mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2025-12-30 00:03:57 +01:00
5f68bbad79
* Add advisory for tokio-rs/tokio#4225 If a `tokio::sync::oneshot` channel is closed (via the [`oneshot::Receiver::close`] method), a data race may occur if the `oneshot::Sender::send` method is called while the corresponding `oneshot::Receiver` is `await`ed or calling `try_recv`. When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to [cause memory corruption][corruption]. Note that the race only occurs when **both** halves of the channel are used after one half has called `close`. Code where `close` is not used, or where the `Receiver` is not `await`ed and `try_recv` is not called after calling `close`, is not affected. See tokio-rs/tokio#4225 for more details. This issue was patched in v1.13.1. The patch was backported to the current LTS version (v1.8.x) in release v1.8.4. * Update crates/tokio/RUSTSEC-0000-0000.md Co-authored-by: Tony Arcieri <bascule@gmail.com> * fix toml lint whoops * Update crates/tokio/RUSTSEC-0000-0000.md * Update crates/tokio/RUSTSEC-0000-0000.md Co-authored-by: Tony Arcieri <bascule@gmail.com>
RustSec Advisory Database
The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.io. A human-readable version of the advisory database can be found at https://rustsec.org/advisories/.
We also export advisory data to the OSV format,
see the osv branch.
The following tools consume this advisory database and can be used for auditing and reporting (send PRs to add yours):
- cargo-audit: Audit
Cargo.lockfiles for crates with security vulnerabilities - cargo-deny: Audit
Cargo.lockfiles for crates with security vulnerabilities, limit the usage of particular dependencies, their licenses, sources to download from, detect multiple versions of same packages in the dependency tree and more.
Reporting Vulnerabilities
To report a new vulnerability, open a pull request using the template below. See CONTRIBUTING.md for more information.
Advisory Format
See EXAMPLE_ADVISORY.md for a template.
Advisories are formatted in Markdown with TOML "front matter". Below is the schema of the "front matter" section of an advisory:
# Before you submit a PR using this template, **please delete the comments**
# explaining each field, as well as any unused fields.
[advisory]
# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
id = "RUSTSEC-0000-0000"
# Name of the affected crate (mandatory)
package = "mycrate"
# Disclosure date of the advisory as an RFC 3339 date (mandatory)
date = "2021-01-31"
# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
# a change log entry, or a blogpost announcing the release (optional)
url = "https://github.com/mystuff/mycrate/issues/123"
# Optional: Categories this advisory falls under. Valid categories are:
# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure"
# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
categories = ["crypto-failure"]
# Optional: a Common Vulnerability Scoring System score. More information
# can be found on the CVSS website, https://www.first.org/cvss/.
#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Freeform keywords which describe this vulnerability, similar to Cargo (optional)
keywords = ["ssl", "mitm"]
# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
# Request a CVE for your RustSec vulns: https://iwantacve.org/
#aliases = ["CVE-2018-XXXX"]
# Related vulnerabilities (optional)
# e.g. CVE for a C library wrapped by a -sys crate)
#related = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
# Optional: metadata which narrows the scope of what this advisory affects
[affected]
# CPU architectures impacted by this vulnerability (optional).
# Only use this if the vulnerability is specific to a particular CPU architecture,
# e.g. the vulnerability is in x86 assembly.
# For a list of CPU architecture strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.Arch.html>
#arch = ["x86", "x86_64"]
# Operating systems impacted by this vulnerability (optional)
# Only use this if the vulnerable is specific to a particular OS, e.g. it was
# located in a binding to a Windows-specific API.
# For a list of OS strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.OS.html>
#os = ["windows"]
# Table of canonical paths to vulnerable functions (optional)
# mapping to which versions impacted by this advisory used that particular
# name (e.g. if the function was renamed between versions).
# The path syntax is `cratename::path::to::function`, without any
# parameters or additional information, followed by a list of version reqs.
functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
# Versions which include fixes for this vulnerability (mandatory)
[versions]
patched = [">= 1.2.0"]
# Versions which were never vulnerable (optional)
#unaffected = ["< 1.1.0"]
License
All content in this repository is placed in the public domain.
