{ "generated_at": "unix:1774454746", "entries": [ { "advisory_id": "RUSTSEC-2026-0037", "package": "quinn-proto", "title": "Denial of service in Quinn endpoints", "date": "2026-03-09", "patched_versions": [ ">= 0.11.14" ], "commit_sha": "2c315aa7f9c2a6c1db87f8f51f40623a427c78fd", "vulnerable_symbols": [ { "file": "quinn-proto/src/congestion/bbr/mod.rs", "function": "quinn_proto::congestion::bbr::Bbr::maybe_enter_or_exit_probe_rtt", "change_type": "Modified" }, { "file": "quinn-proto/src/connection/assembler.rs", "function": "quinn_proto::connection::assembler::State::default", "change_type": "Deleted" }, { "file": "quinn-proto/src/transport_parameters.rs", "function": "quinn_proto::transport_parameters::TransportParameters::read", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0074", "package": "libcrux-sha3", "title": "Incorrect Output of Incremental Portable SHAKE API", "date": "2026-03-04", "patched_versions": [ ">= 0.0.8 " ], "commit_sha": "6bbe15ec6a24222dade456aa75a382234807c4ff", "vulnerable_symbols": [ { "file": "crates/algorithms/sha3/src/generic_keccak/xof.rs", "function": "sha3::generic_keccak::xof::KeccakXofState::squeeze", "change_type": "Modified" }, { "file": "crates/algorithms/sha3/src/simd/avx2.rs", "function": "sha3::simd::avx2::store_block", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0073", "package": "libcrux-poly1305", "title": "Panic in Standalone MAC Operations", "date": "2026-03-04", "patched_versions": [ ">= 0.0.5 " ], "commit_sha": "5730a90658437802482a2862748378619241d4b7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0076", "package": "libcrux-ml-dsa", "title": "Panic in Signature Hint Decoding During Verification", "date": "2026-03-04", "patched_versions": [ ">= 0.0.8 " ], "commit_sha": "2d2ad879b287d0c9f3364fa863d105c057805a1b", "vulnerable_symbols": [ { "file": "libcrux-ml-dsa/src/encoding/signature.rs", "function": "libcrux_ml_dsa::encoding::signature::deserialize", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0077", "package": "libcrux-ml-dsa", "title": "Incorrect Check of Signer Response Norm During Verification", "date": "2026-03-04", "patched_versions": [ ">= 0.0.8 " ], "commit_sha": "0b8c446d8c235086561f74dc3079d930569d9bdd", "vulnerable_symbols": [ { "file": "libcrux-ml-dsa/src/ml_dsa_generic.rs", "function": "libcrux_ml_dsa::ml_dsa_generic::generic::verify_internal", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0075", "package": "libcrux-ed25519", "title": "All-Zero Key Generation on Catastrophic RNG Failure", "date": "2026-03-04", "patched_versions": [ ">= 0.0.7 " ], "commit_sha": "bda2b492b1d1ab12b5c77271874d53f111af1788", "vulnerable_symbols": [ { "file": "crates/algorithms/ed25519/src/impl_hacl.rs", "function": "ed25519::impl_hacl::generate_key_pair", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0013", "package": "pyo3", "title": "Type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature targeting Python 3.12 and up", "date": "2026-02-18", "patched_versions": [ ">= 0.28.2" ], "commit_sha": "a7c8f38a0f204806c84c0feb872c430d3f6078db", "vulnerable_symbols": [ { "file": "pyo3-build-config/src/impl_.rs", "function": "pyo3_build_config::impl_::InterpreterConfig::build_script_outputs", "change_type": "Modified" }, { "file": "pyo3-build-config/src/lib.rs", "function": "pyo3_build_config::print_expected_cfgs", "change_type": "Modified" } ] }, { "advisory_id": "RUSTSEC-2026-0012", "package": "keccak", "title": "Unsoundness in opt-in ARMv8 assembly backend for `keccak`", "date": "2026-02-12", "patched_versions": [ ">= 0.1.6" ], "commit_sha": "7ac1920198ebb7d0192e6d2c3581e15b38a6e0e5", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0069", "package": "hpke-rs", "title": "Incorrect Length Encoding on KDF Export", "date": "2026-02-11", "patched_versions": [ ">= 0.6.0" ], "commit_sha": "b54c8bb83906331bdf4f606cafa30cd7fd20b531", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0070", "package": "hpke-rs", "title": "Panic When Opening or Sealing on Export-Only Context", "date": "2026-02-11", "patched_versions": [ ">= 0.6.0" ], "commit_sha": "b54c8bb83906331bdf4f606cafa30cd7fd20b531", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0025", "package": "libcrux-psq", "title": "Panic in `libcrux-psq` on decryption of malformed AES-GCM ciphertext", "date": "2026-02-08", "patched_versions": [ ">= 0.0.7" ], "commit_sha": "f303b6446c19fe9a7c993f61e426023609cd5fac", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0026", "package": "libcrux-ed25519", "title": "Unnecessary clamping of seed reduces seed entropy to 251 bits", "date": "2026-02-05", "patched_versions": [ ">= 0.0.6" ], "commit_sha": "4d6f5d3c2542b6179a6474dec8cfb8b8ddf31a84", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0071", "package": "hpke-rs", "title": "Nonce Reuse in HPKE Context", "date": "2026-02-05", "patched_versions": [ ">= 0.6.0" ], "commit_sha": "3a8254938f43bdc4e0c9c4f987f8071f19779066", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0072", "package": "hpke-rs-rust-crypto", "title": "Missing Check for All-Zero X25519 Shared Secret", "date": "2026-02-04", "patched_versions": [ ">= 0.6.0" ], "commit_sha": "1c247b5c9aeca602ad2971c9bd49817fe2c308e6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0008", "package": "git2", "title": "Potential undefined behavior when dereferencing Buf struct", "date": "2026-02-02", "patched_versions": [ ">=0.20.4" ], "commit_sha": "9e160f15bd056f82143109bb330573381e5de719", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0023", "package": "libcrux-ecdh", "title": "X25519 secret validation did not check buffer length or clamping", "date": "2026-01-26", "patched_versions": [ ">= 0.0.6" ], "commit_sha": "a09022c5811ca7fd1c6d9a239ff294d64ee86734", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0024", "package": "libcrux-psq", "title": "Incorrect X25519 clamping check rejects all secrets on import", "date": "2026-01-26", "patched_versions": [ ">= 0.0.7" ], "commit_sha": "a09022c5811ca7fd1c6d9a239ff294d64ee86734", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0005", "package": "oneshot", "title": "Potential use-after-free in `oneshot` when used asynchronously", "date": "2026-01-25", "patched_versions": [ ">= 0.1.12" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0002", "package": "lru", "title": "`IterMut` violates Stacked Borrows by invalidating internal pointer", "date": "2026-01-07", "patched_versions": [ ">= 0.16.3" ], "commit_sha": "62be24c96137fcf5c6323607ff15ed878b157ee2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2026-0001", "package": "rkyv", "title": "Potential Undefined Behaviors in `Arc`/`Rc` impls of `from_value` on OOM", "date": "2026-01-05", "patched_versions": [ ">= 0.7.46, < 0.8.0", ">= 0.8.13" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0139", "package": "theshit", "title": "theshit vulnerable to unsafe loading of user-owned Python rules when running as root", "date": "2025-12-30", "patched_versions": [ ">= 0.1.1" ], "commit_sha": "8e0b565e7876a83b0e1cfbacb8af39dadfdcc500", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0140", "package": "gix-date", "title": "Non-utf8 String can be created with `TimeBuf::as_str`", "date": "2025-12-29", "patched_versions": [ ">= 0.12.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0143", "package": "capnp", "title": "Unsound APIs of public `constant::Reader` and `StructSchema`", "date": "2025-12-24", "patched_versions": [ ">= 0.24.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0137", "package": "ruint", "title": "Unsoundness of safe `reciprocal_mg10`", "date": "2025-12-22", "patched_versions": [ ">= 1.17.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0133", "package": "libcrux-intrinsics", "title": "Incorrect calculation on aarch64", "date": "2025-12-04", "patched_versions": [ ">= 0.0.