OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-29 15:56:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,420 Commits 1 Branch 0 Tags
b4b68c19bce948aa51925b3d742980cee4b10338
Commit Graph

1420 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Youngsuk Kim
b4b68c19bc bite: Read on uninitialized memory (#593) 
* bite: Read on uninitialized memory

* informational = "unsound"
 2021-08-21 19:08:46 -06:00
github-actions[bot]
68d6f5afa9 Assigned RUSTSEC-2021-0082 to vec-const (#985) 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
 2021-08-21 19:08:23 -06:00
Ben Kimock
01c59cafdb Report vec-const as unsound (#981) 
Co-authored-by: Tony Arcieri <bascule@gmail.com>
 2021-08-21 19:07:03 -06:00
diwic
f20b53ca89 Patched release of reffers (#984) 
I'm not sure anyone uses this old crate but if they do, at least now they have a fixed version.
 2021-08-21 12:38:49 +03:00
Sergey "Shnatsel" Davidoff
e0fda3fe9b add CVE alias to RUSTSEC-2021-0081(actix-http) (#983) 2021-08-17 22:07:01 +03:00
kpcyrd
67da87fc89 Update RUSTSEC-2021-0080 [affected] version (#980) 2021-08-11 00:54:42 +03:00
Remi Rampin
01bad82da9 Add fix for RUSTSEC-2021-0080 (#979) 2021-08-10 19:52:04 +03:00
github-actions[bot]
e692597283 Assigned RUSTSEC-2021-0081 to actix-http (#978) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-08-10 12:12:52 +03:00
Rob Ede
7a42cb7e08 add advisory for actix-http HRS (#977) 
* add actix-http HRS

* Update RUSTSEC-0000-0000.md

* Update RUSTSEC-0000-0000.md

* Adjust version ranges to make a hypothetical 4.0.0 patched

* drop nonexistent category

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
 2021-08-10 12:11:38 +03:00
ZSchoen
541c537a23 added specific affected functions to CVE-2021-29922 (#975) 
Co-authored-by: Tony Arcieri <bascule@gmail.com>
 2021-08-09 05:15:56 -07:00
github-actions[bot]
ce76490feb Assigned RUSTSEC-2021-0080 to tar (#974) 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
 2021-08-08 13:16:32 -07:00
kpcyrd
158cd653ca Add directory traversal for tar (#965) 
Co-authored-by: Tony Arcieri <bascule@gmail.com>
 2021-08-08 12:53:24 -07:00
github-actions[bot]
82ce1aa716 Assigned RUSTSEC-2021-0079 to hyper (#973) 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
 2021-08-08 12:41:08 -07:00
BlackHoleFox
3a5de9c7b5 Add advisory for hyper Transfer-Encoding header parsing (#968) 2021-08-08 12:39:37 -07:00
github-actions[bot]
255194ae7a Assigned RUSTSEC-2021-0078 to hyper (#972) 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
 2021-08-08 12:39:12 -07:00
BlackHoleFox
0148dead3a Add advisory for hyper Content-Length header parsing (#967) 2021-08-08 12:36:02 -07:00
ZSchoen
a81783c627 added CVE-2021-29922 (#971) 2021-08-08 12:35:13 -07:00
github-actions[bot]
1db7602857 Assigned RUSTSEC-2021-0077 to better-macro (#969) 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
 2021-07-26 13:46:07 -07:00
Jeremy Fitzhardinge
8af7718d8f better-macro has deliberate RCE in proc-macro (#966) 
It's "Proving A Point" in
https://github.com/raycar5/better-macro/blob/master/doc/hi.md but there's
no guarantee that this will remain benign (or is actually benign right
now). The crate also has no useful functionality.
 2021-07-26 13:39:47 -07:00
github-actions[bot]
e20838a4ff Assigned RUSTSEC-2021-0076 to libsecp256k1 (#964) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-07-13 15:47:59 +03:00
Martin Pugh
e95d360049 Add advisory for libsecp256k1 (#963) 
* add advisory

* fix formatting
 2021-07-13 15:46:23 +03:00
github-actions[bot]
4792a373b1 Assigned RUSTSEC-2021-0075 to ark-r1cs-std (#962) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-07-09 06:07:19 +02:00
Pratyush Mishra
674daf6fae ark_r1cs_std::mul_by_inverse generated unsound constraints in versions below 0.3.1 (#961) 
* `ark_r1cs_std::mul_by_inverse` was unsound in versions below `0.3.1`

* Fix category

* Add link to PR
 2021-07-09 06:06:05 +02:00
Sergey "Shnatsel" Davidoff
730c1e815a Revert "Hotfix #957 until we figure out what to do with it (#958)" (#960) 
This reverts commit a9c31a6e25.
 2021-07-08 21:09:27 +02:00
github-actions[bot]
2d60adf54f Assigned RUSTSEC-2021-0074 to ammonia (#959) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-07-08 20:48:05 +02:00
Michael Howell
3533e434a6 Add rust-ammonia/ammonia#142 (#956) 
* Add rust-ammonia/ammonia#142

