle that allows arbitrary public keys as input can obtain two signatures +for the same message sharing the same `R` and only differ on the `S` part. + +Unfortunately, when this happens, one can easily extract the private key. + +Revised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled +private/public keypair as signing input, except as part of specially labeled +"hazmat" APIs which are clearly labeled as being dangerous if misused. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230731/crates/tui/RUSTSEC-2023-0049.md new/advisory-db-20230818/crates/tui/RUSTSEC-2023-0049.md --- old/advisory-db-20230731/crates/tui/RUSTSEC-2023-0049.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230818/crates/tui/RUSTSEC-2023-0049.md 2023-08-14 19:14:25.000000000 +0200 
@@ -0,0 +1,18 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0049" +package = "tui" +date = "2023-08-07" +informational = "unmaintained" +url = "https://github.com/fdehau/tui-rs/issues/654" + +[versions] +patched = [] +unaffected = [] +``` + +# `tui` is unmaintained; use `ratatui` instead + +The [`tui`](https://crates.io/crates/tui) crate is no longer maintained. + +Consider using the [`ratatui`](https://crates.io/crates/ratatui) crate instead.
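Review bot: in the cargo-audit-advisory-db.spec hunk, the unchanged context line `Summary: A database of known security issues for Rust depedencies` carries the typo "depedencies"; since the spec is already being edited for the version bump, correct it to "dependencies" in the same change.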
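Review bot: in the RUSTSEC-2022-0093.md hunk, the sentence beginning `An adversary could somehow use the signing function as an oracle that allows arbitrary public keys as input can obtain two signatures` is grammatically broken and obscures the precondition of the attack; suggest rewording the `+` lines to "An adversary who can use the signing function as an oracle that accepts arbitrary public keys as input can obtain two signatures for the same message that share the same `R` and differ only in the `S` part." The rest of the text (the `S` value depends on the public key while `R` does not, and two such signatures reveal the private key) then reads consistently with the `patched = [">= 2"]` range and the closing paragraph about the v2.0 "hazmat" APIs.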