Tony Arcieri
64c17acfe3
Migrate all advisories to V2 format (closes #228)
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.
This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
2020-03-01 10:46:35 -08:00
Tony Arcieri
df7657d332
Fix broken/malformatted outbound links
2020-01-27 07:52:31 -08:00
Tony Arcieri
d8e872fd93
Assign RUSTSEC-2020-0004 to lucet-runtime-internals
Original PR: https://github.com/RustSec/advisory-db/pull/229
2020-01-27 07:19:15 -08:00
Tony Arcieri
723abd4d2b
Merge pull request #229 from jfoote/master
Add lucet-runtime-internals sigstack allocation vuln advisory
2020-01-27 07:18:20 -08:00
Tony Arcieri
2b82281e54
Assign RUSTSEC-2020-0003 (informational) to rust_sodium
Original PR: https://github.com/RustSec/advisory-db/pull/225
2020-01-27 07:09:23 -08:00
Tony Arcieri
e5eeccda02
Merge branch 'master' into rust_sodium
2020-01-27 06:44:52 -08:00
Jonathan Foote
0271003e2e
Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
Correct quote characters
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
2020-01-24 15:36:06 -05:00
Jonathan Foote
3f1f71de9b
Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
Correct quote characters
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
2020-01-24 15:35:58 -05:00
Jonathan Foote
f8ff9cfc6f
Add lucet-runtime-internals sigstack allocation vuln advisory
2020-01-24 15:27:56 -05:00
Stephen Coyle
b300fa84d7
Add unmaintained crate informational advisory: rust_sodium
2020-01-21 12:17:20 +00:00
Tony Arcieri
17e82e13d6
Assign RUSTSEC-2018-0016 to quickersort
Original PR: https://github.com/RustSec/advisory-db/pull/210
2020-01-20 07:05:35 -08:00
Tony Arcieri
e78d311ee1
Merge pull request #210 from EmbarkStudios/quickersort
Add advisory for deprecated/unmaintained quickersort
2020-01-20 06:37:58 -08:00
Tony Arcieri
e30a06a6b2
RUSTSEC-2016-0005: add note about rust-crypto vs RustCrypto
The `rust-crypto` crate and RustCrypto org have confusingly similar
names, which has caused confusion about this advisory in practice:
https://www.reddit.com/r/rust/comments/e29sxc/ann_rustcryptoaead_v020_heapless_symmetric_aead/f8ujyxm/
This commit adds a small note to disambiguate them and note that
RustCrypto-the-GitHub-org is still maintained.
2020-01-19 11:07:44 -08:00
Johan Andersson
8b0725132b
Fix typo
Co-Authored-By: Randy Taylor <tehgecKozzz@gmail.com>
2020-01-17 22:17:06 +01:00
Tony Arcieri
a5b6099b9d
Assign RUSTSEC-2020-0002 to prost
Original PR: https://github.com/RustSec/advisory-db/pull/222
2020-01-16 12:52:00 -08:00
Danilo Bargen
7a0d254bbe
fixup! Add advisory for prost stack overflow
2020-01-16 20:23:41 +01:00
Danilo Bargen
57f553ee45
Add advisory for prost stack overflow
2020-01-16 20:22:21 +01:00
Roy Wellington Ⅳ
200651cff2
Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20
I believe these two vulnerabilities were patched at 0.1.20.
For RUSTSEC-2019-0033:
The advisory links to the bug: https://github.com/hyperium/http/issues/352
In that bug, the fixing PR was https://github.com/hyperium/http/pull/360
That PR merged the commit 81ceb61 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][1]).
[1]: 81ceb611cf
For RUSTSEC-2019-0034:
This advisory is two separate GitHub issues against `HeaderMap::drain`,
http #354 and http #355.
For the first: the issue: https://github.com/hyperium/http/issues/354
In that bug, the fixing PR was https://github.com/hyperium/http/pull/357
That PR merged the commit 82d53db to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][2]).
[2]: 82d53dbdfd
For the second: the issue: https://github.com/hyperium/http/issues/355
In that bug, the fixing PR was https://github.com/hyperium/http/pull/362
That PR merged the commit 8ffe094 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][3]).
[3]: 8ffe094df1
2020-01-09 12:20:27 -05:00
Tony Arcieri
526892a193
Assign RUSTSEC-2019-0034 to http
Original PR: https://github.com/RustSec/advisory-db/pull/218
2020-01-09 11:24:52 -05:00
Tony Arcieri
52e0b4e186
Merge branch 'master' into http2
2020-01-09 10:49:26 -05:00
Tony Arcieri
0e59ecb72d
Assign RUSTSEC-2019-0033 to http
Original PR: https://github.com/RustSec/advisory-db/pull/217
2020-01-09 10:37:55 -05:00
Yechan Bae
ba2df66b30
hyperium/http/issues/354,355
2020-01-09 00:48:06 -05:00
Yechan Bae
36b8de692c
hyperium/http/issues/352
2020-01-09 00:45:59 -05:00
Tony Arcieri
e043405eab
Assign RUSTSEC-2020-0001 to trust-dns-server
Original PR: https://github.com/RustSec/advisory-db/pull/215
2020-01-07 12:57:20 -05:00
Benjamin Fry
1af3b6eea6
trust-dns-server additions processing overflows stack
2020-01-06 13:12:19 -08:00
Tony Arcieri
694f07e241
RUSTSEC-2019-0031: add conquer-once as an alternative to spin
https://github.com/oliver-giersch/conquer-once
2020-01-03 13:32:51 -05:00
Bas van Dijk
158c986aa4
string-interner-0.6.4 also fixes RUSTSEC-2019-0023
The fix https://github.com/Robbepop/string-interner/pull/10
released in 0.7.1 was also backported to the 0.6 release line in
https://github.com/Robbepop/string-interner/pull/14 and released in 0.6.4.