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0134", "package": "rustls-pemfile", "title": "rustls-pemfile is unmaintained", "date": "2025-11-28", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0132", "package": "maxminddb", "title": "`Reader::open_mmap` unsoundly marks unsafe memmap operation as safe", "date": "2025-11-28", "patched_versions": [ ">= 0.27.0" ], "commit_sha": "98f0e4fff9678c841ed33f3b8a46322f6163c32a", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0125", "package": "thread-amount", "title": "Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS", "date": "2025-11-22", "patched_versions": [ ">=0.2.2" ], "commit_sha": "28860d4a38286609cb884c13b5b7941edc2390e5", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0119", "package": "number_prefix", "title": "number_prefix crate is unmaintained", "date": "2025-11-17", "patched_versions": [], "commit_sha": "0ea8171492efe2784f7d820e91ced0cb79262923", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0122", "package": "cargo-asm", "title": "cargo-asm crate is unmaintained", "date": "2025-11-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0153", "package": "hexchat", "title": "hexchat crate is unsound and unmaintained", "date": "2025-11-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0120", "package": "json5", "title": "json5 crate is unmaintained", "date": "2025-11-16", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0114", "package": "tandem_http_client", "title": "tandem_http_client is unmaintained", "date": "2025-11-10", "patched_versions": [], "commit_sha": "4b3fe27190f20602dc3d9dbfcf36f72ca8b2c538", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0116", "package": "tandem_garble_interop", "title": "tandem_garble_interop is unmaintained", "date": "2025-11-10", "patched_versions": [], "commit_sha": "4b3fe27190f20602dc3d9dbfcf36f72ca8b2c538", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0115", "package": "tandem_http_server", "title": "tandem_http_server is unmaintained", "date": "2025-11-10", "patched_versions": [], "commit_sha": "4b3fe27190f20602dc3d9dbfcf36f72ca8b2c538", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0117", "package": "tandem", "title": "tandem is unmaintained", "date": "2025-11-10", "patched_versions": [], "commit_sha": "4b3fe27190f20602dc3d9dbfcf36f72ca8b2c538", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0107", "package": "borrowck_sacrifices", "title": "Uninitialized memory exposure in any_as_u8_slice", "date": "2025-10-21", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0109", "package": "binary_vec_io", "title": "Out-of-bounds memory access in binary_read_to_ref and binary_write_from_ref", "date": "2025-10-21", "patched_versions": [], "commit_sha": "e8ee610c217b112100e784c944bbb9caa995c2ae", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0105", "package": "direct_ring_buffer", "title": "Uninitialized memory exposure in create_ring_buffer", "date": "2025-10-21", "patched_versions": [ ">= 0.2.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0106", "package": "orx-pinned-vec", "title": "Undefined behavior in index_of_ptr with empty slices", "date": "2025-10-21", "patched_versions": [ ">= 3.21.0" ], "commit_sha": "4a4007a1aaff25cd417853c76163883a7110e276", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0108", "package": "ncurses", "title": "Uninitialized memory exposure in string reading functions", "date": "2025-10-21", "patched_versions": [], "commit_sha": "cbeb0465070dd7a07413f0465114f8cd43df4ecc", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0091", "package": "unic-utils", "title": "`unic-utils` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0099", "package": "unic-ucd-block", "title": "`unic-ucd-block` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0083", "package": "unic-ucd-bidi", "title": "`unic-ucd-bidi` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0094", "package": "unic-ucd-category", "title": "`unic-ucd-category` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0100", "package": "unic-ucd-ident", "title": "`unic-ucd-ident` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0096", "package": "unic-bidi", "title": "`unic-bidi` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0081", "package": "unic-char-property", "title": "`unic-char-property` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0085", "package": "unic-idna", "title": "`unic-idna` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0084", "package": "unic-emoji", "title": "`unic-emoji` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0104", "package": "unic-ucd-segment", "title": "`unic-ucd-segment` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0082", "package": "unic-normal", "title": "`unic-normal` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0077", "package": "unic-ucd", "title": "`unic-ucd` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0075", "package": "unic-char-range", "title": "`unic-char-range` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0097", "package": "unic-idna-mapping", "title": "`unic-idna-mapping` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0086", "package": "unic-char", "title": "`unic-char` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0088", "package": "unic-idna-punycode", "title": "`unic-idna-punycode` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0101", "package": "unic-ucd-common", "title": "`unic-ucd-common` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0076", "package": "unic-ucd-name", "title": "`unic-ucd-name` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0089", "package": "unic-ucd-name_aliases", "title": "`unic-ucd-name_aliases` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0102", "package": "unic-ucd-age", "title": "`unic-ucd-age` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0080", "package": "unic-common", "title": "`unic-common` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0087", "package": "unic-cli", "title": "`unic-cli` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0095", "package": "unic", "title": "`unic` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0098", "package": "unic-ucd-version", "title": "`unic-ucd-version` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0074", "package": "unic-segment", "title": "`unic-segment` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0079", "package": "unic-ucd-hangul", "title": "`unic-ucd-hangul` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0126", "package": "nftnl", "title": "Heap-buffer-overflow in nftnl::Batch::with_page_size (nftnl-rs)", "date": "2025-10-18", "patched_versions": [ ">= 0.9.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0092", "package": "unic-ucd-case", "title": "`unic-ucd-case` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0103", "package": "unic-ucd-core", "title": "`unic-ucd-core` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0090", "package": "unic-emoji-char", "title": "`unic-emoji-char` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0093", "package": "unic-char-basics", "title": "`unic-char-basics` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0142", "package": "mnl", "title": "Segmentation fault and invalid memory read in `mnl::cb_run`", "date": "2025-10-18", "patched_versions": [ ">= 0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0078", "package": "unic-ucd-normal", "title": "`unic-ucd-normal` is unmaintained", "date": "2025-10-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0069", "package": "daemonize", "title": "`daemonize` is Unmaintained", "date": "2025-09-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0067", "package": "libyml", "title": "`libyml::string::yaml_string_extend` is unsound and unmaintained", "date": "2025-09-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0068", "package": "serde_yml", "title": "serde_yml crate is unsound and unmaintained", "date": "2025-09-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0061", "package": "iron", "title": "iron crate is unmaintained", "date": "2025-09-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0059", "package": "servo-fontconfig", "title": "servo-fontconfig crate is unmaintained", "date": "2025-09-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0060", "package": "crypto-hash", "title": "crypto-hash crate is unmaintained", "date": "2025-09-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0058", "package": "custom_derive", "title": "custom_derive crate is unmaintained", "date": "2025-09-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0057", "package": "fxhash", "title": "fxhash - no longer maintained", "date": "2025-09-05", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0049", "package": "scratchpad", "title": "User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows", "date": "2025-08-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0050", "package": "id-map", "title": "IdMap::from_iter may lead to uninitialized memory being freed on drop", "date": "2025-08-14", "patched_versions": [ ">= 0.2.