38 Commits

Author SHA1 Message Date
Alexis Mousset
84c633df9c Update aliases from GHSA OSV export (#1693) 2023-06-13 15:10:24 +02:00
Ralf Jung
b4d8786707 fix hyper patched version number (#1250) 2022-05-20 13:16:20 +02:00
github-actions[bot]
eb8c788bc0 Assigned RUSTSEC-2022-0022 to hyper (#1235)
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
2022-05-10 20:45:40 +02:00
Ralf Jung
6b7b129aef add hyper advisory (#1232) 2022-05-10 20:42:51 +02:00
Alexis Mousset
8c05fea5fa Add cvss information from nvd (#1085) 2021-10-19 16:14:35 -06:00
Alexis Mousset
e9382c8680 Fix typos in advisories (#976) 2021-08-21 19:18:11 -06:00
github-actions[bot]
82ce1aa716 Assigned RUSTSEC-2021-0079 to hyper (#973)
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
2021-08-08 12:41:08 -07:00
BlackHoleFox
3a5de9c7b5 Add advisory for hyper Transfer-Encoding header parsing (#968) 2021-08-08 12:39:37 -07:00
github-actions[bot]
255194ae7a Assigned RUSTSEC-2021-0078 to hyper (#972)
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
2021-08-08 12:39:12 -07:00
BlackHoleFox
0148dead3a Add advisory for hyper Content-Length header parsing (#967) 2021-08-08 12:36:02 -07:00
Sergey "Shnatsel" Davidoff
86ed56812a Add GHSA mentions to aliases field. This is becoming more important with OSV enabling interop between databases (#937) 2021-06-08 21:07:22 -04:00
Alexis Mousset
b10d085c36 RUSTSEC-2021-0020 is fixed in hyper 0.12.36 too
See https://github.com/hyperium/hyper/blob/0.12.x/CHANGELOG.md#v01236-2021-02-17

Fix was backported to 0.12.x in https://github.com/hyperium/hyper/pull/2436 and released in 0.12.36.
2021-03-29 13:59:27 +02:00
Shnatsel
4467b1f895 Assigned RUSTSEC-2021-0020 to hyper 2021-02-05 23:03:32 +00:00
Sean McArthur
c55cf597e8 Add hyper wrong transfer-encoding advisory 2021-02-05 14:57:30 -08:00
Yechan Bae
846dfb93a3 Update CVE numbers (#542) 2021-01-04 09:02:59 -08:00
Tony Arcieri
84f130870b Rename references fields to related (#492)
This frees up `references` to be used for tracking multiple URLs with
additional information.

See also: RustSec/advisory-db#429
2020-11-23 07:55:17 -08:00
Tony Arcieri
ac125ee29a Translate database into V3 advisory format (#420)
As proposed in #240 and tracked in #414, this PR translates all
advisories into the new "V3" advisory format, which is based on Markdown
with leading TOML front matter.

This format makes it easier to see rendered Markdown syntax
descriptions, whether rendered by an IDE or GitHub. This should help
with both crafting advisories initially as well as review, and ideally
encourages more lengthy descriptions.

Support for this format shipped in `cargo-audit` v0.12.0 on
May 6th, 2020.
2020-10-01 18:29:11 -07:00
Pavlos Poulakis
c22f80eb55 Add unaffected field to RUSTSEC-2020-0008. 2020-04-01 13:28:48 +01:00
Eliza Weisman
9889ed0831 Fix patched version for RUSTSEC-2020-0008
The vulnerability description for advisory RUSTSEC-2020-0008, "Flaw in
hyper allows request smuggling by sending a body in GET requests", lists
an incorrect patched version. The advisory states that the vulnerability
was fixed in `hyper` 0.12.35, but `hyper`'s changelog [shows][1] that
the patch (hyperium/hyper@23fc8b0) was published in 0.12.34. I believe
that this means that `cargo audit` will incorrectly report patched
versions as vulnerable.

This PR corrects the listed version.

[1]: https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v01234-2019-09-04
2020-03-31 10:41:53 -07:00
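The V3 format commit (ac125ee29a) and the RUSTSEC-2020-0008 patched-version fix (9889ed0831) above both turn on how a version checker reads an advisory's front matter. The following is an added example, not code from RustSec's advisory-db or the `rustsec` crate: a small Rust checker that extracts `patched` and `unaffected` from a V3 advisory and decides whether a given hyper version is still affected, reproducing the false positive the commit message predicts when the patched version is listed one release too high. It assumes the front matter sits in a leading fenced `toml` block, hand-rolls TOML and version-requirement parsing for only the subset used here (numeric x.y.z versions and `>=`, `>`, `<`, `<=`, `=` comparators joined by commas), and the sample advisory text, including the `unaffected` range, is constructed for illustration rather than copied from the real file.

```rust
// Added example, not code from RustSec's advisory-db or the rustsec crate.
// A minimal checker for the V3 advisory format: TOML front matter in a leading
// fenced toml block, Markdown body after it. It reads the `patched` and
// `unaffected` arrays of the `[versions]` table and applies the rule the
// history above relies on: a version is vulnerable unless it matches at least
// one patched or unaffected requirement. Parsing is hand-rolled and limited
// to the subset the constructed samples use, so no crates are required.

/// Three backticks, spelled with \x60 escapes so this listing stays one block.
const FENCE: &str = "\x60\x60\x60";

/// Numeric major.minor.patch; the derived Ord compares lexicographically.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    // Reject anything that is not exactly three numeric components.
    if parts.next().is_some() { return None; }
    Some(v)
}

#[derive(Debug, Clone, Copy)]
enum Op { Ge, Gt, Le, Lt, Eq }

/// One comparator of a requirement, e.g. `>= 0.12.34`.
#[derive(Debug, Clone, Copy)]
pub struct Comparator { op: Op, version: Version }

/// Parses `>= 0.12.34, < 0.13.0` into comparators; a bare version means `=`.
pub fn parse_req(req: &str) -> Option<Vec<Comparator>> {
    req.split(',')
        .map(|part| {
            let part = part.trim();
            let (op, rest) = if let Some(r) = part.strip_prefix(">=") { (Op::Ge, r) }
                else if let Some(r) = part.strip_prefix("<=") { (Op::Le, r) }
                else if let Some(r) = part.strip_prefix('>') { (Op::Gt, r) }
                else if let Some(r) = part.strip_prefix('<') { (Op::Lt, r) }
                else if let Some(r) = part.strip_prefix('=') { (Op::Eq, r) }
                else { (Op::Eq, part) };
            Some(Comparator { op, version: parse_version(rest)? })
        })
        .collect()
}

/// True when `v` satisfies every comparator of the requirement.
pub fn req_matches(req: &[Comparator], v: Version) -> bool {
    req.iter().all(|c| match c.op {
        Op::Ge => v >= c.version,
        Op::Gt => v > c.version,
        Op::Le => v <= c.version,
        Op::Lt => v < c.version,
        Op::Eq => v == c.version,
    })
}

/// The TOML front matter: the contents of the leading fenced toml block.
pub fn front_matter(advisory: &str) -> Option<&str> {
    let opener = format!("{FENCE}toml");
    let body = advisory.trim_start().strip_prefix(opener.as_str())?;
    let end = body.find(&format!("\n{FENCE}"))?;
    Some(&body[..end])
}

/// The string array stored under `key` in the `[versions]` table, e.g.
/// `patched = [">= 0.12.34"]`. Elements are the quoted substrings, so a comma
/// inside a requirement does not split it. Absent key: empty Vec.
pub fn versions_array(toml: &str, key: &str) -> Vec<String> {
    let mut in_versions = false;
    for line in toml.lines().map(str::trim) {
        if line.starts_with('[') {
            in_versions = line == "[versions]";
        } else if in_versions {
            if let Some((k, v)) = line.split_once('=') {
                if k.trim() == key {
                    return v.split('"').skip(1).step_by(2).map(str::to_owned).collect();
                }
            }
        }
    }
    Vec::new()
}

/// Verdict in the sense `cargo audit` uses: vulnerable unless some patched or
/// unaffected requirement matches. None if the advisory or version is malformed.
pub fn is_vulnerable(advisory: &str, version: &str) -> Option<bool> {
    let toml = front_matter(advisory)?;
    let v = parse_version(version)?;
    for key in ["patched", "unaffected"] {
        for req in versions_array(toml, key) {
            if req_matches(&parse_req(&req)?, v) {
                return Some(false);
            }
        }
    }
    Some(true)
}

/// Constructed V3 advisory text modelled on RUSTSEC-2020-0008 (id, package and
/// title are from the history above; the description is a placeholder).
pub fn sample_advisory(versions_table: &str) -> String {
    format!(
        "{FENCE}toml\n[advisory]\nid = \"RUSTSEC-2020-0008\"\npackage = \"hyper\"\n\n\
         [versions]\n{versions_table}\n{FENCE}\n\n\
         # Flaw in hyper allows request smuggling by sending a body in GET requests\n\n\
         (constructed description)\n"
    )
}

/// As first filed: the patched version is one release too high.
pub fn advisory_as_filed() -> String {
    sample_advisory("patched = [\">= 0.12.35\"]")
}

/// After the fix in this history: patched in 0.12.34. The unaffected range is
/// a constructed illustration of the field, not the advisory's real value.
pub fn advisory_corrected() -> String {
    sample_advisory("patched = [\">= 0.12.34\"]\nunaffected = [\"< 0.12.0\"]")
}

fn main() {
    for (label, advisory) in [("as filed", advisory_as_filed()), ("corrected", advisory_corrected())] {
        for v in ["0.11.27", "0.12.33", "0.12.34", "0.12.35"] {
            println!("{label}: hyper {v} vulnerable = {:?}", is_vulnerable(&advisory, v));
        }
    }
}
```

Running it prints the verdict for each version under both variants: with the version as filed, hyper 0.12.34 comes back vulnerable even though it carries the fix, which is exactly the false positive the commit message describes. `is_vulnerable` returns `None` rather than a guess when the front matter or the version string cannot be parsed, which is the safer failure mode for an audit tool than silently treating an unparseable requirement as "patched".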
Tony Arcieri
6053e3a05f Assign RUSTSEC-2020-0008 to hyper
Original PR: https://github.com/RustSec/advisory-db/pull/255
2020-03-31 10:07:02 -07:00
Demi M. Obenour
91eed85346 Note that another vulnerability is needed for RCE
Also make some trivial changes to pass the linter.
2020-03-30 18:59:14 -04:00
Demi M. Obenour
0d7868ccb9 Add hyper request smuggling vulnerability 2020-03-19 11:41:39 -04:00
Sergey "Shnatsel" Davidoff
7797133c67 Add CVE mapping 2020-03-18 17:15:13 +01:00
Tony Arcieri
64c17acfe3 Migrate all advisories to V2 format (closes #228)
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.

This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
2020-03-01 10:46:35 -08:00
Vinzent Steinberg
2dda7f38b8 Use backticks for escaped characters 2019-10-07 17:05:39 +02:00
Vinzent Steinberg
5233609919 Fix escapes in hyper advisory
Fixes #159.
2019-10-07 15:30:55 +02:00
Tony Arcieri
01ac6725d5 Fix all advisories to pass linter
Mostly related to the `affected_functions` field, which has changed a
few times.
2019-09-09 12:19:01 -07:00
Tony Arcieri
782efebde9 Revert "Add affected functions to legacy security warnings (#83)"
This reverts commit 0a981e2b6f.

These now need to use the new `affected_paths` attribute, which has a
different (VersionReq-bucketed) format.
2019-01-13 17:31:25 -08:00
Moritz Beller
0a981e2b6f Add affected functions to legacy security warnings (#83)
Add affected functions to advisories

Add `affected_functions` to:

- RUSTSEC-2018-0003
- RUSTSEC-2017-0002
- RUSTSEC-2018-0002
- RUSTSEC-2018-0001
- RUSTSEC-2017-0004
2018-12-21 06:11:32 -08:00
Tony Arcieri
1296249cfb RUSTSEC-2016-0002.toml: use 'affected_os' attribute
Replaces the 'affected_platforms' attribute in rustsec v0.9.
2018-07-26 21:02:15 -07:00
Tony Arcieri
2d9a2632a7 Keywords
Documents the new `keywords` attribute and adds keywords to all current
advisories. These can be consumed by the web UI.
2018-07-24 16:02:35 -07:00
Tony Arcieri
2632340526 Affected Platforms
Documents the use of the `affected_platforms` attribute in advisories,
and adds it to a relevant advisory.
2018-07-24 15:53:43 -07:00
Tony Arcieri
07219b8d17 Assign RUSTSEC-2016-0002 to hyper
Original PR:

https://github.com/RustSec/advisory-db/pull/18
2018-07-24 12:33:49 -07:00
Tony Arcieri
8678a77455 Advisory: hyper HTTPS MitM due to lack of hostname verification 2018-07-24 12:03:59 -07:00
Tony Arcieri
cb81d3ceaa Rename "dwf" TOML tag to "aliases" (closes #36)
Nobody knows what "dwf" is, and the data isn't presently consumed or
surfaced by the `rustsec` crate, so we (hopefully) can rename it without
breaking anything.
2018-07-21 19:47:30 -07:00
Tony Arcieri
79fd13ac6f crates: Add 'id' attribute to all advisories
This is needed to parse them with serde directly from these files (as
opposed to using Advisories.toml)
2018-07-21 15:22:39 -07:00
Tony Arcieri
e867ef7194 Assign RUSTSEC-2017-0002 to hyper
Original PR:

https://github.com/RustSec/advisory-db/pull/12
2017-02-28 09:02:18 -08:00
Sean McArthur
4597f51b45 add advisory for hyper message splitting vulnerability 2017-02-27 15:13:17 -08:00