Commit Graph

2966 Commits

Author SHA1 Message Date
Dirkjan Ochtman
cfcb789c37 Mark surf and tide as unmaintained 2026-06-04 13:39:16 +02:00
djc
cf9c07022f Assigned RUSTSEC-2026-0156 to metacall, RUSTSEC-2026-0157 to metacall 2026-06-03 12:42:03 +02:00
Thanasis Trispiotis
5fab8dfc1b add advisories for metacall 2026-06-03 12:40:48 +02:00
djc
98c2ab6d44 Assigned RUSTSEC-2026-0155 to exploration 2026-06-03 10:48:05 +02:00
Adam Harvey
fdc8924393 Add malware advisory for exploration. 2026-06-03 09:37:49 +02:00
djc
501c03f38e Assigned RUSTSEC-2026-0153 to russh-cryptovec, RUSTSEC-2026-0154 to russh 2026-06-02 11:53:13 +02:00
kpcyrd
518060137e Add advisory for russh-cryptovec 2026-06-02 11:41:09 +02:00
kpcyrd
6a05274be9 Add advisory for russh 2026-06-02 11:41:09 +02:00
mrdgo
db8b58a109 Update patched version
After thoroughly inspecting the vulnerability, it is present until 0.7.19, inclusive and only patched in the first 1.0.0 version.
2026-06-01 16:16:58 +02:00
djc
d32d6eea0f Assigned RUSTSEC-2026-0152 to oneringbuf 2026-06-01 15:19:35 +02:00
Thanasis Trispiotis
2141410987 fix: toml format 2026-06-01 15:05:35 +02:00
Thanasis Trispiotis
8af973c984 Add advisory for oneringbuf DroppableRef UAF 2026-06-01 15:05:35 +02:00
Sergey "Shnatsel" Davidoff
eaf48e749b Fix jxl-grid code snippet 2026-05-29 20:55:26 +02:00
djc
af256cd40c Assigned RUSTSEC-2026-0151 to jxl-grid 2026-05-29 18:41:02 +02:00
Sergey "Shnatsel" Davidoff
794f71dd88 Add jxl-grid advisory 2026-05-29 18:33:47 +02:00
Jake Shadle
be6e70abbb Fix url (#2913) 2026-05-27 17:33:53 +02:00
yosinn1-blip
831c50f4a4 docs: fix malicious spelling in contributing guide (#2909)
Signed-off-by: Yoshiki <yosinn1@gmail.com>
2026-05-23 18:31:49 -04:00
djc
130152155e Assigned RUSTSEC-2026-0150 to audiopus_sys 2026-05-22 12:09:18 +02:00
sean
1b5176a9ba Add advisory for audiopus_sys
Closes #2704
2026-05-22 12:03:55 +02:00
djc
48da8ef981 Assigned RUSTSEC-2026-0149 to wasmtime-wasi 2026-05-22 12:02:28 +02:00
Pat Hickey
957d00b465 create rustsec advisory wasmtime-wasi crate: wasmtime project's GHSA-2r75-cxrj-cmph 2026-05-22 11:59:54 +02:00
djc
266f6df58b Assigned RUSTSEC-2025-0162 to vku 2026-05-20 15:32:31 +02:00
sisy2020
7a58cf6fc0 Add advisory for vku VMABuffer::set_data unsoundness (#2849) 2026-05-20 13:46:52 +02:00
djc
597f7afa7c Assigned RUSTSEC-2026-0148 to boxlite 2026-05-20 12:00:58 +02:00
dorianzheng
c6c6bfb38e Add advisory for boxlite (GHSA-f396-4rp4-7v2j / CVE-2026-46703)
OCI layer symlink escape → arbitrary host write. Fixed in boxlite 0.9.0
(2026-05-03), published 2026-05-16.

Filed under the post-disclosure crate-author path per CONTRIBUTING.md.
Single entry on the boxlite crate; boxlite-cli inherits via dependency
graph, per @djc's review feedback.
2026-05-20 11:41:52 +02:00
djc
81844ddbe9 Assigned RUSTSEC-2026-0147 to boxlite 2026-05-20 11:41:31 +02:00
dorianzheng
112fdb0f0d Add advisory for boxlite (GHSA-g6ww-w5j2-r7x3 / CVE-2026-46695)
Read-only volume remount bypass via guest CAP_SYS_ADMIN. Fixed in boxlite
0.9.0 (2026-05-03), published 2026-05-16.