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0054", "package": "array-queue", "title": "ArrayQueue::push_front is not panic-safe", "date": "2025-08-14", "patched_versions": [ ">=0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0053", "package": "arenavec", "title": "Multiple memory corruption vulnerabilities in safe APIs", "date": "2025-08-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0047", "package": "slab", "title": "Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check", "date": "2025-08-12", "patched_versions": [ ">= 0.4.11" ], "commit_sha": "2d65c514bc964b192bab212ddf3c1fcea4ae96b8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0051", "package": "xcb", "title": "`xcb::Connection::connect_to_fd*` functions violate I/O safety", "date": "2025-08-05", "patched_versions": [ ">= 1.6.0" ], "commit_sha": "da830976870c1174e3b33eb0643177be3991c002", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0048", "package": "tsify-next", "title": "tsify-next is unmaintained, use tsify instead", "date": "2025-07-29", "patched_versions": [], "commit_sha": "0b377ed27073b0be76c67a88dc9b3934122559c1", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0045", "package": "static_cell", "title": "ConstStaticCell could have been used to pass non-Send values to another thread", "date": "2025-07-17", "patched_versions": [ ">= 2.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0042", "package": "static-alloc", "title": "Uninitialized read after allocating MemBump", "date": "2025-07-11", "patched_versions": [ ">= 0.2.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0044", "package": "slice-ring-buffer", "title": "Four unique double-free vulnerabilities triggered via safe APIs", "date": "2025-06-16", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0138", "package": "deno", "title": "--allow-read / --allow-write permission bypass in `node:sqlite`", "date": "2025-06-03", "patched_versions": [ ">= 2.2.5" ], "commit_sha": "31a97803995bd94629528ba841b2418d3ca01860", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0062", "package": "toodee", "title": "Heap Buffer Overflow in the DrainCol Destructor", "date": "2025-05-22", "patched_versions": [ ">= 0.6.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0036", "package": "surf", "title": "surf is unmaintained", "date": "2025-05-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0027", "package": "mp3-metadata", "title": "Panic in mp3-metadata due to the lack of bounds checking", "date": "2025-04-28", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0035", "package": "macroquad", "title": "Multiple soundness issues in `macroquad`", "date": "2025-04-23", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0024", "package": "crossbeam-channel", "title": "crossbeam-channel: double free on Drop", "date": "2025-04-08", "patched_versions": [ ">= 0.5.15" ], "commit_sha": "596df785c0e6f00b1775bba1b5506d998fb94b63", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0023", "package": "tokio", "title": "Broadcast channel calls clone in parallel, but does not require `Sync`", "date": "2025-04-07", "patched_versions": [ ">= 1.38.2, < 1.39.0", ">= 1.42.1, < 1.43.0", ">= 1.43.1, < 1.44.0", ">= 1.44.2" ], "commit_sha": "aa303bc2051f7c21b48bb7bfcafe8fd4f39afd21", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0022", "package": "openssl", "title": "Use-After-Free in `Md::fetch` and `Cipher::fetch`", "date": "2025-04-04", "patched_versions": [ ">= 0.10.72" ], "commit_sha": "87085bd67896b7f92e6de35d081f607a334beae4", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0020", "package": "pyo3", "title": "Risk of buffer overflow in `PyString::from_object`", "date": "2025-04-01", "patched_versions": [ ">= 0.24.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0019", "package": "array-init-cursor", "title": "`array-init-cursor` in version 0.2.0 and below is unsound when used with types that implement `Drop`", "date": "2025-03-27", "patched_versions": [ ">= 0.2.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0033", "package": "scanner", "title": "Public API without sufficient bounds checking", "date": "2025-03-27", "patched_versions": [], "commit_sha": "20e260a42a8279aac5bccdcaa56daefc20d852d3", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0018", "package": "xmas-elf", "title": "Potential out-of-bounds read with a malformed ELF file and the HashTable API.", "date": "2025-03-26", "patched_versions": [ ">=0.10" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0017", "package": "trust-dns-proto", "title": "The `trust-dns` project has been rebranded to `hickory-dns`", "date": "2025-03-23", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0016", "package": "pared", "title": "Use after free in `Parc` and `Prc` due to missing lifetime constraints", "date": "2025-03-13", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0014", "package": "humantime", "title": "humantime is unmaintained", "date": "2025-03-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0012", "package": "backoff", "title": "`backoff` is unmaintained.", "date": "2025-03-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0008", "package": "openh264-sys2", "title": "Openh264 Decoding Functions Heap Overflow Vulnerability", "date": "2025-02-24", "patched_versions": [ ">=0.8.0" ], "commit_sha": "63db555e30986e3a5f07871368dc90ae78c27449", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0015", "package": "web-push", "title": "Denial of Service via malicious Web Push endpoint", "date": "2025-02-16", "patched_versions": [ ">= 0.10.3" ], "commit_sha": "8447ed86bf3f24629abd7022b94104bf3cd64453", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0004", "package": "openssl", "title": "ssl::select_next_proto use after free", "date": "2025-02-02", "patched_versions": [ ">= 0.10.70" ], "commit_sha": "f014afb230de4d77bc79dea60e7e58c2f47b60f2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0040", "package": "users", "title": "`root` appended to group listings", "date": "2025-01-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0003", "package": "fast-float", "title": "Segmentation fault due to lack of bound check", "date": "2025-01-13", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0002", "package": "fast-float2", "title": "Segmentation fault due to lack of bound check", "date": "2025-01-13", "patched_versions": [ ">=0.2.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2025-0026", "package": "registry", "title": "registry is unmaintained", "date": "2025-01-13", "patched_versions": [], "commit_sha": "41dc296c786e5943d3238535e45e1df60b258050", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0430", "package": "magic-crypt", "title": "Use of insecure cryptographic algorithms", "date": "2024-12-28", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0431", "package": "xous", "title": "Unsound usages of `core::slice::from_raw_parts`", "date": "2024-12-23", "patched_versions": [ ">= 0.9.51" ], "commit_sha": "3e051fa39e456e3981996e5cbe88f51b8bd68d76", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0424", "package": "libafl", "title": "Unsound usages of `core::slice::from_raw_parts_mut`", "date": "2024-12-19", "patched_versions": [ ">= 0.11.2" ], "commit_sha": "f70a16a09a8096d3c50159dd8a912a75c2af157c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0435", "package": "fyrox-core", "title": "Unsound usages of `Vec::from_raw_parts`", "date": "2024-12-19", "patched_versions": [ ">= 0.36" ], "commit_sha": "474e3b01a884366cdb7d704f7456ef692e992232", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0426", "package": "spl-token-swap", "title": "Unsound usages of `u8` type casting", "date": "2024-12-19", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0437", "package": "protobuf", "title": "Crash due to uncontrolled recursion in protobuf crate", "date": "2024-12-12", "patched_versions": [ ">= 3.7.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0423", "package": "gtk-layer-shell-sys", "title": "gtk-layer-shell-sys GTK3 bindings - no longer maintained", "date": "2024-12-09", "patched_versions": [], "commit_sha": "094c356273f209e04bf481fb404dc17990ae76e0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0422", "package": "gtk-layer-shell", "title": "gtk-layer-shell GTK3 bindings - no longer maintained", "date": "2024-12-09", "patched_versions": [], "commit_sha": "094c356273f209e04bf481fb404dc17990ae76e0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0428", "package": "kvm-ioctls", "title": "Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`", "date": "2024-12-05", "patched_versions": [ ">= 0.19.1" ], "commit_sha": "ade910b953771f59c1c7d0622087ac44b49bf13c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0409", "package": "pyo3", "title": "Build corruption when using `PYO3_CONFIG_FILE` environment variable", "date": "2024-12-04", "patched_versions": [ ">= 0.23.