2930 Commits

Author SHA1 Message Date
djc
5ac2fcb858 Assigned RUSTSEC-2026-0142 to mutringbuf, RUSTSEC-2026-0143 to oneringbuf 2026-05-14 23:26:19 +02:00
Berkant Koc
36078c55a7 Add advisory for oneringbuf: vmem double-free reachable from safe Rust (#2883)
* Add advisory for oneringbuf: vmem double-free reachable from safe Rust

The vmem-feature codepath bit-copies UnsafeSyncCell<T> into mmap and
also lets the source Box drop, producing a double-free of every
heap-owning T on later ring-buffer destruction. Reachable from safe Rust
constructors.

* oneringbuf advisory: maintainer-ack received, add mutringbuf parallel advisory

- oneringbuf RUSTSEC: set patched = ">= 0.7.1", add fix reference (PR #3), update Notes section
- mutringbuf RUSTSEC: new parallel advisory for the archived predecessor (same bug, all versions yanked, migrate to oneringbuf >= 0.7.1)

Reopens rustsec/advisory-db#2883 per maintainer acknowledgement on
skilvingr/rust-oneringbuf#3 (2026-05-14).

* advisory(oneringbuf): trim per djc review — drop overly-detailed affected-paths and predecessor-crate sections

Per code review on rustsec/advisory-db#2883:

- Drop "## Affected paths" section: source-file line ranges (4 bullets)
  are too detailed for an advisory body — the upstream fix PR carries
  this information for anyone digging into the implementation.
- Drop "## Related: `mutringbuf` (predecessor crate)" section: the
  parallel mutringbuf advisory stands on its own and the cross-link
  here is redundant.