Filed under the post-disclosure crate-author path per CONTRIBUTING.md.
Single entry on the boxlite crate; boxlite-cli inherits via dependency
graph, per @djc's review feedback.
2026-05-20 11:40:03 +02:00
djc
8e671baec1 Synchronize IDs (2026-05-20) 2026-05-20 09:14:04 +02:00
djc
f38202dae9 Synchronize IDs (2026-05-19) 2026-05-19 07:50:44 +02:00
djc
b6ea970d26 Assigned RUSTSEC-2026-0145 to astral-tokio-tar, RUSTSEC-2026-0146 to anchor-lang 2026-05-19 06:53:18 +02:00
Jamie Hill-Daniel
6aed4c2363 Add advisory for anchor-lang InterfaceAccount validation 2026-05-18 22:47:07 +02:00
William Woodruff
e266252331 Add an astral-tokio-tar advisory 2026-05-18 22:46:37 +02:00
djc
c69890bc62 Assigned RUSTSEC-2026-0144 to anchor-lang 2026-05-18 21:28:44 +02:00
Jamie Hill-Daniel
e1e852ff7f Add advisory for anchor-lang Program System validation 2026-05-18 21:25:13 +02:00
Goat
fbe725826a Withdraw RUSTSEC-2026-0132 2026-05-17 22:07:58 +02:00
djc
f2ae5fc8e5 Synchronize IDs (2026-05-16) 2026-05-16 09:08:02 +02:00
djc
5ac2fcb858 Assigned RUSTSEC-2026-0142 to mutringbuf, RUSTSEC-2026-0143 to oneringbuf 2026-05-14 23:26:19 +02:00
Berkant Koc
36078c55a7 Add advisory for oneringbuf: vmem double-free reachable from safe Rust (#2883)
* Add advisory for oneringbuf: vmem double-free reachable from safe Rust

The vmem-feature codepath bit-copies UnsafeSyncCell<T> into mmap and
also lets the source Box drop, producing a double-free of every
heap-owning T on later ring-buffer destruction. Reachable from safe Rust
constructors.

* oneringbuf advisory: maintainer-ack received, add mutringbuf parallel advisory

- oneringbuf RUSTSEC: set patched = ">= 0.7.1", add fix reference (PR #3), update Notes section
- mutringbuf RUSTSEC: new parallel advisory for the archived predecessor (same bug, all versions yanked, migrate to oneringbuf >= 0.7.1)

Reopens rustsec/advisory-db#2883 per maintainer acknowledgement on
skilvingr/rust-oneringbuf#3 (2026-05-14).

* advisory(oneringbuf): trim per djc review — drop overly-detailed affected-paths and predecessor-crate sections

Per code review on rustsec/advisory-db#2883:

- Drop "## Affected paths" section: source-file line ranges (4 bullets)
  are too detailed for an advisory body — the upstream fix PR carries
  this information for anyone digging into the implementation.
- Drop "## Related: `mutringbuf` (predecessor crate)" section: the
  parallel mutringbuf advisory stands on its own and the cross-link
  here is redundant.

Body trimmed from 329 to 247 words. No content change to the technical
description, trigger, or fix block.
2026-05-14 22:59:28 +02:00
Dirkjan Ochtman
04d55cc76a Start a basic pull request template 2026-05-14 12:05:09 +02:00
djc
6c90ae5ee8 Assigned RUSTSEC-2026-0141 to lettre 2026-05-14 11:14:38 +02:00
Paolo Barbolini
d0e589a0c6 Add advisory for lettre for TLS hostname verification disabled in Boring TLS backend 2026-05-14 11:13:17 +02:00
Bennet Bleßmann
7cdb364326 bump rustsec commit in workflows 2026-05-14 08:37:21 +02:00
djc
fa1c324454 Assigned RUSTSEC-2026-0140 to dynoxide-rs 2026-05-13 17:15:09 +02:00
Martin Hicks
fbe632fc00 Add advisory for dynoxide-rs (DNS rebinding / CSRF) (#2852) 2026-05-13 16:56:40 +02:00
djc
56cb4e727f Assigned RUSTSEC-2026-0139 to metacall 2026-05-13 16:54:08 +02:00
Yaokun Zhang - nju
e0cd142ede Add advisory for metacall: null-ptr dereference and double-free via safe APIs 2026-05-13 16:33:22 +02:00
djc
d84377fa6b Assigned RUSTSEC-2026-0134 to diesel, RUSTSEC-2026-0135 to diesel, RUSTSEC-2026-0136 to diesel, RUSTSEC-2026-0137 to diesel, RUSTSEC-2026-0138 to diesel-async 2026-05-13 16:16:31 +02:00
Georg Semmler
d1e5f9ec78 Add more advisories for recvent Diesel related vulnerabilities
I was asked to fill advisories for these cases as well. I believe the
impact of all of them is rather limited, but better be safe than sorry.
2026-05-13 16:13:16 +02:00
djc
0717627558 Assigned RUSTSEC-2026-0131 to bitchomp, RUSTSEC-2026-0132 to ssdeep, RUSTSEC-2026-0133 to auto_vec 2026-05-13 14:38:12 +02:00
Yaokun Zhang - nju
72fd077c65 Add advisory for ssdeep: OOB write via public Context fields 2026-05-13 14:37:32 +02:00