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0408", "package": "pprof", "title": "Unsound usages of `std::slice::from_raw_parts`", "date": "2024-12-04", "patched_versions": [ ">= 0.14.0" ], "commit_sha": "b1d02fda496d836d755b7d9fb85831aca5c64be2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0400", "package": "ruzstd", "title": "`ruzstd` uninit and out-of-bounds memory reads", "date": "2024-11-28", "patched_versions": [ ">= 0.7.3" ], "commit_sha": "db68f68c1a83cdb33e12a66a23b5adec240db6bf", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0399", "package": "rustls", "title": "rustls network-reachable panic in `Acceptor::accept`", "date": "2024-11-22", "patched_versions": [ ">= 0.23.18" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0445", "package": "cap-primitives", "title": "cap-primitives doesn't fully sandbox all the Windows device filenames", "date": "2024-11-05", "patched_versions": [ ">= 3.4.1" ], "commit_sha": "dcc3818039761331fbeacbb3a40c542b65b5ebf7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0379", "package": "fast-float", "title": "Multiple soundness issues", "date": "2024-10-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0378", "package": "pyo3", "title": "Risk of use-after-free in `borrowed` reads from Python weak references", "date": "2024-10-12", "patched_versions": [ ">= 0.22.4" ], "commit_sha": "10cd042e03a2c6e83ff67c91b9bcb6395e200d48", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0402", "package": "hashbrown", "title": "Borsh serialization of HashMap is non-canonical", "date": "2024-10-11", "patched_versions": [ ">= 0.15.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0377", "package": "dbn", "title": "Heap Buffer overflow using c_chars_to_str function", "date": "2024-10-07", "patched_versions": [ "> 0.22.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0375", "package": "atty", "title": "`atty` is unmaintained", "date": "2024-09-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0374", "package": "ouch", "title": "Segmentation fault due to use of uninitialized memory", "date": "2024-09-22", "patched_versions": [ ">0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0427", "package": "get-size-derive", "title": "get-size-derive is unmaintained", "date": "2024-09-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0425", "package": "get-size", "title": "get-size is unmaintained", "date": "2024-09-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0404", "package": "anstream", "title": "Unsoundness in anstream", "date": "2024-09-08", "patched_versions": [ ">= 0.6.8" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0443", "package": "webp", "title": "webp crate may expose memory contents when encoding an image", "date": "2024-09-06", "patched_versions": [ ">= 0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0372", "package": "ic-cdk", "title": "Memory leak when calling a canister method via `ic_cdk::call`", "date": "2024-09-05", "patched_versions": [ "^0.8.2", "^0.9.3", "^0.10.1", "^0.11.6", "^0.12.2", "^0.13.5", "^0.14.1", "^0.15.1", ">= 0.16.0" ], "commit_sha": "bd17d57a7b8ca59665fea5fad6143ca02724d03b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0386", "package": "strason", "title": "strason is unmaintained", "date": "2024-09-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0383", "package": "bcc", "title": "bcc is unmaintained", "date": "2024-09-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0384", "package": "instant", "title": "`instant` is unmaintained", "date": "2024-09-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0385", "package": "cw0", "title": "`cw0` is unmaintained", "date": "2024-08-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0365", "package": "diesel", "title": "Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts", "date": "2024-08-23", "patched_versions": [ ">= 2.2.3" ], "commit_sha": "9eccd7d6d705ac53618bfd478152e32ec3b4536c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0364", "package": "gitoxide-core", "title": "gitoxide-core does not neutralize special characters for terminals", "date": "2024-08-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0363", "package": "sqlx", "title": "Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts", "date": "2024-08-15", "patched_versions": [ ">= 0.8.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0390", "package": "minitrace", "title": "minitrace is Unmaintained", "date": "2024-08-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0444", "package": "boa_engine", "title": "Uncaught exception when transitioning the state of `AsyncGenerator` objects from within a property getter of `then`", "date": "2024-08-14", "patched_versions": [ ">= 0.19" ], "commit_sha": "69ea2f52ed976934bff588d6b566bae01be313f7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0362", "package": "alloy-json-abi", "title": "Stack overflow when parsing specially crafted JSON ABI strings", "date": "2024-07-30", "patched_versions": [ ">= 0.7.7" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0360", "package": "xmp_toolkit", "title": "`XmpFile::close` can trigger UB", "date": "2024-07-26", "patched_versions": [ ">= 1.9.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0359", "package": "gix-attributes", "title": "The kstring integration in gix-attributes is unsound", "date": "2024-07-24", "patched_versions": [ ">= 0.22.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0358", "package": "object_store", "title": "Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files", "date": "2024-07-23", "patched_versions": [ ">= 0.10.2" ], "commit_sha": "4978e32654235f569062f2cad6c7361e410f1254", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0357", "package": "openssl", "title": "`MemBio::get_buf` has undefined behavior with empty buffers", "date": "2024-07-21", "patched_versions": [ ">= 0.10.66" ], "commit_sha": "aef36e0f3950653148d6644309ee41ccf16e02bb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0392", "package": "cggmp21-keygen", "title": "Ambiguous challenge derivation", "date": "2024-07-18", "patched_versions": [ ">= 0.3.0" ], "commit_sha": "9b458cd57238146e471b89d577e5b35995b20e51", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0391", "package": "paillier-zk", "title": "Ambiguous challenge derivation", "date": "2024-07-18", "patched_versions": [ ">= 0.4.0" ], "commit_sha": "06e2159e2756fa6048be90d549e9a6938ef7a26e", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0393", "package": "cggmp21", "title": "Ambiguous challenge derivation", "date": "2024-07-18", "patched_versions": [ ">= 0.4.0" ], "commit_sha": "9b458cd57238146e471b89d577e5b35995b20e51", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0403", "package": "js-sandbox", "title": "op_panic in the base runtime can force a panic in the runtime's containing thread", "date": "2024-07-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0405", "package": "rustyscript", "title": "op_panic in the base runtime can force a panic in the runtime's containing thread", "date": "2024-07-18", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0442", "package": "wasmtime-jit-debug", "title": "Dump Undefined Memory by `JitDumpFile`", "date": "2024-07-06", "patched_versions": [ ">= 24.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0387", "package": "opentelemetry_api", "title": "`opentelemetry_api` has been merged into the `opentelemetry` crate", "date": "2024-07-03", "patched_versions": [], "commit_sha": "42e58fc356aea17811391e7127a07acd1d6720db", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0389", "package": "openslide", "title": "`openslide` is unmaintained", "date": "2024-07-03", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0388", "package": "derivative", "title": "`derivative` is unmaintained; consider using an alternative", "date": "2024-06-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0395", "package": "chrono-english", "title": "The maintainer of chrono-english is unresponsive", "date": "2024-06-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0344", "package": "curve25519-dalek", "title": "Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`", "date": "2024-06-18", "patched_versions": [ ">= 4.1.3" ], "commit_sha": "415892acf1cdf9161bd6a4c99bc2f4cb8fae5e6a", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0406", "package": "ic-stable-structures", "title": "BTreeMap memory leak when deallocating nodes with overflows", "date": "2024-05-17", "patched_versions": [ ">= 0.6.4" ], "commit_sha": "4f6b8ae521884833498bae26369c353c10f28ea7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0337", "package": "zip_next", "title": "The crate `zip_next` has been renamed to `zip`.", "date": "2024-04-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0334", "package": "libp2p-tokio-socks5", "title": "`libp2p-tokio-socks5` is unmaintained", "date": "2024-04-05", "patched_versions": [], "commit_sha": "e1fdc92ca69ffd254824ab80fbad5660f4aac911", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0331", "package": "puccinier", "title": "Puccinier is unmainted.", "date": "2024-03-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0429", "package": "glib", "title": "Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`", "date": "2024-03-30", "patched_versions": [ ">=0.20.0" ], "commit_sha": "05dff0ee696f9bcd8617cd48c4b812d046d440cb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0320", "package": "yaml-rust", "title": "yaml-rust is unmaintained.", "date": "2024-03-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0407", "package": "linkme", "title": "Fails to ensure slice elements match the slice's declared type", "date": "2024-03-05", "patched_versions": [ ">= 0.3.24" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0021", "package": "eyre", "title": "Parts of Report are dropped as the wrong type during downcast", "date": "2024-03-05", "patched_versions": [ ">= 0.6.12" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0417", "package": "gdkx11", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0418", "package": "gdk-sys", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0412", "package": "gdk", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0415", "package": "gtk", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0420", "package": "gtk-sys", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0410", "package": "gdkwayland", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0413", "package": "atk", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0419", "package": "gtk3-macros", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0414", "package": "gdkx11-sys", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0411", "package": "gdkwayland-sys", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0416", "package": "atk-sys", "title": "gtk-rs GTK3 bindings - no longer maintained", "date": "2024-03-04", "patched_versions": [], "commit_sha": "508a69b63a3c5bf73790e0e59101a955847f30d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0020", "package": "whoami", "title": "Stack buffer overflow with whoami on several Unix platforms", "date": "2024-02-28", "patched_versions": [ ">= 1.5.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0018", "package": "crayon", "title": "ObjectPool creates uninitialized memory when freeing objects", "date": "2024-02-27", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0014", "package": "generational-arena", "title": "`generational-arena` is unmaintained", "date": "2024-02-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0013", "package": "libgit2-sys", "title": "Memory corruption, denial of service, and arbitrary code execution in libgit2", "date": "2024-02-06", "patched_versions": [ ">= 0.16.2" ], "commit_sha": "9e57876be78924c1e5f3f268bb599e3981fe58bb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0010", "package": "svix", "title": "Improper comparison of different-length signatures", "date": "2024-02-06", "patched_versions": [ ">= 1.17.0" ], "commit_sha": "958821bd3b956d1436af65f70a0964d4ffb7daf6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0396", "package": "conrod_core", "title": "`conrod_core` is unmaintained", "date": "2024-01-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0015", "package": "filesystem", "title": "filesystem-rs may be implicitly unmaintained", "date": "2024-01-25", "patched_versions": [], "commit_sha": "895c59a81f85009fca8a5e9e8e727d4642f3adbc", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0004", "package": "cosmwasm", "title": "`cosmwasm` is unmaintained", "date": "2024-01-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0007", "package": "rust-i18n-support", "title": "Use-after-free when setting the locale", "date": "2024-01-19", "patched_versions": [ ">= 3.0.1" ], "commit_sha": "22e0609591a2c08930f52a0e6bc860f02a0e88c0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0001", "package": "ferris-says", "title": "Unsound use of str::from_utf8_unchecked on bytes which are not UTF-8", "date": "2024-01-13", "patched_versions": [ ">= 0.3.1" ], "commit_sha": "bb661f29e0d88968c495a4ea4dc63ff0e2c2c11a", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2024-0005", "package": "threadalone", "title": "Unsound sending of non-Send types across threads", "date": "2024-01-07", "patched_versions": [ ">= 0.2.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0075", "package": "unsafe-libyaml", "title": "Unaligned write of u64 on 32-bit and 16-bit platforms", "date": "2023-12-20", "patched_versions": [ ">= 0.2.10" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0080", "package": "transpose", "title": "Buffer overflow due to integer overflow in `transpose`", "date": "2023-12-18", "patched_versions": [ ">= 0.2.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0074", "package": "zerocopy", "title": "Some Ref methods are unsound with some type parameters", "date": "2023-12-14", "patched_versions": [ ">= 0.2.9, < 0.3.0", ">= 0.3.2, < 0.4.0", ">= 0.4.1, < 0.5.0", ">= 0.5.2, < 0.6.0", ">= 0.6.6, < 0.7.0", ">= 0.7.31" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0073", "package": "candid", "title": "Infinite decoding loop through specially crafted payload", "date": "2023-12-08", "patched_versions": [ ">= 0.9.10" ], "commit_sha": "b233dbc2d2bcc79c9fc574dd5968269df680b073", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0079", "package": "pqc_kyber", "title": "KyberSlash: division timings depending on secrets", "date": "2023-12-01", "patched_versions": [], "commit_sha": "b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0072", "package": "openssl", "title": "`openssl` `X509StoreRef::objects` is unsound", "date": "2023-11-23", "patched_versions": [ ">= 0.10.60" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0071", "package": "rsa", "title": "Marvin Attack: potential key recovery through timing sidechannels", "date": "2023-11-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0076", "package": "cpython", "title": "`cpython` is unmaintained", "date": "2023-11-14", "patched_versions": [], "commit_sha": "e815555629e557be084813045ca1ddebc2f76ef9", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0088", "package": "loopdev", "title": "`loopdev` crate is unmaintained; use 'loopdev-3` instead.", "date": "2023-11-13", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0070", "package": "self_cell", "title": "Insufficient covariance check makes self_cell unsound", "date": "2023-11-10", "patched_versions": [ ">= 0.10.3, < 1.0.0", ">= 1.0.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0077", "package": "rosenpass", "title": "Remotely exploitable DoS condition in Rosenpass <=0.2.0", "date": "2023-11-04", "patched_versions": [ ">= 0.2.1" ], "commit_sha": "93439858d1c44294a7b377f775c4fc897a370bb2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0094", "package": "martin-mbtiles", "title": "`martin-mbtiles` has been renamed to `mbtiles`", "date": "2023-10-30", "patched_versions": [], "commit_sha": "8a8814e7cc97d44f4d194586b3e9deb904c99488", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0078", "package": "tracing", "title": "Potential stack use-after-free in `Instrumented::into_inner`", "date": "2023-10-19", "patched_versions": [ ">= 0.1.40" ], "commit_sha": "82a22ee4cc4aeca2c3c1537e4115521c4a7c3c31", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0068", "package": "cocoon", "title": "Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in nonce reuse", "date": "2023-10-15", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0087", "package": "simd-json-derive", "title": "`MaybeUninit` misuse in `simd-json-derive`", "date": "2023-10-14", "patched_versions": [ ">= 0.12.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0067", "package": "fehler", "title": "`fehler` is unmaintained; use `culpa` instead", "date": "2023-10-12", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0065", "package": "tungstenite", "title": "Tungstenite allows remote attackers to cause a denial of service", "date": "2023-09-25", "patched_versions": [ ">= 0.20.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0064", "package": "gix-transport", "title": "gix-transport code execution vulnerability", "date": "2023-09-23", "patched_versions": [ ">= 0.36.1" ], "commit_sha": "c53bbd265005c7eedc316205b217e137e2b9896e", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0063", "package": "quinn-proto", "title": "Denial of service in Quinn servers", "date": "2023-09-21", "patched_versions": [ "^0.9.5", ">= 0.10.5" ], "commit_sha": "f81c2fafa7381a826c76506126b217c584082177", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0085", "package": "hpack", "title": "HPACK decoder panics on invalid input", "date": "2023-09-15", "patched_versions": [], "commit_sha": "d669282924a95311599e9e7dd53869ee96b3a2f5", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0084", "package": "hpack", "title": "`hpack` is unmaintained", "date": "2023-09-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0062", "package": "bcder", "title": "BER/CER/DER decoder panics on invalid input", "date": "2023-09-13", "patched_versions": [ ">= 0.7.3" ], "commit_sha": "4da91c3fd853e3d466d8581cf1d82b7f3255de56", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0059", "package": "users", "title": "Unaligned read of `*const *const c_char` pointer", "date": "2023-09-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0057", "package": "inventory", "title": "Fails to prohibit standard library access prior to initialization of Rust standard library runtime", "date": "2023-09-10", "patched_versions": [ ">= 0.2.0" ], "commit_sha": "b499293ff75e4f65e8cdcb50280a9247d8df814a", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0058", "package": "inventory", "title": "Exposes reference to non-Sync data to an arbitrary thread", "date": "2023-09-10", "patched_versions": [ ">= 0.2.0" ], "commit_sha": "762b5ce107a9f0d80121e614cad2d33c89c88584", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0055", "package": "lexical", "title": "Multiple soundness issues", "date": "2023-09-03", "patched_versions": [ ">= 7.