From dce22c22b29ecd8d66549dcef2382b689b2dbbb3 Mon Sep 17 00:00:00 2001
From: Konrad Borowski
Date: Mon, 17 Sep 2018 08:40:04 +0200
Subject: [PATCH 1/4] Add advisory for yaml-rust

---
 crates/yaml-rust/RUSTSEC-0000-0000.toml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 crates/yaml-rust/RUSTSEC-0000-0000.toml

diff --git a/crates/yaml-rust/RUSTSEC-0000-0000.toml b/crates/yaml-rust/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..b3892d1
--- /dev/null
+++ b/crates/yaml-rust/RUSTSEC-0000-0000.toml
@@ -0,0 +1,17 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "yaml-rust"
+date = "2018-09-17"
+title = "Uncontrolled recursion leads to abort in deserialization"
+description = """
+Affected versions of this crate did not prevent deep recursion while
+deserializing data structures.
+
+This allows an attacker to make a YAML file with deeply nested structures
+that causes an abort while deserializing it.
+
+The flaw was corrected by checking the recursion depth.
+"""
+patched_versions = [">= 0.4.1"]
+url = "https://github.com/chyh1990/yaml-rust/pull/109"
+keywords = ["crash"]

From f22c3798f62e0c1756473b7bbb8618043ff928a0 Mon Sep 17 00:00:00 2001
From: Konrad Borowski
Date: Mon, 17 Sep 2018 08:44:14 +0200
Subject: [PATCH 2/4] Add advisory for serde_yaml

---
 crates/serde_yaml/RUSTSEC-0000-0000.toml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 crates/serde_yaml/RUSTSEC-0000-0000.toml

diff --git a/crates/serde_yaml/RUSTSEC-0000-0000.toml b/crates/serde_yaml/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..fdbae15
--- /dev/null
+++ b/crates/serde_yaml/RUSTSEC-0000-0000.toml
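Review bot: The description in the new yaml-rust advisory (the `+description` block) says only that nested input "causes an abort"; for downstream triage it should name the failure mode and impact, since an abort on attacker-controlled input is an unrecoverable denial of service rather than a recoverable parse error. Given the stated cause is unbounded recursion this is presumably a stack overflow that takes down the whole process — confirm against the linked PR and, if so, reword to `that causes a stack overflow and aborts the process while deserializing it.` It would also help to state explicitly that every release before 0.4.1 is affected: the serde_yaml advisory in PATCH 2/4 carries an `unaffected_versions` bound while this one does not, and a reader should not have to guess whether the omission is deliberate. If the keyword vocabulary allows it, a denial-of-service keyword alongside `"crash"` would make the advisory easier to find by impact.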
@@ -0,0 +1,18 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "serde_yaml"
+date = "2018-09-17"
+title = "Uncontrolled recursion leads to abort in deserialization"
+description = """
+Affected versions of this crate did not properly check for recursion
+while deserializing aliases.
+
+This allows an attacker to make a YAML file with an alias referring
+to itself causing an abort.
+
+The flaw was corrected by checking the recursion depth.
+"""
+patched_versions = [">= 0.8.4"]
+unaffected_versions = ["< 0.6.0-rc1"]
+url = "https://github.com/dtolnay/serde-yaml/pull/105"
+keywords = ["crash"]

From ee579432c66d76283eed9b2d54793fd27888669f Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sat, 13 Oct 2018 16:15:42 -0700
Subject: [PATCH 3/4] Assign RUSTSEC-2018-0005 to serde_yaml

Original PR: https://github.com/RustSec/advisory-db/pull/61
---
 .../{RUSTSEC-0000-0000.toml => RUSTSEC-2018-0005.toml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename crates/serde_yaml/{RUSTSEC-0000-0000.toml => RUSTSEC-2018-0005.toml} (95%)

diff --git a/crates/serde_yaml/RUSTSEC-0000-0000.toml b/crates/serde_yaml/RUSTSEC-2018-0005.toml
similarity index 95%
rename from crates/serde_yaml/RUSTSEC-0000-0000.toml
rename to crates/serde_yaml/RUSTSEC-2018-0005.toml
index fdbae15..9016ee0 100644
--- a/crates/serde_yaml/RUSTSEC-0000-0000.toml
+++ b/crates/serde_yaml/RUSTSEC-2018-0005.toml
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2018-0005"
 package = "serde_yaml"
 date = "2018-09-17"
 title = "Uncontrolled recursion leads to abort in deserialization"

From 89aab75c1ba5e3c3d949875f583be859e780d761 Mon Sep 17 00:00:00 2001
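Review bot: The serde_yaml advisory describes a different root cause (recursion through a self-referencing alias, per the `+description` block) from the yaml-rust advisory in PATCH 1/4 (deeply nested structures), yet neither advisory refers to the other. As far as I know serde_yaml's parsing is layered on yaml-rust, so a consumer on serde_yaml >= 0.8.4 may still be exposed to the nesting issue unless yaml-rust is also at >= 0.4.1; a sentence in the description cross-referencing the yaml-rust advisory would keep that from being missed. As in PATCH 1/4 the impact is stated only as "an abort" — describing it as a process-terminating denial of service on untrusted input, presumably a stack overflow, would help triage; confirm against the linked PR before wording it that way. The `unaffected_versions = ["< 0.6.0-rc1"]` bound uses a pre-release tag, so it is worth verifying how the advisory tooling's semver matching treats that comparator for both pre-release and regular releases on either side of it.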
From: Tony Arcieri
Date: Sat, 13 Oct 2018 18:09:39 -0700
Subject: [PATCH 4/4] Assign RUSTSEC-2018-0006 to yaml-rust

Original PR: https://github.com/RustSec/advisory-db/pull/60
---
 .../{RUSTSEC-0000-0000.toml => RUSTSEC-2018-0006.toml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename crates/yaml-rust/{RUSTSEC-0000-0000.toml => RUSTSEC-2018-0006.toml} (95%)

diff --git a/crates/yaml-rust/RUSTSEC-0000-0000.toml b/crates/yaml-rust/RUSTSEC-2018-0006.toml
similarity index 95%
rename from crates/yaml-rust/RUSTSEC-0000-0000.toml
rename to crates/yaml-rust/RUSTSEC-2018-0006.toml
index b3892d1..854b81a 100644
--- a/crates/yaml-rust/RUSTSEC-0000-0000.toml
+++ b/crates/yaml-rust/RUSTSEC-2018-0006.toml
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2018-0006"
 package = "yaml-rust"
 date = "2018-09-17"
 title = "Uncontrolled recursion leads to abort in deserialization"