OCI layer symlink escape → arbitrary host write. Fixed in boxlite 0.9.0
(2026-05-03), published 2026-05-16.
Filed under the post-disclosure crate-author path per CONTRIBUTING.md.
Single entry on the boxlite crate; boxlite-cli inherits via dependency
graph, per @djc's review feedback.
Read-only volume remount bypass via guest CAP_SYS_ADMIN. Fixed in boxlite
0.9.0 (2026-05-03), published 2026-05-16.
Filed under the post-disclosure crate-author path per CONTRIBUTING.md.
Single entry on the boxlite crate; boxlite-cli inherits via dependency
graph, per @djc's review feedback.
* Add advisory for oneringbuf: vmem double-free reachable from safe Rust
The vmem-feature codepath bit-copies UnsafeSyncCell<T> into mmap and
also lets the source Box drop, producing a double-free of every
heap-owning T on later ring-buffer destruction. Reachable from safe Rust
constructors.
* oneringbuf advisory: maintainer-ack received, add mutringbuf parallel advisory
- oneringbuf RUSTSEC: set patched = ">= 0.7.1", add fix reference (PR #3), update Notes section
- mutringbuf RUSTSEC: new parallel advisory for the archived predecessor (same bug, all versions yanked, migrate to oneringbuf >= 0.7.1)
Reopensrustsec/advisory-db#2883 per maintainer acknowledgement on
skilvingr/rust-oneringbuf#3 (2026-05-14).
* advisory(oneringbuf): trim per djc review — drop overly-detailed affected-paths and predecessor-crate sections
Per code review on rustsec/advisory-db#2883:
- Drop "## Affected paths" section: source-file line ranges (4 bullets)
are too detailed for an advisory body — the upstream fix PR carries
this information for anyone digging into the implementation.
- Drop "## Related: `mutringbuf` (predecessor crate)" section: the
parallel mutringbuf advisory stands on its own and the cross-link
here is redundant.
Body trimmed from 329 to 247 words. No content change to the technical
description, trigger, or fix block.