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0086", "package": "lexical-core", "title": "Multiple soundness issues", "date": "2023-09-03", "patched_versions": [ ">= 1.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0056", "package": "vm-memory", "title": "Default functions in VolatileMemory trait lack bounds checks, potentially leading to out-of-bounds memory accesses", "date": "2023-09-01", "patched_versions": [ ">= 0.12.2" ], "commit_sha": "aff1dd4a5259f7deba56692840f7a2d9ca34c9c8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0049", "package": "tui", "title": "`tui` is unmaintained; use `ratatui` instead", "date": "2023-08-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0095", "package": "odoh-rs", "title": "Invalid Slice Split Results in Server Panic", "date": "2023-08-03", "patched_versions": [ ">= 1.0.2" ], "commit_sha": "c1bc4ed71dcc9842b7dc1ea26f278f105074bbaa", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0051", "package": "dlopen_derive", "title": "`dlopen_derive` is unmaintained", "date": "2023-07-30", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0048", "package": "intaglio", "title": "Unsoundness in `intern` methods on `intaglio` symbol interners", "date": "2023-07-26", "patched_versions": [ ">= 1.9.0" ], "commit_sha": "e2820d278a0a583a74c8fd5d662ab0a0b1892af7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0089", "package": "atomic-polyfill", "title": "atomic-polyfill is unmaintained", "date": "2023-07-11", "patched_versions": [], "commit_sha": "48e55c166684f37af0b00fbee5a0809b1a2bae8e", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0047", "package": "lmdb-rs", "title": "impl `FromMdbValue` for bool is unsound", "date": "2023-06-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0045", "package": "memoffset", "title": "memoffset allows reading uninitialized memory", "date": "2023-06-21", "patched_versions": [ ">= 0.6.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0044", "package": "openssl", "title": "`openssl` `X509VerifyParamRef::set_host` buffer over-read", "date": "2023-06-20", "patched_versions": [ ">= 0.10.55" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0046", "package": "cyfs-base", "title": "Misaligned pointer dereference in `ChunkId::new`", "date": "2023-06-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0042", "package": "ouroboros", "title": "Ouroboros is Unsound", "date": "2023-06-11", "patched_versions": [ ">=0.16.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0040", "package": "users", "title": "`users` crate is unmaintained", "date": "2023-06-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0041", "package": "trust-dns-server", "title": "Remote Attackers can cause Denial-of-Service (packet loops) with crafted DNS packets", "date": "2023-06-01", "patched_versions": [ "^0.22.1", ">=0.23.0-alpha.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0037", "package": "xsalsa20poly1305", "title": "crate has been renamed to `crypto_secretbox`", "date": "2023-05-16", "patched_versions": [], "commit_sha": "277e3301eec9e02bf5c7fa4980d9894949c0dfcf", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0034", "package": "h2", "title": "Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)", "date": "2023-04-14", "patched_versions": [ ">= 0.3.17" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0033", "package": "borsh", "title": "Parsing borsh messages with ZST which are not-copy/clone is unsound", "date": "2023-04-12", "patched_versions": [ ">= 1.0.0-alpha.1", "^0.10.4" ], "commit_sha": "5cb85e4f718e945a61a7255573e46fd18828e0d0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0036", "package": "tree_magic", "title": "tree_magic is Unmaintained", "date": "2023-04-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0031", "package": "spin", "title": "Initialisation failure in `Once::try_call_once` can lead to undefined behaviour for other initialisers", "date": "2023-03-31", "patched_versions": [ ">= 0.9.8" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0023", "package": "openssl", "title": "`openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read", "date": "2023-03-24", "patched_versions": [ ">= 0.10.48" ], "commit_sha": "5efceaabd69c540b487f6372be4982cf94884008", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0024", "package": "openssl", "title": "`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference", "date": "2023-03-24", "patched_versions": [ ">= 0.10.48" ], "commit_sha": "5efceaabd69c540b487f6372be4982cf94884008", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0022", "package": "openssl", "title": "`openssl` `X509NameBuilder::build` returned object is not thread safe", "date": "2023-03-24", "patched_versions": [ ">= 0.10.48" ], "commit_sha": "5efceaabd69c540b487f6372be4982cf94884008", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0030", "package": "versionize", "title": "`Versionize::deserialize` implementation for `FamStructWrapper` is lacking bound checks, potentially leading to out of bounds memory accesses", "date": "2023-03-24", "patched_versions": [ ">= 0.1.10" ], "commit_sha": "3385d797c5e5f547562d8d83fb49de69f917e1f2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0027", "package": "async-nats", "title": "TLS certificate common name validation bypass", "date": "2023-03-24", "patched_versions": [ ">= 0.29.0" ], "commit_sha": "817a7b942c462fa9d9938dcb62124173634132fb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0032", "package": "ntru", "title": "Unsound FFI: Wrong API usage causes write past allocated area", "date": "2023-03-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0021", "package": "stb_image", "title": "NULL pointer dereference in `stb_image`", "date": "2023-03-19", "patched_versions": [ ">= 0.2.5" ], "commit_sha": "caf178c21f7e8b3268703f3cadc6b7e57a6275a5", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0025", "package": "git-hash", "title": "Gitoxide has renamed its crates.", "date": "2023-03-14", "patched_versions": [], "commit_sha": "c9275b99ea43949306d93775d9d78c98fb86cfb1", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0026", "package": "git-path", "title": "Gitoxide has renamed its crates.", "date": "2023-03-14", "patched_versions": [], "commit_sha": "c9275b99ea43949306d93775d9d78c98fb86cfb1", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0017", "package": "maligned", "title": "`maligned::align_first` causes incorrect deallocation", "date": "2023-03-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0015", "package": "ascii", "title": "Ascii allows out-of-bounds array indexing in safe code", "date": "2023-02-25", "patched_versions": [ ">= 0.9.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0018", "package": "remove_dir_all", "title": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "date": "2023-02-24", "patched_versions": [ ">= 0.8.0" ], "commit_sha": "7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0016", "package": "partial_sort", "title": "Possible out-of-bounds read in release mode", "date": "2023-02-20", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0043", "package": "ftp", "title": "ftp is unmaintained, use suppaftp instead", "date": "2023-02-20", "patched_versions": [], "commit_sha": "32259e8bf17cef75949857a958b4fe7a9c2af297", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0019", "package": "kuchiki", "title": "`kuchiki` is unmaintained", "date": "2023-01-21", "patched_versions": [], "commit_sha": "f92e4c047fdc30619555da282ac7ccce1d313aa6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0002", "package": "git2", "title": "git2 Rust package suppresses ssh host key checking", "date": "2023-01-12", "patched_versions": [ ">= 0.16.0" ], "commit_sha": "bce15556ef8fd7fb4f9c5122e78febbdb5b7f1ca", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0005", "package": "tokio", "title": "`tokio::io::ReadHalf::unsplit` is Unsound", "date": "2023-01-11", "patched_versions": [ ">= 1.18.5, < 1.19.0", ">= 1.20.4, < 1.21.0", ">= 1.24.