From 6f59b11780fcb92d3f082d9a0f26c9b0d973144b Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff" <sdavydov@google.com>
Date: Sat, 26 Sep 2020 19:35:10 +0200
Subject: [PATCH] Advisory for unsound pinning in actix-http

---
 crates/actix-http/RUSTSEC-0000-0000.toml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 crates/actix-http/RUSTSEC-0000-0000.toml

diff --git a/crates/actix-http/RUSTSEC-0000-0000.toml b/crates/actix-http/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..f32dfc9
--- /dev/null
+++ b/crates/actix-http/RUSTSEC-0000-0000.toml
@@ -0,0 +1,19 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "actix-http"
+date = "2019-01-24"
+title = "Use-after-free in BodyStream due to lack of pinning"
+url = "https://github.com/actix/actix-web/issues/1321"
+categories = ["memory-corruption"]
+
+description = """
+Affected versions of this crate did not require the buffer wrapped in `BodyStream` to be pinned,
+but treated it as if it had a fixed location in memory. This may result in a use-after-free.
+ 
+The flaw was corrected by making the trait `MessageBody` require `Unpin`
+and making `poll_next()` function accept `Pin<&mut Self>` instead of `&mut self`.
+"""
+
+# Versions which include fixes for this vulnerability (mandatory)
+[versions]
+patched = [">= 2.0.0-alpha.1"]