Tony Arcieri
2a0ed62cd1
Assign RUSTSEC-2020-0011 to plutonium
Original PR: https://github.com/RustSec/advisory-db/pull/268
2020-04-24 12:30:55 -07:00
Naja Melan
ab1840c2be
Try an empty array for patched versions.
Co-Authored-By: Tony Arcieri <bascule@gmail.com>
2020-04-24 06:05:59 +00:00
Naja Melan
b761cd7428
Advisory for plutonium.
2020-04-23 23:26:08 +02:00
Tony Arcieri
7a2a72d069
Assign RUSTSEC-2017-0007 to lz4-compress
Original PR: https://github.com/RustSec/advisory-db/pull/264
2020-04-16 17:23:59 -07:00
Sergey "Shnatsel" Davidoff
6282ddf273
change advisory number to pass the linter
2020-04-17 02:07:56 +02:00
Sergey "Shnatsel" Davidoff
bbcceb735f
Mark lz4-compress as unmaintained
2020-04-17 02:04:58 +02:00
Tony Arcieri
c427489358
Assign RUSTSEC-2020-0010 to tiberius
Original PR: https://github.com/RustSec/advisory-db/pull/262
2020-04-16 08:59:42 -07:00
Tony Arcieri
cce1d47240
Add tiberius unmaintained advisory
2020-04-16 08:46:03 -07:00
Tony Arcieri
577308d91b
Assign RUSTSEC-2020-0009 to flatbuffers
Original PR: https://github.com/RustSec/advisory-db/pull/259
2020-04-14 07:48:53 -07:00
Eduardo Sánchez Muñoz
4399b9e310
Improve advisory for flatbuffers.
2020-04-11 16:09:15 +02:00
Eduardo Sánchez Muñoz
cbeef93cf0
Add advisory for flatbuffers
2020-04-11 13:25:30 +02:00
Pavlos Poulakis
c22f80eb55
Add unaffected field to RUSTSEC-2020-0008.
2020-04-01 13:28:48 +01:00
Eliza Weisman
9889ed0831
Fix patched version for RUSTSEC-2020-0008
The vulnerability description for advisory RUSTSEC-2020-0008, "Flaw in
hyper allows request smuggling by sending a body in GET requests", lists
an incorrect patched version. The advisory states that the vulnerability
was fixed in `hyper` 0.12.35, but `hyper`'s changelog [shows][1] that
the patch (hyperium/hyper@23fc8b0) was published in 0.12.34. I believe
that this means that `cargo audit` will incorrectly report patched
versions as vulnerable.
This PR corrects the listed version.
[1]: https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v01234-2019-09-04
2020-03-31 10:41:53 -07:00
Tony Arcieri
6053e3a05f
Assign RUSTSEC-2020-0008 to hyper
Original PR: https://github.com/RustSec/advisory-db/pull/255
2020-03-31 10:07:02 -07:00
Demi M. Obenour
91eed85346
Note that another vulnerability is needed for RCE
Also make some trivial changes to pass the linter.
2020-03-30 18:59:14 -04:00
Demi M. Obenour
8b6786f78c
Merge branch 'master' into smuggling
2020-03-30 18:38:47 -04:00
Tony Arcieri
4de36fe70a
Assign RUSTSEC-2020-0007 to bitvec
Original PR: https://github.com/RustSec/advisory-db/pull/253
2020-03-30 12:45:16 -07:00
Alexander Payne
70389f6a25
Report memory management error in bitvec
...
See myrrlyn/bitvec#55
2020-03-27 16:10:15 -06:00
Tony Arcieri
ab9cad4eba
Assign RUSTSEC-2020-0006 to bumpalo
Original PR: https://github.com/RustSec/advisory-db/pull/251
2020-03-24 14:21:56 -07:00
Nick Fitzgerald
2a32306fa8
bumpalo: Report memory exposure bug in realloc
2020-03-24 14:12:17 -07:00
Tony Arcieri
da46c54637
Assign RUSTSEC-2020-0005 to cbox
Original PR: https://github.com/RustSec/advisory-db/pull/246
2020-03-23 09:25:44 -07:00
Tony Arcieri
d99e1f9c94
Merge branch 'master' into cbox
2020-03-23 09:09:25 -07:00
Paul Hummer
ca7a01db12
fix: update patched version for 2019-0028
This patch updates the `RUSTSEC-2019-0028` advisory to show a patched
version is available. The patch was added [in PR 5554](https://github.com/google/flatbuffers/pull/5554),
and released with version `0.6.1`.
2020-03-19 15:46:22 -06:00
Eduardo Sánchez Muñoz
ce9b3be5b3
Add advisory for cbox
2020-03-19 20:23:50 +01:00
Demi M. Obenour
0d7868ccb9
Add hyper request smuggling vulnerability
2020-03-19 11:41:39 -04:00
Sergey "Shnatsel" Davidoff
7797133c67
Add CVE mapping
2020-03-18 17:15:13 +01:00
Tony Arcieri
1880f0baf8
RUSTSEC-2016-0005: move md-5 crate to legacy algorithms
https://www.kb.cert.org/vuls/id/836068/
2020-03-15 15:43:02 -07:00
Steven Troxler
b02ff94044
Add md5 to RustCrypto digest algorithms
When migrating a codebase off of rust-crypto, I encountered a few uses of the md5 digest, and realized that it was missing from this advisory. Since deprecations are good onboarding tasks for folks new to rust (like me), I figured it would be helpful to explicitly state here that RustCrypto has an `md-5` crate you can use as (almost) a drop-in replacement
2020-03-14 14:32:08 -07:00
Tony Arcieri
ee50344262
RUSTSEC-2019-0031: add link to spinning_top
2020-03-13 09:05:42 -07:00
Tony Arcieri
64c17acfe3
Migrate all advisories to V2 format (closes #228)
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.
