* pingora request smuggling and cache poisoning
Pingora has a request smuggling and cache poisoning vulnerability
affecting versions 0.5.0 and older, as documented here:
https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/
* cleanup comments
* add cvss
* cve id not published yet, no formal cvss
* change to pingora-core
* cve published
* typo
* typo
* h1
* remove cvss again
* drop unused categories field and comments
---------
Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
People should know that totally-safe-transmute is a toy that's
intentionally doing broken things, so that
a) they don't come after me
b) they know not to expect it to get patched
c) they question why someone is pulling toy code into their dependencies
[Wasmtime] recently got a [request] to have our security advisories
published on the RustSec database as well. We've got a few old
advisories on here but we haven't been keeping up-to-date with later
advisories. In lieu of automatic imports from GitHub to RustSec we
figured we'd in the interim manually fill in some fields.
In this PR I'm back-filling security advisories we've had in Wasmtime
into the RustSec database here. The oldest advisory here is 3 years old
and the goal is to have this serve as a template for importing future
advisories that Wasmtime gets. It's not expected for this to cause any
churn or undue warnings but instead is intended to bring RustSec
up-to-date with the advisories we have for this crate.
[Wasmtime]: https://crates.io/crates/wasmtime
[request]: https://github.com/bytecodealliance/wasmtime/issues/10344
Since it was added in #2268, RUSTSEC-2025-0021 (CVE-2025-31130) has
an entry in the GitHub Advisory Database. As planned in #2268, this
adds the link to that global GHSA, as well as to the National
Vulnerability Database entry for the CVE.
