* Advisory for GHSA-m8rp-vv92-46c7 (incomplete unescaping) in gix-path
* Fix up body Markdown for RUSTSEC
- `<` `>` around a bare URL
- manual linking and rendering of referenced commit hash
- manual linking of a bare CVE number to associated global GHSA
* Add CVE number
* Add reference to GitHub Advisory Database entry
Now that it has been published there as well.
* Add global GHSA reference for RUSTSEC-2024-0367 (config scopes)
This adds a link to the GitHub Advisory Database entry
https://github.com/advisories/GHSA-v26r-4c9c-h3j6 for
RUSTSEC-2024-0367 / CVE-2024-45305 / GHSA-v26r-4c9c-h3j6.
This entry was added to the GitHub Advisory Database since this
RUSTSEC entry was created in #2055 and updated in #2061.
(This also adds a reference to the NVD entry, which has a useful
summary and appears as a reference in the global GHSA's reference
section.)
* Linkify bare URLs
The advisory, RUSTSEC-2024-0367, has two bare URLs in it, which
are displayed as links (and, in the repo-level GHSA, also showing
the linked-to lines of code). This surrounds them with `<` and `>`
so that they are rendered as hyperlinks, as they are in the global
GHSA.
(This does not correspond to a revision to the global GHSA because
they are already shown that way there. This change thus brings the
RUSTSEC advisory in line with the others.)
This adds CVE-2024-45305 to `aliases` for RUSTSEC-2024-0367.
No CVE had been issued for that vulnerability when it was added to
the RUSTSEC database in #2055, but it has been assigned since.
* Advisory for GHSA-v26r-4c9c-h3j6 (config scopes) in gix-path
* Fix a commit hash intended to be a link to commit info
This worked on GitHub but should not be expected to be a hyperlink
elsewhere. So this makes the rendered text and target explicit.
* Add CVSS metadata
It is present in GHSA-v26r-4c9c-h3j6, I just accidentally left it
out initially.
* Clarify some wording in the advisory
I have already made this change at GHSA-v26r-4c9c-h3j6.
* Unsoundness notice for gix-attributes (kstring integration)
gix-attributes was found by @ssbr to be unsound, as reported in
https://github.com/Byron/gitoxide/issues/1460. This adds an
informational notice for that, as discussed in comments there.
It looks like the affected code, having been introduced in
https://github.com/Byron/gitoxide/pull/400, was present in all
versions of the crate prior to the fix in 0.22.3 (which was one of
the bugs fixed in https://github.com/Byron/gitoxide/pull/1462).
Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
* Small adjustments for advisory
This makes some minor changes to the advisory description to adapt
the text from https://github.com/Byron/gitoxide/issues/1460 to be
an advisory. For the most part it has remained the same. Changes:
* Express the claim of unsoundness with more confidence, since it
has been reviewed by the maintainer.
* Modify the link to the affected code to point to the latest tag
for gix-attributes that has that code. The original link was to
a branch, so it was broken when the fix was applied.
* Apply inline code formatting in a few more places, where doing
so improves stylistic consistency.
---------
Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
* Add advisory for object_store credentials leak via logs
* remove `informational = notice` which is not a vulnerability
---------
Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
* Advisory for CVE-2024-40644 (program files) in gix-path
* Make the old hard-coded paths clear in the advisory
Since specific elements of it are referenced in the following text.
This way, even if this is read offline or otherwise without the
ability to load the linked code from GitHub, the advisory is clear.
* Add reference to entry in GitHub Advisory Database
* Fix version spec for affected public functions
Since it is only applicable to versions affected by the
vulnerability, which is already just that one version, I think
`*` is actually sufficient.