This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
2020-03-01 10:46:35 -08:00
Tony Arcieri
df7657d332
Fix broken/malformatted outbound links
2020-01-27 07:52:31 -08:00
Tony Arcieri
d8e872fd93
Assign RUSTSEC-2020-0004 to lucet-runtime-internals
Original PR: https://github.com/RustSec/advisory-db/pull/229
2020-01-27 07:19:15 -08:00
Tony Arcieri
723abd4d2b
Merge pull request #229 from jfoote/master
Add lucet-runtime-internals sigstack allocation vuln advisory
2020-01-27 07:18:20 -08:00
Tony Arcieri
2b82281e54
Assign RUSTSEC-2020-0003 (informational) to rust_sodium
Original PR: https://github.com/RustSec/advisory-db/pull/225
2020-01-27 07:09:23 -08:00
Tony Arcieri
e5eeccda02
Merge branch 'master' into rust_sodium
2020-01-27 06:44:52 -08:00
Jonathan Foote
0271003e2e
Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
Correct quote characters
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
2020-01-24 15:36:06 -05:00
Jonathan Foote
3f1f71de9b
Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
Correct quote characters
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
2020-01-24 15:35:58 -05:00
Jonathan Foote
f8ff9cfc6f
Add lucet-runtime-internals sigstack allocation vuln advisory
2020-01-24 15:27:56 -05:00
Stephen Coyle
b300fa84d7
Add unmaintained crate informational advisory: rust_sodium
2020-01-21 12:17:20 +00:00
Tony Arcieri
17e82e13d6
Assign RUSTSEC-2018-0016 to quickersort
Original PR: https://github.com/RustSec/advisory-db/pull/210
2020-01-20 07:05:35 -08:00
Tony Arcieri
e78d311ee1
Merge pull request #210 from EmbarkStudios/quickersort
Add advisory for deprecated/unmaintained quickersort
2020-01-20 06:37:58 -08:00
Tony Arcieri
e30a06a6b2
RUSTSEC-2016-0005: add note about rust-crypto vs RustCrypto
The `rust-crypto` crate and RustCrypto org have confusingly similar
names, which has caused confusion about this advisory in practice:
https://www.reddit.com/r/rust/comments/e29sxc/ann_rustcryptoaead_v020_heapless_symmetric_aead/f8ujyxm/
This commit adds a small note to disambiguate them and note that
RustCrypto-the-GitHub-org is still maintained.
2020-01-19 11:07:44 -08:00
Johan Andersson
8b0725132b
Fix typo
Co-Authored-By: Randy Taylor <tehgecKozzz@gmail.com>
2020-01-17 22:17:06 +01:00
Tony Arcieri
a5b6099b9d
Assign RUSTSEC-2020-0002 to prost
Original PR: https://github.com/RustSec/advisory-db/pull/222
2020-01-16 12:52:00 -08:00
Danilo Bargen
7a0d254bbe
fixup! Add advisory for prost stack overflow
2020-01-16 20:23:41 +01:00
Danilo Bargen
57f553ee45
Add advisory for prost stack overflow
2020-01-16 20:22:21 +01:00
Roy Wellington Ⅳ
200651cff2
Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20
I believe these two vulnerabilities were patched at 0.1.20.
For RUSTSEC-2019-0033:
The advisory links to the bug: https://github.com/hyperium/http/issues/352
In that bug, the fixing PR was https://github.com/hyperium/http/pull/360
That PR merged the commit 81ceb61 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][1]).
[1]: 81ceb611cf
For RUSTSEC-2019-0034:
This advisory is two separate GitHub issues against `HeaderMap::drain`,
http #354 and http #355.
For the first: the issue: https://github.com/hyperium/http/issues/354
In that bug, the fixing PR was https://github.com/hyperium/http/pull/357
That PR merged the commit 82d53db to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][2]).
[2]: 82d53dbdfd
For the second: the issue: https://github.com/hyperium/http/issues/355
In that bug, the fixing PR was https://github.com/hyperium/http/pull/362
That PR merged the commit 8ffe094 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][3]).
[3]: 8ffe094df1
2020-01-09 12:20:27 -05:00
Tony Arcieri
526892a193
Assign RUSTSEC-2019-0034 to http
Original PR: https://github.com/RustSec/advisory-db/pull/218
2020-01-09 11:24:52 -05:00
Tony Arcieri
52e0b4e186
Merge branch 'master' into http2
2020-01-09 10:49:26 -05:00
Tony Arcieri
0e59ecb72d
Assign RUSTSEC-2019-0033 to http
Original PR: https://github.com/RustSec/advisory-db/pull/217
2020-01-09 10:37:55 -05:00