Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2023-08-18 19:28:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Fri Aug 18 19:28:54 2023 rev:35 rq:1104494 version:20230818

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2023-08-01 15:38:40.441873868 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1766/cargo-audit-advisory-db.changes
        2023-08-18 19:29:25.199430049 +0200
@@ -1,0 +2,15 @@
+Thu Aug 17 23:38:35 UTC 2023 - william.br...@suse.com
+
+- Update to version 20230818:
+  * Assigned RUSTSEC-2022-0093 to ed25519-dalek (#1745)
+  * Add Double Public Key Signing Function Oracle Attack on `ed25519-dalek` 
(#1744)
+  * Assigned RUSTSEC-2023-0049 to tui (#1740)
+  * Add unmaintained `tui` advisory (#1739)
+  * Update aliases from GHSA OSV export (#1734)
+  * Assigned RUSTSEC-2023-0048 to intaglio (#1733)
+  * Add advisory for unsoundness in intaglio symbol interners (#1732)
+  * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730)
+  * report unsoundness of lmdb-rs (#1724)
+  * Fix typos (#1729)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20230731.tar.xz

New:
----
  advisory-db-20230818.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.edPHZg/_old  2023-08-18 19:29:25.867431246 +0200
+++ /var/tmp/diff_new_pack.edPHZg/_new  2023-08-18 19:29:25.875431261 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20230731
+Version:        20230818
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
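Review bot: the unchanged `Summary:` context line still reads "Rust depedencies" (typo for "dependencies"); this hunk only bumps `Version`, so fix the spelling in the same submit request or a follow-up so the typo stops shipping in the package metadata.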

++++++ _service ++++++
--- /var/tmp/diff_new_pack.edPHZg/_old  2023-08-18 19:29:25.939431376 +0200
+++ /var/tmp/diff_new_pack.edPHZg/_new  2023-08-18 19:29:25.943431383 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20230731</param>
+    <param name="version">20230818</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">william.br...@suse.com</param>

++++++ advisory-db-20230731.tar.xz -> advisory-db-20230818.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230731/.duplicate-id-guard 
new/advisory-db-20230818/.duplicate-id-guard
--- old/advisory-db-20230731/.duplicate-id-guard        2023-07-29 
19:20:00.000000000 +0200
+++ new/advisory-db-20230818/.duplicate-id-guard        2023-08-14 
19:14:25.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-c180e114f092d808a8efaab98d0138ec1d49f659bfc4edfb340dd84e2fedd88b  -
+e315acbba1dcf156464306c5a2fae64532f7b99cfbf4935bf3b894f2174c7de2  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230731/crates/ed25519-dalek/RUSTSEC-2022-0093.md 
new/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md
--- old/advisory-db-20230731/crates/ed25519-dalek/RUSTSEC-2022-0093.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230818/crates/ed25519-dalek/RUSTSEC-2022-0093.md  
2023-08-14 19:14:25.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0093"
+package = "ed25519-dalek"
+date = "2022-06-11"
+categories = ["crypto-failure"]
+url = "https://github.com/MystenLabs/ed25519-unsafe-libs";
+
+[versions]
+patched = [">= 2"]
+```
+
+# Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
+
+Versions of `ed25519-dalek` prior to v2.0 model private and public keys as
+separate types which can be assembled into a `Keypair`, and also provide APIs
+for serializing and deserializing 64-byte private/public keypairs.
+
+Such APIs and serializations are inherently unsafe as the public key is one of
+the inputs used in the deterministic computation of the `S` part of the 
signature,
+but not in the `R` value. An adversary could somehow use the signing function 
as
+an oracle that allows arbitrary public keys as input can obtain two signatures
+for the same message sharing the same `R` and only differ on the `S` part.
+
+Unfortunately, when this happens, one can easily extract the private key.
+
+Revised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled
+private/public keypair as signing input, except as part of specially labeled
+"hazmat" APIs which are clearly labeled as being dangerous if misused.
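Review bot: the sentence beginning "An adversary could somehow use the signing function" is ungrammatical (the adversary never gets a main verb) and "somehow" undercuts the point; suggest: "An adversary who can use the signing function as an oracle that accepts arbitrary public keys as input can obtain two signatures for the same message that share the same `R` and differ only in `S`." The next paragraph asserts that the private key can then be extracted without saying why; one clause would make it checkable for readers: because the public key enters `S` only through the hash coefficient while the nonce (and so `R`) is unchanged, subtracting the two `S` values leaves the private scalar multiplied by a known, invertible hash difference. Finally, the advisory offers users who cannot move to 2.x no workaround; consider stating that on 1.x a `Keypair` must be built only from the secret key, deriving the public half from it rather than accepting a caller-supplied public key.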
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230731/crates/tui/RUSTSEC-2023-0049.md 
new/advisory-db-20230818/crates/tui/RUSTSEC-2023-0049.md
--- old/advisory-db-20230731/crates/tui/RUSTSEC-2023-0049.md    1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230818/crates/tui/RUSTSEC-2023-0049.md    2023-08-14 
19:14:25.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0049"
+package = "tui"
+date = "2023-08-07"
+informational = "unmaintained"
+url = "https://github.com/fdehau/tui-rs/issues/654";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `tui` is unmaintained; use `ratatui` instead
+
+The [`tui`](https://crates.io/crates/tui) crate is no longer maintained.
+
+Consider using the [`ratatui`](https://crates.io/crates/ratatui) crate instead.
