Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2024-05-29 19:36:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Wed May 29 19:36:06 2024 rev:40 rq:1177430 version:20240528

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2024-04-04 22:27:20.517704019 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.24587/cargo-audit-advisory-db.changes
       2024-05-29 19:36:52.626715764 +0200
@@ -1,0 +2,15 @@
+Tue May 28 05:56:45 UTC 2024 - william.br...@suse.com
+
+- Update to version 20240528:
+  * Add some civility language to HOWTO_UNMAINTAINED.md (#1972)
+  * Synchronize IDs (2024-05-21) (#1966)
+  * Assigned RUSTSEC-2024-0342 to vodozemac (#1965)
+  * Add CVE-2024-34063 for vodozemac (#1955)
+  * Assigned RUSTSEC-2024-0341 to tls-listener (#1964)
+  * Assigned RUSTSEC-2024-0340 to tor-circmgr (#1963)
+  * add CVE-2024-28854 for tls-listener (#1926)
+  * Add advisory for tor-circmgr TROVE-2024-004 (#1958)
+  * Assigned RUSTSEC-2024-0339 to tor-circmgr (#1962)
+  * Add advisory for tor-circmgr TROVE-2024-003 (#1957)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20240330.tar.xz

New:
----
  advisory-db-20240528.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.wxhzrJ/_old  2024-05-29 19:36:53.078732122 +0200
+++ /var/tmp/diff_new_pack.wxhzrJ/_new  2024-05-29 19:36:53.082732267 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20240330
+Version:        20240528
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
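Review bot: the Summary context line just above the License line still reads `A database of known security issues for Rust depedencies`; since the spec is being touched for the version bump anyway, fix the typo to `dependencies` in the same request.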

++++++ _service ++++++
--- /var/tmp/diff_new_pack.wxhzrJ/_old  2024-05-29 19:36:53.118733570 +0200
+++ /var/tmp/diff_new_pack.wxhzrJ/_new  2024-05-29 19:36:53.126733859 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20240330</param>
+    <param name="version">20240528</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">william.br...@suse.com</param>
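Review bot: `<param name="revision">main</param>` combined with a date-based `<param name="version">20240528</param>` means the tarball content cannot be regenerated from the version alone; a second run of the service against `main` on the same day can yield a different `advisory-db-20240528.tar.xz`. For a package whose entire payload is security advisory data consumed by `cargo audit`, pin `revision` to the upstream commit that was actually fetched and bump it together with `version`, so the checked-in tarball is reproducible and reviewable.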

++++++ advisory-db-20240330.tar.xz -> advisory-db-20240528.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20240330/.duplicate-id-guard 
new/advisory-db-20240528/.duplicate-id-guard
--- old/advisory-db-20240330/.duplicate-id-guard        2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/.duplicate-id-guard        2024-05-26 
22:27:57.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-c815ab1ade2f35f9cd20b24ae50fe24ba9b0a9a1461f04f787bdd4c89e835534  -
+033b059b6cbbf2107fc1270372f4f929601a920f3927c9d46b3f1f937901c634  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20240330/HOWTO_UNMAINTAINED.md 
new/advisory-db-20240528/HOWTO_UNMAINTAINED.md
--- old/advisory-db-20240330/HOWTO_UNMAINTAINED.md      2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/HOWTO_UNMAINTAINED.md      2024-05-26 
22:27:57.000000000 +0200
@@ -7,6 +7,11 @@
 of unmaintained crates within a particular project, and also serve to guide
 switching to maintained alternatives.
 
+When approaching a potentially unmaintained crate, do not behave rudely
+towards open soruce maintainers. Submitting a RUSTSEC advisory for an
+unmaintained crate should not be treated as a weapon to coerce open source
+maintainers.
+
 ## Definition of an "unmaintained" crate
 
 We consider crates unmaintained when they fall into either of the following
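Review bot: typo in the added paragraph, `open soruce maintainers` should read `open source maintainers`. The wording is otherwise fine.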
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/cassandra-cpp/RUSTSEC-2024-0017.md 
new/advisory-db-20240528/crates/cassandra-cpp/RUSTSEC-2024-0017.md
--- old/advisory-db-20240330/crates/cassandra-cpp/RUSTSEC-2024-0017.md  
2024-03-25 10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/cassandra-cpp/RUSTSEC-2024-0017.md  
2024-05-26 22:27:57.000000000 +0200
@@ -7,11 +7,12 @@
 informational = "unsound"
 categories = ["memory-corruption", "memory-exposure"]
 keywords = ["memory-safety", "use-after-free"]
-aliases = ["GHSA-x9xc-63hg-vcfq"]
+aliases = ["CVE-2024-27284", "GHSA-x9xc-63hg-vcfq"]
 
 [versions]
 patched = [">= 3.0.0"]
 ```
+
 # Non-idiomatic use of iterators leads to use after free
 
 Code that attempts to use an item (e.g., a row) returned by an iterator after 
the iterator has advanced to the next item will be accessing freed memory and 
experience undefined behaviour. Code that uses the item and then advances the 
iterator is unaffected. This problem has always existed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/cosmwasm-std/RUSTSEC-2024-0338.md 
new/advisory-db-20240528/crates/cosmwasm-std/RUSTSEC-2024-0338.md
--- old/advisory-db-20240330/crates/cosmwasm-std/RUSTSEC-2024-0338.md   
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/cosmwasm-std/RUSTSEC-2024-0338.md   
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0338"
+package = "cosmwasm-std"
+date = "2024-04-24"
+url = "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-002.md";
+keywords = ["overflow", "integer", "arithmetic"]
+aliases = ["GHSA-8724-5xmm-w5xq"]
+
+[versions]
+patched = [">= 1.4.4, < 1.5.0", ">= 1.5.4, < 2.0.0", ">= 2.0.2"]
+unaffected = ["< 1.3.0"]
+```
+
+# Arithmetic overflows in cosmwasm-std
+
+Some mathematical operations in `cosmwasm-std` use wrapping math instead of
+panicking on overflow for very big numbers. This can lead to wrong 
calculations in contracts
+that use these operations.
+
+Affected functions:
+
+- `Uint{256,512}::pow` / `Int{256,512}::pow`
+- `Int{256,512}::neg`
+
+Affected if `overflow-checks = true` is not set:
+
+- `Uint{64,128}::pow` / `Int{64,128}::pow`
+- `Int{64,128}::neg`
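Review bot: the version ranges leave a gap: `unaffected = ["< 1.3.0"]` while the lowest patched range is `>= 1.4.4, < 1.5.0`, so every 1.3.x release is reported affected with no fixed release in that series. If 1.3.x received no backport, say so in the body so users on 1.3.x know the only remedy is a minor-version upgrade; if it did, add the range. Separately, the `url` value is followed by a stray `;` (`...CWA-2024-002.md";`), which would be invalid TOML; this looks like mail-archive rendering rather than file content, but confirm the committed file parses.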
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/crayon/RUSTSEC-2024-0018.md 
new/advisory-db-20240528/crates/crayon/RUSTSEC-2024-0018.md
--- old/advisory-db-20240330/crates/crayon/RUSTSEC-2024-0018.md 2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/crayon/RUSTSEC-2024-0018.md 2024-05-26 
22:27:57.000000000 +0200
@@ -6,6 +6,7 @@
 url = "https://github.com/shawnscode/crayon/issues/109";
 categories = ["memory-corruption"]
 keywords = ["std::mem::uninitialized", "address-sanitizer"]
+aliases = ["GHSA-xfhw-6mc4-mgxf"]
 
 [versions]
 patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/eyre/RUSTSEC-2024-0021.md 
new/advisory-db-20240528/crates/eyre/RUSTSEC-2024-0021.md
--- old/advisory-db-20240330/crates/eyre/RUSTSEC-2024-0021.md   2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/eyre/RUSTSEC-2024-0021.md   2024-05-26 
22:27:57.000000000 +0200
@@ -5,6 +5,7 @@
 date = "2024-03-05"
 url = "https://github.com/eyre-rs/eyre/issues/141";
 categories = ["memory-corruption"]
+aliases = ["GHSA-4v52-7q2x-v4xj"]
 
 [versions]
 patched = [">= 0.6.12"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/gix-transport/RUSTSEC-2024-0335.md 
new/advisory-db-20240528/crates/gix-transport/RUSTSEC-2024-0335.md
--- old/advisory-db-20240330/crates/gix-transport/RUSTSEC-2024-0335.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/gix-transport/RUSTSEC-2024-0335.md  
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,91 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0335"
+package = "gix-transport"
+date = "2024-04-13"
+url = 
"https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh";
+categories = ["code-execution"]
+aliases = ["CVE-2024-32884", "GHSA-98p4-xjmm-8mfh"]
+
+[versions]
+patched = [">= 0.42.0"]
+```
+
+# gix-transport indirect code execution via malicious username
+
+### Summary
+
+`gix-transport` does not check the username part of a URL for text that the 
external `ssh` program would interpret as an option. A specially crafted clone 
URL can smuggle options to SSH. The possibilities are syntactically limited, 
but if a malicious clone URL is used by an application whose current working 
directory contains a malicious file, arbitrary code execution occurs.
+
+The first `gix` crate with the fix [is version 
0.62.0](https://crates.io/crates/gix/0.62.0), and the first fixed `gix` CLI is 
[version 0.35](https://github.com/Byron/gitoxide/releases/tag/v0.35.0). 
`gix-transport` [at version 
v0.42](https://crates.io/crates/gix-transport/0.42.0) is the lowest-level 
plumbing crate with the fix.
+
+### Details
+
+This is related to the patched vulnerability 
[RUSTSEC-2023-0064](https://rustsec.org/advisories/RUSTSEC-2023-0064.html), but 
appears less severe due to a greater attack complexity. Since 
<https://github.com/Byron/gitoxide/pull/1032>, `gix-transport` checks the host 
and path portions of a URL for text that has a `-` in a position that will 
cause `ssh` to interpret part of all of the URL as an option argument. But it 
does not check the non-mandatory username portion of the URL.
+
+As in Git, when an address is a URL of the form 
`ssh://username@hostname/path`, or when it takes the special form 
`username@hostname:dirs/repo`, this is treated as an SSH URL. `gix-transport` 
will replace some characters in `username` with their `%`-based URL encodings, 
but otherwise passes `username@hostname` as an argument to the external `ssh` 
command. This happens even if `username` begins with a hyphen. In that case, 
`ssh` treats that argument as an option argument, and attempts to interpret and 
honor it as a sequence of one or more options possibly followed by an operand 
for the last option.
+
+This is harder to exploit than 
[RUSTSEC-2023-0064](https://rustsec.org/advisories/RUSTSEC-2023-0064.html), 
because the possibilities are constrained by:
+
+- The difficulty of forming an option argument `ssh` accepts, given that 
characters such as `=`, `/`, and `\`, are URL-encoded, `:` is removed, and the 
argument passed to `ssh` contains the `@` sign and subsequent host identifier, 
which in an effective attack must be parseable as a suffix of the operand 
passed to the last option.
+
+  The inability to include a literal `=` prevents the use of `-oNAME=VALUE` 
(e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\` 
prevents smuggling in a path operand residing outside the current working 
directory, incuding on Windows. (Although a `~` character may be smuggled in, 
`ssh` does not perform its own tilde expansion, so it does not form an absolute 
path.)
+
+- The difficulty, or perhaps impossibility, of completing a connection (other 
than when arbitrary code execution has been achieved). This complicates or 
altogether prevents the use of options such as `-A` and `-X` together with a 
connection to a real but malicious server. The reason a connection cannot 
generally be completed when exploiting this vulnerability is that, because the 
argument `gix-transport` intends as a URL is treated as an option argument, 
`ssh` treats the subsequent non-option argument `git-upload-pack` as the host 
instead of the command, but it is not a valid host name.
+
+  Although `ssh` supports aliases for hosts, even if `git-upload-pack` could 
be made an alias, that is made difficult by the URL-encoding transformation.
+
+However, an attacker who is able to cause a specially named `ssh` 
configuration file to be placed in the current working directory can smuggle in 
an `-F` option referencing the file, and this allows arbitrary command 
execution.
+
+This scenario is especially plausible because programs that operate on git 
repositories are often run in untrusted git repositories, sometimes even to 
operate on another repository. Situations where this is likely, such that an 
attacker could predict or arrange it, may for some applications include a 
malicious repository with a malicious submodule configuration.
+
+Other avenues of exploitation exist, but appear to be less severe. For 
example, the `-E` option can be smuggled to create or append to a file in the 
current directory (or its target, if it is a symlink). There may also be other 
significant ways to exploit this that have not yet been discovered, or that 
would arise with new options in future versions of `ssh`.
+
+### PoC
+
+To reproduce the known case that facilitates arbitrary code execution, first 
create a file in the current directory named `configf...@example.com`, of the 
form
+
+```text
+ProxyCommand payload
+```
+
+where `payload` is a command with an observable side effect. On Unix-like 
systems, this could be `date | tee vulnerable` or an `xdg-open`, `open`, or 
other command command to launch a graphical application. On Windows, this could 
be the name of a graphical application already in the search path, such as 
`calc.exe`.
+
+(Although the syntax permitted in the value of `ProxyCommand` may vary by 
platform, this is not limited to running commands in the current directory. 
That limitation only applies to paths directly smuggled in the username, not to 
the contents of a separate malicious configuration file. Arbitrary other 
settings may be specified in `configf...@example.com` as well.)
+
+Then run:
+
+```sh
+gix clone 'ssh://-fconfigf...@example.com/abc'
+```
+
+Or:
+
+```sh
+gix clone -- '-fconfigf...@example.com:abc/def'
+```
+
+(The `--` is required to ensure that `gix` is really passing the argument as a 
URL for use in `gix-transport`, rather than interpreting it as an option 
itself, which would not necessarily be a vulnerability.)
+
+In either case, the payload specified in `configf...@example.com` runs, and 
its side effect can be observed.
+
+Other cases may likewise be produced, in either of the above two forms of SSH 
addresses. For example, to create or append to the file `err...@example.com`, 
or to create or append to its target if it is a symlink:
+
+```sh
+gix clone 'ssh://-eerr...@example.com/abc'
+```
+
+```sh
+gix clone -- '-eerr...@example.com:abc/def'
+```
+
+### Impact
+
+As in 
[RUSTSEC-2023-0064](https://rustsec.org/advisories/RUSTSEC-2023-0064.html), 
this would typically require user interaction to trigger an attempt to clone or 
otherwise connect using the malicious URL. Furthermore, known means of 
exploiting this vulnerability to execute arbitrary commands require further 
preparatory steps to establish a specially named file in the current directory. 
The impact is therefore expected to be lesser, though it is difficult to 
predict it with certainty because it is not known exactly what scenarios will 
arise when using the `gix-transport` library.
+
+Users who use applications that make use of `gix-transport` are potentially 
vulnerable, especially:
+
+- On repositories with submodules that are automatically added, depending how 
the application manages submodules.
+- When operating on other repositories from inside an untrusted repository.
+- When reviewing contributions from untrusted developers by checking out a 
branch from an untrusted fork and performing clones from that location.
+
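Review bot: a few wording slips in the added body: `interpret part of all of the URL` should be `part or all`, `incuding on Windows` should be `including`, and `other command command to launch` doubles `command`. The file names in the PoC, `configf...@example.com` and `err...@example.com`, carry a `...` that looks like address masking by the mail archive rather than the advisory's real text; check the upstream advisory before merging so the committed file matches it. The metadata is consistent with the body (`patched = [">= 0.42.0"]` matches the `gix-transport` v0.42 statement).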
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20240330/crates/h2/RUSTSEC-2024-0332.md 
new/advisory-db-20240528/crates/h2/RUSTSEC-2024-0332.md
--- old/advisory-db-20240330/crates/h2/RUSTSEC-2024-0332.md     1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/h2/RUSTSEC-2024-0332.md     2024-05-26 
22:27:57.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0332"
+package = "h2"
+date = "2024-04-03"
+references = ["https://seanmonstar.com/blog/hyper-http2-continuation-flood/";]
+categories = ["denial-of-service"]
+keywords = ["http", "http2", "h2"]
+aliases = ["GHSA-q6cp-qfwq-4gcv"]
+
+[versions]
+patched = ["^0.3.26", ">= 0.4.4"]
+```
+
+# Degradation of service in h2 servers with CONTINUATION Flood
+
+An attacker can send a flood of CONTINUATION frames, causing `h2` to process 
them indefinitely.
+This results in an increase in CPU usage.
+
+Tokio task budget helps prevent this from a complete denial-of-service, as the 
server can still
+respond to legitimate requests, albeit with increased latency.
+
+More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
+
+Patches available for 0.4.x and 0.3.x versions.
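Review bot: `More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.` opens a double quote that is never closed; drop the quote or use angle-bracket link syntax. The same URL already sits in `references`, so the sentence could simply point at the reference. `patched = ["^0.3.26", ">= 0.4.4"]` is consistent with the `Patches available for 0.4.x and 0.3.x versions` line.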
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/hpack/RUSTSEC-2023-0085.md 
new/advisory-db-20240528/crates/hpack/RUSTSEC-2023-0085.md
--- old/advisory-db-20240330/crates/hpack/RUSTSEC-2023-0085.md  2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/hpack/RUSTSEC-2023-0085.md  2024-05-26 
22:27:57.000000000 +0200
@@ -6,6 +6,7 @@
 url = "https://github.com/mlalic/hpack-rs/issues/11";
 categories = ["denial-of-service"]
 references = 
["https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5";]
+aliases = ["GHSA-w7hm-hmxv-pvhf"]
 
 [versions]
 patched = []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/libdav1d-sys/RUSTSEC-2024-0016.md 
new/advisory-db-20240528/crates/libdav1d-sys/RUSTSEC-2024-0016.md
--- old/advisory-db-20240330/crates/libdav1d-sys/RUSTSEC-2024-0016.md   
2024-03-25 10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/libdav1d-sys/RUSTSEC-2024-0016.md   
2024-05-26 22:27:57.000000000 +0200
@@ -6,6 +6,7 @@
 url = "https://www.cvedetails.com/cve/CVE-2024-1580/";
 categories = ["memory-corruption"]
 keywords = ["integer-overflow"]
+aliases = ["GHSA-mc39-h54g-pvw6"]
 
 [affected]
 [versions]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/libp2p-tokio-socks5/RUSTSEC-2024-0334.md 
new/advisory-db-20240528/crates/libp2p-tokio-socks5/RUSTSEC-2024-0334.md
--- old/advisory-db-20240330/crates/libp2p-tokio-socks5/RUSTSEC-2024-0334.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/libp2p-tokio-socks5/RUSTSEC-2024-0334.md    
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0334"
+package = "libp2p-tokio-socks5"
+date = "2024-04-05"
+url = 
"https://github.com/comit-network/rust-libp2p-tokio-socks5/commit/e1fdc92ca69ffd254824ab80fbad5660f4aac911";
+informational = "unmaintained"
+license = "CC-BY-4.0"
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# `libp2p-tokio-socks5` is unmaintained
+
+Note the repository was archived without an issue so we link directly
+to the commit that marked the repository as unmaintained.
+
+To the best of the original authors knowledge the crate has no
+vulnerabilities as of the last release, it is just unmaintained due to
+laziness - new maintainer welcome.
+
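Review bot: `To the best of the original authors knowledge` needs the possessive, `author's` (or `authors'`). The rest of the body reads as the maintainer's own notice, which is fine for an unmaintained advisory.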
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/pqc_kyber/RUSTSEC-2023-0079.md 
new/advisory-db-20240528/crates/pqc_kyber/RUSTSEC-2023-0079.md
--- old/advisory-db-20240330/crates/pqc_kyber/RUSTSEC-2023-0079.md      
2024-03-25 10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/pqc_kyber/RUSTSEC-2023-0079.md      
2024-05-26 22:27:57.000000000 +0200
@@ -34,6 +34,13 @@
 
 The permanent link for the KyberSlash pages is 
[https://kyberslash.cr.yp.to](https://kyberslash.cr.yp.to).
 
-## Mitigation status in qpc_kyber crate
+## Mitigation status in `pqc_kyber` crate
 
-The issues has not been resolved in the `qpc_kyber` crate. A third-party fork 
that mitigates this attack vector has been published as 
[`safe_pqc_kyber`](https://crates.io/crates/safe_pqc_kyber).
+The issue has not been resolved in the upstream `pqc_kyber` crate.
+
+A third-party fork that mitigates this attack vector has been published as 
[`safe_pqc_kyber`](https://crates.io/crates/safe_pqc_kyber).
+
+## Alternatives
+
+The [`ml-kem`](https://crates.io/crates/ml-kem) crate is a maintained
+alternative pure Rust implementation of ML-KEM / Kyber.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/puccinier/RUSTSEC-2024-0331.md 
new/advisory-db-20240528/crates/puccinier/RUSTSEC-2024-0331.md
--- old/advisory-db-20240330/crates/puccinier/RUSTSEC-2024-0331.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/puccinier/RUSTSEC-2024-0331.md      
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0331"
+package = "puccinier"
+date = "2024-03-31"
+url = "https://github.com/catppuccin/toolbox/issues/66";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Puccinier is unmainted.
+
+The tool has been deprecated in favor of Catppuccin's new tool, 
[whiskers](https://github.com/catppuccin/toolbox/tree/main/whiskers) 
[(crates.io)](https://crates.io/crates/catppuccin-whiskers).
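Review bot: the title `# Puccinier is unmainted.` has a typo (`unmaintained`) and a trailing period that no other advisory heading in this batch carries; match the form used by `# \`rsa-export\` is unmaintained`.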
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/rsa-export/RUSTSEC-2024-0333.md 
new/advisory-db-20240528/crates/rsa-export/RUSTSEC-2024-0333.md
--- old/advisory-db-20240330/crates/rsa-export/RUSTSEC-2024-0333.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/rsa-export/RUSTSEC-2024-0333.md     
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0333"
+package = "rsa-export"
+date = "2024-04-06"
+references = [
+    "https://crates.io/crates/rsa-export/0.3.3";,
+    
"https://gitlab.com/smallglitch/rsa-export/-/commit/e29f17170d655a6f62eca8bf1f64ef0ce5807058";,
+]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `rsa-export` is unmaintained
+
+This crate has been deprecated in favour of using the native support for 
exporting RSA keys into the standard PEM format.  
+See [docs.rs documentation].
+
+In addition to that, the operations in this crate (arithmetic and Base64 
encoding) are not done in constant-time, 
+potentially [exposing the user to sidechannel attacks].
+
+[docs.rs documentation]: 
https://docs.rs/rsa/0.9.6/rsa/index.html#pkcs8-rsa-key-encoding
+[exposing the user to sidechannel attacks]: 
https://arxiv.org/pdf/2108.04600.pdf
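Review bot: `sidechannel` in the link text should be `side-channel`, and there is a double space before `See [docs.rs documentation]`. For consistency with the `libp2p-tokio-socks5` entry in this batch, consider pairing `patched = []` with an explicit `unaffected = []` so both unmaintained advisories carry the same version metadata shape.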
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/rustls/RUSTSEC-2024-0336.md 
new/advisory-db-20240528/crates/rustls/RUSTSEC-2024-0336.md
--- old/advisory-db-20240330/crates/rustls/RUSTSEC-2024-0336.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/rustls/RUSTSEC-2024-0336.md 2024-05-26 
22:27:57.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0336"
+package = "rustls"
+date = "2024-04-19"
+url = 
"https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj";
+categories = ["denial-of-service"]
+aliases = ["CVE-2024-32650", "GHSA-6g7w-8wpp-frhj"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.23.5", ">= 0.22.4, < 0.23.0", ">= 0.21.11, < 0.22.0"]
+
+[affected]
+functions = { "rustls::ConnectionCommon::complete_io" = ["<= 0.23.4", "<= 
0.22.3", "<= 0.21.10", "0.20"] }
+```
+
+# `rustls::ConnectionCommon::complete_io` could fall into an infinite loop 
based on network input
+
+If a `close_notify` alert is received during a handshake, `complete_io`
+does not terminate.
+
+Callers which do not call `complete_io` are not affected.
+
+`rustls-tokio` and `rustls-ffi` do not call `complete_io`
+and are not affected.
+
+`rustls::Stream` and `rustls::StreamOwned` types use
+`complete_io` and are affected.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/tls-listener/RUSTSEC-2024-0341.md 
new/advisory-db-20240528/crates/tls-listener/RUSTSEC-2024-0341.md
--- old/advisory-db-20240330/crates/tls-listener/RUSTSEC-2024-0341.md   
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/tls-listener/RUSTSEC-2024-0341.md   
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0341"
+package = "tls-listener"
+date = "2024-03-15"
+url = 
"https://github.com/tmccombs/tls-listener/security/advisories/GHSA-2qph-qpvm-2qf7";
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+aliases = ["CVE-2024-28854", "GHSA-2qph-qpvm-2qf7"]
+
+[versions]
+patched = [">= 0.10.0"]
+
+[affected]
+functions = { "tls_listener::TlsListener::new" = ["< 0.10.0"] }
+```
+
+# Slow loris vulnerability with default configuration
+
+tls-listener is a rust lang wrapper around a connection listener to support 
TLS. With the default configuration of tls-listener, a malicious user can open 
6.4 `TcpStream`s a second, sending 0 bytes, and can trigger a DoS. The default 
configuration options make any public service using `TlsListener::new()` 
vulnerable to a slow-loris DoS attack. This impacts any publicly accessible 
service using the default configuration of tls-listener in versions prior to 
0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this 
by passing a large value, such as `usize::MAX` as the parameter to 
`Builder::max_handshakes`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/tor-circmgr/RUSTSEC-2024-0339.md 
new/advisory-db-20240528/crates/tor-circmgr/RUSTSEC-2024-0339.md
--- old/advisory-db-20240330/crates/tor-circmgr/RUSTSEC-2024-0339.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/tor-circmgr/RUSTSEC-2024-0339.md    
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,86 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0339"
+package = "tor-circmgr"
+date = "2024-05-15"
+url = "https://gitlab.torproject.org/tpo/core/arti/-/issues/1409";
+keywords = ["tor", "privacy", "information-leak"]
+aliases = ["CVE-2024-35312", "CVE-2024-35313", "GHSA-9328-gcfq-p269", 
"GHSA-c96h-cxx6-rmg9", "TROVE-2024-003"]
+related = ["TROVE-2024-004"]
+
+[versions]
+patched = [">= 0.18.1"]
+unaffected = ["< 0.18.0"]
+```
+
+# Tor path lengths too short when "Vanguards lite" configured
+
+## Description
+
+When building anonymizing circuits to or from an onion service with 
+'lite' vanguards (the default) enabled, 
+the circuit manager code would build the circuits with one hop too few.
+
+## Impact
+
+This makes users of this code more vulnerable to some kinds of traffic analysis
+when they run or visit onion services.
+
+## Vulnerable configurations and use cases
+
+Arti configured with "vangaurds lite" is vulnerable;
+this is the default.
+
+Only users who make connections to Onion Services
+(Tor Hidden Services) are affected.
+Note, however, that when used as a browser proxy,
+malicious web pages can typically make such connections.
+
+## Mitigation
+
+Enable the "full vanguards" feature.
+This has some cost in terms of performance, reliability,
+and impact on the Tor Network.
+
+(Arti configured with "full vanguards" has a similar bug,
+TROVE-2024-04,
+so this will not deliver the full incressed security of "full vanguards";
+but the security level of affected versions of Arti
+configured with "full vanguards" still exceeds
+the intended security level of the "vanguards lite" configuration.)
+
+Alternatively,
+preventing access to Tor Hidden Services will avoid the problem,
+with corresponding loss of functionality.
+This can be achieved in the Arti configuration file with:
+
+```
+[address_filter]
+allow_onion_addrs = false
+```
+
+## Resolution
+
+Rebuild `arti` (or other affected applications)
+with a fixed version of `tor-circmgr`:
+0.18.1 or later.
+
+The fixed `tor-circmgr` is on crates.io and available in
+[the upstream git repository](https://gitlab.torproject.org/tpo/core/arti)
+at signed tag `arti-v1.2.3`.
+
+### Note about older versions
+
+Even though earlier versions are classified as "not affected",
+this is because in those versions the Vanguards feature
+is experimental, or absent.
+Downgrading worsens security, rather than improving it.
+
+## References
+
+ * [arti#1409](https://gitlab.torproject.org/tpo/core/arti/-/issues/1409):
+   the ticket in the Arti bugtracker.
+ * 
[TROVE](https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE)
+   Tor Project vulnerability database.
+ * [arti#1400](https://gitlab.torproject.org/tpo/core/arti/-/issues/1400):
+   the similar bug with the full vanguards feature.
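Review bot: spelling slips in the added body: `vangaurds lite` should be `vanguards lite`, `incressed` should be `increased`, and the parenthetical refers to `TROVE-2024-04` while the `related` field and the rest of the text use `TROVE-2024-004`; use the four-digit form throughout so the identifier is searchable.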
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/tor-circmgr/RUSTSEC-2024-0340.md 
new/advisory-db-20240528/crates/tor-circmgr/RUSTSEC-2024-0340.md
--- old/advisory-db-20240330/crates/tor-circmgr/RUSTSEC-2024-0340.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/tor-circmgr/RUSTSEC-2024-0340.md    
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,78 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0340"
+package = "tor-circmgr"
+date = "2024-05-15"
+url = "https://gitlab.torproject.org/tpo/core/arti/-/issues/1409";
+keywords = ["tor", "privacy", "information-leak"]
+aliases = ["CVE-2024-35313", "GHSA-c96h-cxx6-rmg9", "TROVE-2024-004"]
+related = ["TROVE-2024-003"]
+
+[versions]
+patched = [">= 0.18.1"]
+unaffected = ["< 0.18.0"]
+```
+
+# Tor path lengths too short when "full Vanguards" configured
+
+## Description
+
+When building anonymizing circuits to or from an onion service with 
+full vanguards enabled, 
+the circuit manager code would build the circuits with one hop too few.
+
+## Impact
+
+This makes users of this code more vulnerable to some kinds of traffic analysis
+when they run or visit onion services.
+
+## Vulnerable configurations and use cases
+
+Arti configured with "full vangaurds" is vulnerable.
+
+Only users who make connections to Onion Services
+(Tor Hidden Services) are affected.
+Note, however, that when used as a browser proxy,
+malicious web pages can typically make such connections.
+
+## Mitigation
+
+Preventing access to Tor Hidden Services will avoid the problem,
+with corresponding loss of functionality.
+This can be achieved in the Arti configuration file with:
+
+```
+[address_filter]
+allow_onion_addrs = false
+```
+
+Changing the configuration (eg to turn off vanguards)
+reclassifies the behaviour as "as configured",
+but reduces security rather than improving it,
+so is not a mitigation.
+
+## Resolution
+
+Rebuild `arti` (or other affected applications)
+with a fixed version of `tor-circmgr`:
+0.18.1 or later.
+
+The fixed `tor-circmgr` is on crates.io and available in
+[the upstream git repository](https://gitlab.torproject.org/tpo/core/arti)
+at signed tag `arti-v1.2.3`.
+
+### Note about older versions
+
+Even though earlier versions are classified as "not affected",
+this is because in those versions the Vanguards feature
+is experimental, or absent.
+Downgrading worsens security, rather than improving it.
+
+## References
+
+ * [arti#1400](https://gitlab.torproject.org/tpo/core/arti/-/issues/1400):
+   the ticket in the Arti bugtracker.
+ * 
[TROVE](https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE)
+   Tor Project vulnerability database.
+ * [arti#1409](https://gitlab.torproject.org/tpo/core/arti/-/issues/1409):
+   the similar bug with the vanguards lite feature.
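Review bot: the `url` field in the front matter points at arti#1409, but the References section lists arti#1400 as "the ticket in the Arti bugtracker" for this advisory and describes arti#1409 as "the similar bug with the vanguards lite feature", so one of the two should change to make the canonical link unambiguous. Two smaller points in the same hunk: "full vangaurds" under "Vulnerable configurations and use cases" is a typo for "full vanguards", and that section says only users who make connections to onion services are affected, while the Description covers circuits built "to or from an onion service" and the Impact section says users who "run or visit" them; stating that both clients and operators of onion services are affected would keep the three sections consistent.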
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/transpose/RUSTSEC-2023-0080.md 
new/advisory-db-20240528/crates/transpose/RUSTSEC-2023-0080.md
--- old/advisory-db-20240330/crates/transpose/RUSTSEC-2023-0080.md      
2024-03-25 10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/transpose/RUSTSEC-2023-0080.md      
2024-05-26 22:27:57.000000000 +0200
@@ -5,6 +5,7 @@
 date = "2023-12-18"
 url = "https://github.com/ejmahler/transpose/issues/11";
 categories = ["memory-corruption"]
+aliases = ["GHSA-5gmm-6m36-r7jh"]
 
 [versions]
 patched = [">= 0.2.3"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/vodozemac/RUSTSEC-2024-0342.md 
new/advisory-db-20240528/crates/vodozemac/RUSTSEC-2024-0342.md
--- old/advisory-db-20240330/crates/vodozemac/RUSTSEC-2024-0342.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/vodozemac/RUSTSEC-2024-0342.md      
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0342"
+package = "vodozemac"
+date = "2024-05-02"
+url = 
"https://github.com/matrix-org/vodozemac/security/advisories/GHSA-c3hm-hxwf-g5c6";
+categories = ["memory-exposure"]
+aliases = ["CVE-2024-34063", "GHSA-c3hm-hxwf-g5c6"]
+
+[versions]
+patched = [">= 0.6.0"]
+unaffected = ["< 0.5.0"]
+```
+
+# Degraded secret zeroization capabilities 
+
+Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization 
capabilities,
+due to changes in third-party cryptographic dependencies (the Dalek crates),
+which moved secret zeroization capabilities behind a feature flag while
+vodozemac disabled the default feature set.
+
+## Impact
+
+The degraded zeroization capabilities could result in the production of more
+memory copies of encryption secrets and secrets could linger in memory longer
+than necessary. This marginally increases the risk of sensitive data exposure.
+
+Overall, we consider the impact of this issue to be low. Although cryptographic
+best practices recommend the clearing of sensitive information from memory once
+it's no longer needed, the inherent limitations of Rust regarding absolute
+zeroization reduce the practical severity of this lapse.
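Review bot: the body never states the fix version in prose; a reader has to infer it from `patched = [">= 0.6.0"]` and `unaffected = ["< 0.5.0"]` in the front matter, so a short Resolution line such as "Upgrade to vodozemac 0.6.0 or later" would match the layout of the other new advisories in this update. The description also says zeroization moved behind a feature flag in the Dalek crates without naming the flag; naming it would let downstream users check their own feature selection. Minor: the title line "# Degraded secret zeroization capabilities " carries trailing whitespace.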
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/whoami/RUSTSEC-2024-0020.md 
new/advisory-db-20240528/crates/whoami/RUSTSEC-2024-0020.md
--- old/advisory-db-20240330/crates/whoami/RUSTSEC-2024-0020.md 2024-03-25 
10:34:40.000000000 +0100
+++ new/advisory-db-20240528/crates/whoami/RUSTSEC-2024-0020.md 2024-05-26 
22:27:57.000000000 +0200
@@ -6,6 +6,7 @@
 url = "https://github.com/ardaku/whoami/issues/91";
 categories = ["denial-of-service", "memory-corruption"]
 keywords = ["buffer-overflow", "stack-buffer-overflow", "cwe-121"]
+aliases = ["GHSA-w5w5-8vfh-xcjq"]
 
 [affected]
 # Other Unix OSes that aren't Linux or macOS are affected as well.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20240330/crates/zip_next/RUSTSEC-2024-0337.md 
new/advisory-db-20240528/crates/zip_next/RUSTSEC-2024-0337.md
--- old/advisory-db-20240330/crates/zip_next/RUSTSEC-2024-0337.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240528/crates/zip_next/RUSTSEC-2024-0337.md       
2024-05-26 22:27:57.000000000 +0200
@@ -0,0 +1,13 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0337"
+package = "zip_next"
+date = "2024-04-20"
+url = "https://github.com/zip-rs/zip/issues/446";
+informational = "unmaintained"
+[versions]
+patched = []
+```
+# The crate `zip_next` has been renamed to `zip`.
+
+Please switch to the new name. `zip_next` will receive no further releases.
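Review bot: the front matter and body run together without the blank lines the other advisories in this update use: `informational = "unmaintained"` is immediately followed by `[versions]`, and the closing code fence is immediately followed by the title line. Inserting a blank line before `[versions]` and another after the closing fence keeps the file consistent with RUSTSEC-2024-0340 and RUSTSEC-2024-0342 above. `patched = []` together with `informational = "unmaintained"` is the right combination for a rename notice, since no release of `zip_next` will carry a fix, and the body already names the successor crate `zip`.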