Body trimmed from 329 to 247 words. No content change to the technical
description, trigger, or fix block.
2026-05-14 22:59:28 +02:00
Dirkjan Ochtman
04d55cc76a Start a basic pull request template 2026-05-14 12:05:09 +02:00
djc
6c90ae5ee8 Assigned RUSTSEC-2026-0141 to lettre 2026-05-14 11:14:38 +02:00
Paolo Barbolini
d0e589a0c6 Add advisory for lettre for TLS hostname verification disabled in Boring TLS backend 2026-05-14 11:13:17 +02:00
Bennet Bleßmann
7cdb364326 bump rustsec commit in workflows 2026-05-14 08:37:21 +02:00
djc
fa1c324454 Assigned RUSTSEC-2026-0140 to dynoxide-rs 2026-05-13 17:15:09 +02:00
Martin Hicks
fbe632fc00 Add advisory for dynoxide-rs (DNS rebinding / CSRF) (#2852) 2026-05-13 16:56:40 +02:00
djc
56cb4e727f Assigned RUSTSEC-2026-0139 to metacall 2026-05-13 16:54:08 +02:00
Yaokun Zhang - nju
e0cd142ede Add advisory for metacall: null-ptr dereference and double-free via safe APIs 2026-05-13 16:33:22 +02:00
djc
d84377fa6b Assigned RUSTSEC-2026-0134 to diesel, RUSTSEC-2026-0135 to diesel, RUSTSEC-2026-0136 to diesel, RUSTSEC-2026-0137 to diesel, RUSTSEC-2026-0138 to diesel-async 2026-05-13 16:16:31 +02:00
Georg Semmler
d1e5f9ec78 Add more advisories for recent Diesel related vulnerabilities
I was asked to fill advisories for these cases as well. I believe the
impact of all of them is rather limited, but better be safe than sorry.
2026-05-13 16:13:16 +02:00
djc
0717627558 Assigned RUSTSEC-2026-0131 to bitchomp, RUSTSEC-2026-0132 to ssdeep, RUSTSEC-2026-0133 to auto_vec 2026-05-13 14:38:12 +02:00
Yaokun Zhang - nju
72fd077c65 Add advisory for ssdeep: OOB write via public Context fields 2026-05-13 14:37:32 +02:00
Yaokun Zhang - nju
8b64e94c7e Add advisory for auto_vec: invalid pointer arithmetic in iter() 2026-05-13 14:36:31 +02:00
Yaokun Zhang - nju
bf8a779554 Add advisory for bitchomp: double-free in Chomp::inner() 2026-05-13 14:35:35 +02:00
djc
7f94698fd6 Assigned RUSTSEC-2026-0129 to dahl-salso, RUSTSEC-2026-0130 to caja 2026-05-13 14:34:44 +02:00
Yaokun Zhang - nju
a53de22a2f Add advisory for dahl-salso: buffer overflow in Clusterings 2026-05-13 14:34:07 +02:00
Yaokun Zhang - nju
7dcac19bfd Add advisory for caja: OOB read/write in Index/IndexMut 2026-05-13 14:33:19 +02:00
djc
73757ade36 Assigned RUSTSEC-2026-0128 to emap 2026-05-13 14:19:05 +02:00
Yaokun Zhang - nju
c00bf82954 Add advisory for emap: double-free in Keys::next() 2026-05-13 14:16:49 +02:00
djc
88d76dd09d Assigned RUSTSEC-2026-0127 to accessor 2026-05-13 14:16:15 +02:00
Yaokun Zhang - nju
b468a11ea7 Add advisory for accessor: integer overflow in array::ReadWrite::new() 2026-05-13 14:15:00 +02:00
djc
44e00a1d17 Assigned RUSTSEC-2026-0124 to libcrux-chacha20poly1305, RUSTSEC-2026-0125 to libcrux-ml-dsa, RUSTSEC-2026-0126 to libcrux-ml-dsa 2026-05-13 12:05:44 +02:00
Jonas Schneider-Bensch
1d74393843 Add advisory for libcrux-ml-dsa 2026-05-13 11:49:02 +02:00
Jonas Schneider-Bensch
46585e283c Add advisory for libcrux-ml-dsa 2026-05-13 11:49:02 +02:00
Jonas Schneider-Bensch
1f5ab3cb2a Add advisory for libcrux-chacha20poly1305 2026-05-13 11:49:02 +02:00
djc
a57e7b17ae Assigned RUSTSEC-2026-0123 to rustdx 2026-05-12 19:04:47 +02:00
Yaokun Zhang - nju
a2adcae8a1 Add advisory for rustdx: OOB read in bytes_helper safe functions 2026-05-12 18:44:18 +02:00
djc
b5f0acbfdb Synchronize IDs (2026-05-12) 2026-05-12 07:04:00 +02:00
Goat
bf77217c05 Improve the wording of RUSTSEC-2026-0122 2026-05-11 15:59:32 +02:00
djc
40d5a47a35 Assigned RUSTSEC-2026-0122 to rkyv 2026-05-11 11:37:41 +02:00
tooson9010-spec
ba45ea6319 Add advisory for rkyv: panic safety in InlineVec::clear and SerVec::clear (#2815)
Co-authored-by: tooson <tooson@gooroom.kr>
Co-authored-by: bjorn3 <17426603+bjorn3@users.noreply.github.com>
2026-05-11 11:36:33 +02:00
djc
881a159d8d Synchronize IDs (2026-05-07) 2026-05-07 10:56:41 +02:00
djc
e87dda2bc1 Assigned RUSTSEC-2026-0121 to steamworks 2026-05-06 15:41:21 +02:00
William Tremblay
b214a245e3 Add advisory for steamworks 2026-05-06 15:38:29 +02:00
djc
7c6b32be74 Synchronize IDs (2026-05-06) 2026-05-06 08:32:50 +02:00
Daniel McCarney
20377f44ed hickory-proto: adjust RUSTSEC-2026-0118 versions 2026-05-01 20:37:50 +02:00
djc
d6ba1f7070 Assigned RUSTSEC-2026-0118 to hickory-proto, RUSTSEC-2026-0119 to hickory-proto, RUSTSEC-2026-0120 to hickory-net 2026-05-01 16:31:54 +02:00
Daniel McCarney
eb426041ad Add multiple advisories against hickory-proto/hickory-net 2026-05-01 16:22:41 +02:00
djc
f5f281575d Assigned RUSTSEC-2026-0115 to imageproc, RUSTSEC-2026-0116 to imageproc, RUSTSEC-2026-0117 to imageproc 2026-05-01 15:54:12 +02:00
A. Molzer
b191e3599e Add multiple advisories against imageproc 2026-05-01 15:47:37 +02:00
djc
99560d3445 Assigned RUSTSEC-2026-0114 to wasmtime 2026-04-30 22:16:36 +02:00
Alex Crichton
22fe8e3160 Add advisory for Wasmtime issue just published
Adding an advisory here for GHSA-p8xm-42r7-89xg
2026-04-30 20:52:31 +02:00
djc
a519775875 Assigned RUSTSEC-2026-0112 to astral-tokio-tar, RUSTSEC-2026-0113 to astral-tokio-tar 2026-04-28 15:17:23 +02:00
William Woodruff
3562fa008b Add two astral-tokio-tar advisories (#2827) 2026-04-28 07:39:12 +02:00
xtqqczze
dedaac6a98 Fix crate name in RUSTSEC-2026-0103.md
Corrected the crate name from 'thin_vec' to 'thin-vec' in the vulnerability report.
2026-04-27 22:28:03 +02:00
Nikolai
930c3aa232 Fix grammatical error in RUSTSEC-2026-0105.md (#2825) 2026-04-25 11:01:07 -04:00
Daniel Scherzer
a9993361b0 RUSTSEC-2026-0078.md: remove reference link already set as URL
Otherwise it results in the same link rendering twice
2026-04-25 09:25:22 +02:00
kpcyrd
d674d8e9e6 RUSTSEC-2023-0071: Update tracking issue 2026-04-25 08:40:09 +02:00