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0004", "package": "bzip2", "title": "bzip2 Denial of Service (DoS)", "date": "2023-01-09", "patched_versions": [ ">= 0.4.4" ], "commit_sha": "90c9c182cd5a5ebc75810aebd89b347a7bdf590b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2023-0001", "package": "tokio", "title": "reject_remote_clients Configuration corruption", "date": "2023-01-04", "patched_versions": [ ">= 1.18.4, < 1.19.0", ">= 1.20.3, < 1.21.0", ">= 1.23.1" ], "commit_sha": "9241c3eddf4a6a218681b088d71f7191513e2376", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0072", "package": "hyper-staticfile", "title": "Location header incorporates user input, allowing open redirect", "date": "2022-12-23", "patched_versions": [ "^0.9.4", ">= 0.10.0-alpha.5" ], "commit_sha": "f12cadc6666c6f555d29725f5bc45da2103f24ea", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0073", "package": "alloc-cortex-m", "title": "crate has been renamed to `embedded-alloc`", "date": "2022-12-21", "patched_versions": [], "commit_sha": "89cb8d50e6634130302cd444b3f547aed0fd32dc", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0077", "package": "claim", "title": "`claim` is Unmaintained", "date": "2022-12-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0074", "package": "prettytable-rs", "title": "Force cast a &Vec to &[T]", "date": "2022-12-02", "patched_versions": [ ">= 0.10.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0070", "package": "secp256k1", "title": "Unsound API in `secp256k1` allows use-after-free and invalid deallocation from safe code", "date": "2022-11-30", "patched_versions": [ ">= 0.22.2, < 0.23.0", ">= 0.23.5, < 0.24.0", ">= 0.24.2" ], "commit_sha": "29c13638dc679db708fa466376650cb0bf758eff", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0069", "package": "hyper-staticfile", "title": "Improper validation of Windows paths could lead to directory traversal attack", "date": "2022-11-30", "patched_versions": [ "^0.9.2", ">= 0.10.0-alpha.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0080", "package": "parity-util-mem", "title": "parity-util-mem Unmaintained", "date": "2022-11-30", "patched_versions": [], "commit_sha": "806ca48a95c06014e0fde74a1382dc128da62206", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0094", "package": "mimalloc", "title": "Mimalloc Can Allocate Memory with Bad Alignment", "date": "2022-11-23", "patched_versions": [ ">= 0.1.39" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0075", "package": "wasmtime", "title": "Bug in pooling instance allocator", "date": "2022-11-10", "patched_versions": [ ">= 1.0.2, < 2.0.0", ">= 2.0.2" ], "commit_sha": "2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0076", "package": "wasmtime", "title": "Bug in Wasmtime implementation of pooling instance allocator", "date": "2022-11-10", "patched_versions": [ ">= 1.0.2, < 2.0.0", ">= 2.0.2" ], "commit_sha": "e60c3742904ccbb3e26da201c9221c38a4981d72", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0079", "package": "elf_rs", "title": "ELF header parsing library doesn't check for valid offset", "date": "2022-10-31", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0083", "package": "evm", "title": "evm incorrect state transition", "date": "2022-10-25", "patched_versions": [ ">= 0.36.0" ], "commit_sha": "6534c1dd8ad77b53d05032f80e8a5f2de4d37fd2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0062", "package": "matrix-sdk", "title": "matrix-sdk 0.6.0 logs access tokens", "date": "2022-10-24", "patched_versions": [ ">= 0.6.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0067", "package": "lzf", "title": "Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`", "date": "2022-10-22", "patched_versions": [ ">= 0.3.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0087", "package": "slack-morphism", "title": "Slack Webhooks secrets leak in debug logs", "date": "2022-10-10", "patched_versions": [ ">= 1.3.2" ], "commit_sha": "65ef9fac4f39c4e171e2952a6cf029bb0d059a89", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0061", "package": "parity-wasm", "title": "Crate `parity-wasm` deprecated by the author", "date": "2022-10-01", "patched_versions": [], "commit_sha": "b760a74d4b533adb01c52fb5a91d59ab87587097", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0085", "package": "matrix-sdk-crypto", "title": "matrix-sdk Impersonation of room keys", "date": "2022-09-29", "patched_versions": [ ">= 0.6.0" ], "commit_sha": "093fb5d0aa21c0b5eaea6ec96b477f1075271cbb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0091", "package": "tauri", "title": "`tauri` filesystem scope partial bypass", "date": "2022-09-19", "patched_versions": [ ">= 1.0.7, < 1.1.0", ">= 1.1.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0055", "package": "axum-core", "title": "No default limit put on request bodies", "date": "2022-08-31", "patched_versions": [ ">= 0.2.8, < 0.3.0-rc.1", ">= 0.3.0-rc.2" ], "commit_sha": "759e9887473b2c6fee3cb5650b286a0a72215150", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0057", "package": "badge", "title": "badge is Unmaintained", "date": "2022-08-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0052", "package": "os_socketaddr", "title": "`os_socketaddr` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2022-08-26", "patched_versions": [ ">= 0.2.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0051", "package": "lz4-sys", "title": "Memory corruption in liblz4", "date": "2022-08-25", "patched_versions": [ ">= 1.9.4" ], "commit_sha": "7a966c1511816b53ac93aa2f2a2ff97e036a4a60", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0053", "package": "mapr", "title": "mapr is Unmaintained", "date": "2022-08-24", "patched_versions": [], "commit_sha": "f42031da81d0fd00d6f40030a64d53408012b971", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0049", "package": "iana-time-zone", "title": "Use after free in MacOS / iOS implementation", "date": "2022-08-15", "patched_versions": [ ">= 0.1.45" ], "commit_sha": "46ac3438179013e20d6da0706b421eb402cce48e", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0088", "package": "tauri", "title": "`tauri`'s `readDir` endpoint allows possible enumeration outside of filesystem scope", "date": "2022-08-07", "patched_versions": [ ">= 1.0.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0050", "package": "interledger-packet", "title": "Interledger is Unmaintained", "date": "2022-08-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0086", "package": "slack-morphism", "title": "Slack OAuth Secrets leak in debug logs", "date": "2022-07-22", "patched_versions": [ ">= 0.41.0" ], "commit_sha": "4923fb7d458ed28c0302244c54cb4df0acee7ee6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0034", "package": "pkcs11", "title": "Safety issues in `pkcs11`", "date": "2022-07-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0037", "package": "async-graphql", "title": "Denial of service on deeply nested fragment requests", "date": "2022-07-21", "patched_versions": [ ">= 4.0.6" ], "commit_sha": "521769b80039fc8043d1c9883e3d6e5b57359072", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0056", "package": "clipboard", "title": "clipboard is Unmaintained", "date": "2022-06-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0029", "package": "crossbeam", "title": "`MsQueue` `push`/`pop` use the wrong orderings", "date": "2022-06-07", "patched_versions": [ ">= 0.3.0" ], "commit_sha": "bf1fb5627d67582a53ef712e8cb07fb9ebf878fa", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0028", "package": "neon", "title": "Use after free in Neon external buffers", "date": "2022-05-22", "patched_versions": [ ">= 0.10.