* Update RUSTSEC-0000-0000.md

* Update RUSTSEC-0000-0000.md
 2021-07-08 20:46:50 +02:00
Sergey "Shnatsel" Davidoff
a9c31a6e25 Hotfix #957 until we figure out what to do with it (#958) 2021-07-08 20:34:15 +02:00
github-actions[bot]
7629432184 Assigned RUSTSEC-2021-0073 to prost-types (#955) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-07-08 19:27:50 +02:00
Lucio Franco
1889bffd67 prost-types: Timestamp conversion overflow (#954) 2021-07-08 19:25:47 +02:00
Sergey "Shnatsel" Davidoff
cbeaf18e2b Made RUSTSEC-2021-0072 not affect tokio 2.0 and later 2021-07-08 01:26:08 +02:00
github-actions[bot]
01ac699fd5 Assigned RUSTSEC-2021-0072 to tokio (#952) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-07-08 01:09:42 +02:00
Alice Ryhl
6f2157cba4 Add advisory for race condition in Tokio (#951) 
* Add RUSTSEC for tokio#3929

* Update version range

* Wrap with code fences

* Add advisory information

* Add unaffected

* Don't use tilde in version specification

it's not yet supported by rustsec v0.24

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
 2021-07-08 01:08:31 +02:00
Yechan Bae
afbc0dc9e1 Update five std CVEs (#946) 2021-07-06 12:36:13 -06:00
Tony Arcieri
23d8630fbe Bump rustsec-admin to v0.5.1 (#949) 2021-07-03 13:02:47 -06:00
Sergey "Shnatsel" Davidoff
34e9832a80 OSV export: fix handling of advisories without an ID (#948) 
* OSV export: fix handling of advisories without an ID

* job will fail without -f flag on rm
 2021-07-02 17:48:46 +02:00
Sergey "Shnatsel" Davidoff
9f3eb562a2 Add OSV export CI job (#947) 2021-07-02 17:22:13 +02:00
Sergey "Shnatsel" Davidoff
d5a60f2737 Fix RUSTSEC-2021-0048 which doesn't declare an operand (#945) 2021-07-02 01:39:03 +02:00
Sergey "Shnatsel" Davidoff
84e3fb3121 Add withdrawn field (#942) 
* Add `withdrawn` field to advisories, recording the yank date

* Synthetic signed commit for testing

* Add `withdrawn` field to lubpulse-binding advisory forgotten on the first pass
 2021-06-30 00:08:30 +02:00
Tony Arcieri
1684325bb6 Bump rustsec-admin to v0.5.0 (#944) 2021-06-30 00:01:00 +02:00
Chojan Shang
220bc71988 Add patched version for flatbuffers RUSTSEC-2020-0009 (#943) 
Signed-off-by: Chojan Shang <psiace@outlook.com>
 2021-06-23 23:24:04 +02:00
David Marshall
cd87335b46 Update RUSTSEC-2021-0049.md (#941) 
https://nvd.nist.gov/vuln/detail/CVE-2021-29940
 2021-06-16 23:05:39 +02:00
github-actions[bot]
0d2022a191 Assigned RUSTSEC-2021-0071 to grep-cli (#940) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-06-15 00:43:22 +02:00
Andrew Gallant
ec6dbf077c crates/grep-cli: add advisory for arbitrary binary execution on Windows (#939) 
* crates/grep-cli: add advisory for arbitrary binary execution on Windows

Ref https://github.com/BurntSushi/ripgrep/issues/1773

* drop commented out field

* crates/grep-cli: add more details about mitigation

Instead of dancing around it, we just say it: the main issue is that
std::process::Command will resolve relative binary names with respect to
the CWD first, because it just uses the Windows API for this.

More specifically, we call out the two particular mitigations that are
now in place.

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
 2021-06-15 00:42:25 +02:00
Sergey "Shnatsel" Davidoff
86ed56812a Add GHSA mentions to aliases field. This is becoming more important with OSV enabling interop between databases (#937) 2021-06-08 21:07:22 -04:00
Brad Gibson
958120be0a Update RUSTSEC-2020-0043.md (#934) 
Version of `parity-ws` containing fix now correctly reads `>=0.10.0', not '>0.10.0' (0.10.0 is the latest as of this writing and contains the fix).
 2021-06-07 23:06:52 +02:00
github-actions[bot]
9984f61e56 Assigned RUSTSEC-2021-0070 to nalgebra (#932) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
 2021-06-06 13:52:19 -04:00
Austin Hartzheim
46e657b29c Add advisory for nalgebra VecStorage/MatrixVec (#931) 2021-06-06 19:42:06 +02:00
Sergey "Shnatsel" Davidoff
40afced5fb Remove range overlaps, fix some range specifications (#930) 
* Drop some clearly redundant bounds

* Fix RUSTSEC-2020-0091 - the version specification was incorrect, marking 1.0.0 as fixed while in reality it was not

* Fix RUSTSEC-2018-0004: presumably any updates to 0.3.x series would also get the fix, it would not be isolated to 0.3.2

* Fix incorrectly defined, overlapping ranges in RUSTSEC-2020-0080 and RUSTSEC-2019-0035
 2021-06-04 23:26:23 +02:00
Sergey "Shnatsel" Davidoff
3e51834f36 Make ranges in trust-dns-proto advisory non-overlapping (#929) 2021-06-04 18:38:56 +02:00
github-actions[bot]
aa04921a0e Assigned RUSTSEC-2021-0069 to lettre (#925) 
Co-authored-by: alex <alex@users.noreply.github.com>
 2021-05-22 14:13:18 -04:00