2019-12-21 11:43:05 +01:00
Johan Andersson
6da6344b00
Add advisory for deprecated/unmaintained quickersort
The author of the `quickersort` crate has deprecated it and does not
recommend using it anymore.
Everything in it has been incorporated into std::sort_unstable in the
standard library as of Rust 1.20.
2019-12-19 00:26:05 +01:00
Tony Arcieri
c2c2e8e1a7
Assign RUSTSEC-2019-0032 to crust
Original PR: https://github.com/RustSec/advisory-db/pull/204
2019-12-17 07:32:36 -08:00
Tony Arcieri
91b9e060e2
Assign RUSTSEC-2019-0031 to spin
Unmaintained per its author:
https://github.com/mvdnes/spin-rs/commit/7516c80
2019-12-17 06:42:04 -08:00
Sebastian Imlay
366505b01b
Added RUSTSEC advisory for crust as unmaintained.
2019-11-21 16:08:53 -08:00
Tony Arcieri
c762d41313
Assign RUSTSEC-2019-0030 to streebog
Original PR: https://github.com/RustSec/advisory-db/pull/201
2019-11-07 08:16:46 -08:00
newpavlov
34eb710de5
fix description
2019-11-06 19:49:57 +03:00
newpavlov
7786157156
add an advisory for streebog bug
2019-11-06 19:47:35 +03:00
brycx
9a3a5743c0
No IETF on XChaCha20 variant
2019-11-04 19:53:43 +01:00
brycx
c8f2bccd72
rust-crypto: Add orion as alternative
2019-11-04 15:49:50 +01:00
Tony Arcieri
ab01fe3e28
Assign RUSTSEC-2019-0029 to chacha20
2019-10-23 10:56:18 -07:00
Tony Arcieri
0f1e1885db
chacha20: Add counter overflow advisory
Upstream issue: https://github.com/RustCrypto/stream-ciphers/pull/64
2019-10-23 10:37:38 -07:00
Tony Arcieri
d520ed489c
Assign RUSTSEC-2019-0028 to flatbuffers
2019-10-23 09:11:16 -07:00
Simonas Kazlauskas
2a867650cb
Add a flatbuffers unsound code advisory
2019-10-20 20:30:18 +03:00
Roman Proskuryakov
73c772d878
Update RUSTSEC-2019-0026.toml
2019-10-20 02:04:21 +03:00
Tony Arcieri
783394f059
Assign RUSTSEC-2019-0027 to libsecp256k1
Original PR: https://github.com/RustSec/advisory-db/pull/194
2019-10-14 08:47:43 -07:00
Martin Pugh
0af6c80758
Add libsecp256k1 advisory
2019-10-14 15:08:46 +01:00
Tony Arcieri
38a7158626
Assign RUSTSEC-2019-0026 to sodiumoxide
Original PR: https://github.com/RustSec/advisory-db/pull/192
2019-10-11 11:43:47 -07:00
Roman Proskuryakov
fd955ac4a2
PartialEq implementation for sodiumoxide::crypto::generichash::Digest has compared itself to itself
2019-10-11 20:38:01 +03:00
Tony Arcieri
cad07fbc25
RUSTSEC-2017-0006: rmpv: add patched versions
Patched as of v0.4.2:
https://github.com/RustSec/advisory-db/pull/171#issuecomment-540169499
2019-10-11 09:07:24 -07:00
Tony Arcieri
621d40e195
Assign RUSTSEC-2019-0025 to serde_cbor
Original PR: https://github.com/RustSec/advisory-db/pull/171/files
2019-10-11 08:40:48 -07:00
pyfisch
3afc9e6afc
Flaw in CBOR deserializer allows stack overflow
2019-10-10 11:43:01 +02:00
Tony Arcieri
14f7fd3faa
RUSTSEC-2019-0024: Test advisory for rustsec-example-crate
This is a test advisory useful for verifying RustSec tooling and
vulnerability detection pipelines are working correctly. Aside from
the fact that it is filed against an example crate, it is otherwise
considered by the Advisory Database itself to be a normal security
advisory.
It's filed against `rustsec-example-crate`, an otherwise completely
empty crate with no functionality or code, which has two releases:
- v0.0.1: *vulnerable* according to this advisory
- v1.0.0: *patched* by this advisory
(Technically there is a third release, v0.0.0, which is yanked, but
otherwise identical to the v0.0.1 release)
2019-10-08 18:11:30 -07:00
Tony Arcieri
f7581dc887
Assign RUSTSEC-2016-0006 (informational) to cassandra
Marking as unmaintained per:
https://github.com/RustSec/advisory-db/pull/183
2019-10-08 11:13:07 -07:00