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0046", "package": "rocksdb", "title": "Out-of-bounds read when opening multiple column families with TTL", "date": "2022-05-11", "patched_versions": [ ">= 0.19.0" ], "commit_sha": "701d46198b847fdd8e2429c1cdea17cca665574b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0024", "package": "double-checked-cell", "title": "double-checked-cell is unmaintained", "date": "2022-05-11", "patched_versions": [], "commit_sha": "9cf94d75316ef441033ce4c80def7c1a8c7643fe", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0054", "package": "wee_alloc", "title": "wee_alloc is Unmaintained", "date": "2022-05-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0023", "package": "static_type_map", "title": "`static_type_map` has been renamed to `erased_set`", "date": "2022-05-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0019", "package": "crossbeam-channel", "title": "Channel creates zero value of any type", "date": "2022-05-10", "patched_versions": [ ">= 0.4.3" ], "commit_sha": "8903df8970454be368b00b867c668e53773df0eb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0021", "package": "crossbeam-queue", "title": "`SegQueue` creates zero value of any type", "date": "2022-05-10", "patched_versions": [ ">= 0.2.3" ], "commit_sha": "8903df8970454be368b00b867c668e53773df0eb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0020", "package": "crossbeam", "title": "`SegQueue` creates zero value of any type", "date": "2022-05-10", "patched_versions": [ ">= 0.7.0" ], "commit_sha": "8903df8970454be368b00b867c668e53773df0eb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0022", "package": "hyper", "title": "Parser creates invalid uninitialized value", "date": "2022-05-10", "patched_versions": [ ">= 0.14.12" ], "commit_sha": "95a978344c29351e2e381af0a91772093e01e255", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0071", "package": "rusoto_credential", "title": "Rusoto is unmaintained", "date": "2022-04-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0092", "package": "rmp-serde", "title": "`rmp-serde` `Raw` and `RawRef` unsound", "date": "2022-04-13", "patched_versions": [ ">= 1.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0015", "package": "pty", "title": "pty is unmaintained", "date": "2022-03-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0012", "package": "arrow2", "title": "Arrow2 allows double free in `safe` code", "date": "2022-03-04", "patched_versions": [ ">= 0.7.1, < 0.8", ">= 0.8.2, < 0.9", ">= 0.9.2, < 0.10", ">= 0.10.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0041", "package": "crossbeam-utils", "title": "Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64", "date": "2022-02-05", "patched_versions": [ ">= 0.8.7" ], "commit_sha": "924436cc71b5d7245631a0cf4f02ff536630a1fd", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0081", "package": "json", "title": "json is unmaintained", "date": "2022-02-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0040", "package": "owning_ref", "title": "Multiple soundness issues in `owning_ref`", "date": "2022-01-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0048", "package": "xml-rs", "title": "xml-rs is Unmaintained", "date": "2022-01-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0007", "package": "qcell", "title": "A malicious coder can get unsound access to TCell or TLCell memory", "date": "2022-01-24", "patched_versions": [ ">= 0.4.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0006", "package": "thread_local", "title": "Data race in `Iter` and `IterMut`", "date": "2022-01-23", "patched_versions": [ ">= 1.1.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0005", "package": "ftd2xx-embedded-hal", "title": "crate has been renamed to `ftdi-embedded-hal`", "date": "2022-01-22", "patched_versions": [], "commit_sha": "6a0ee4534f084fbfbb30ac06d14c21dde1f9d1f3", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0043", "package": "tower-http", "title": "Improper validation of Windows paths could lead to directory traversal attack", "date": "2022-01-21", "patched_versions": [ ">= 0.2.1", ">= 0.1.3, < 0.2.0" ], "commit_sha": "ec394e7e082ed315ab515eddddc4f958361939ef", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0003", "package": "ammonia", "title": "Space bug in `clean_text`", "date": "2022-01-19", "patched_versions": [ ">= 3.1.3" ], "commit_sha": "b2b4346a2f16f34bc3d5c6e4f202e3471464fee2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0044", "package": "markdown", "title": "`markdown` (1.0.0 and higher) is maintained", "date": "2022-01-17", "patched_versions": [ ">= 1.0.0-alpha.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0039", "package": "odbc", "title": "project abandoned", "date": "2022-01-17", "patched_versions": [], "commit_sha": "f9e5f77fac0a6328f9759e6e0f9e10c16509aebb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0036", "package": "r2d2_odbc", "title": "project abandoned", "date": "2022-01-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0082", "package": "warp", "title": "Improper validation of Windows paths could lead to directory traversal attack", "date": "2022-01-14", "patched_versions": [ ">= 0.3.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0002", "package": "dashmap", "title": "Unsoundness in `dashmap` references", "date": "2022-01-10", "patched_versions": [ ">= 5.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2022-0008", "package": "windows", "title": "Delegate functions are missing `Send` bound", "date": "2022-01-02", "patched_versions": [ ">= 0.32.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0134", "package": "rental", "title": "rental is unmaintained, author has moved on", "date": "2021-12-27", "patched_versions": [], "commit_sha": "213671ab3aab3452efd7e2290c6bb714ee327014", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0141", "package": "dotenv", "title": "dotenv is Unmaintained", "date": "2021-12-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0142", "package": "dotenv_codegen", "title": "dotenv is Unmaintained", "date": "2021-12-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0130", "package": "lru", "title": "Use after free in lru crate", "date": "2021-12-21", "patched_versions": [ ">= 0.7.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0131", "package": "brotli-sys", "title": "Integer overflow in the bundled Brotli C library", "date": "2021-12-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0128", "package": "rusqlite", "title": "Incorrect Lifetime Bounds on Closures in `rusqlite`", "date": "2021-12-07", "patched_versions": [ ">= 0.26.2", "0.25.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0153", "package": "encoding", "title": "`encoding` is unmaintained", "date": "2021-12-05", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0126", "package": "rust-embed", "title": "RustEmbed generated `get` method allows for directory traversal when reading files from disk", "date": "2021-11-29", "patched_versions": [ ">= 6.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0124", "package": "tokio", "title": "Data race when sending and receiving after closing a `oneshot` channel", "date": "2021-11-16", "patched_versions": [ ">= 1.8.4, < 1.9.0", ">= 1.13.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0123", "package": "fruity", "title": "Converting `NSString` to a String Truncates at Null Bytes", "date": "2021-11-14", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0125", "package": "simple_asn1", "title": "Panic on incorrect date input to `simple_asn1`", "date": "2021-11-14", "patched_versions": [ ">=0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0122", "package": "flatbuffers", "title": "Generated code can read and write out of bounds in safe code", "date": "2021-10-31", "patched_versions": [ ">= 22.9.29" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0137", "package": "sodiumoxide", "title": "sodiumoxide is deprecated", "date": "2021-10-22", "patched_versions": [], "commit_sha": "5bb1dfd2578539b89ffb0cbea25f21f00cfb963e", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0120", "package": "abomonation", "title": "abomonation transmutes &T to and from &[u8] without sufficient constraints", "date": "2021-10-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0138", "package": "mz-avro", "title": "Incorrect use of `set_len` allows for un-initialized memory", "date": "2021-10-14", "patched_versions": [ ">= 0.7.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0121", "package": "crypto2", "title": "Non-aligned u32 read in Chacha20 encryption and decryption", "date": "2021-10-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0144", "package": "traitobject", "title": "traitobject is Unmaintained", "date": "2021-10-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0119", "package": "nix", "title": "Out-of-bounds write in nix::unistd::getgrouplist", "date": "2021-09-27", "patched_versions": [ "^0.20.2", "^0.21.2", "^0.22.2", ">= 0.23.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0115", "package": "zeroize_derive", "title": "`#[zeroize(drop)]` doesn't implement `Drop` for `enum`s", "date": "2021-09-24", "patched_versions": [ ">= 1.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0114", "package": "nanorand", "title": "Aliased mutable references from `tls_rand` & `TlsWyRand`", "date": "2021-09-23", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0111", "package": "tremor-script", "title": "Memory Safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`", "date": "2021-09-16", "patched_versions": [ ">= 0.11.6" ], "commit_sha": "ec22294e1fab94bf344d85b7664d224e4790ddec", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0116", "package": "arrow", "title": "`BinaryArray` does not perform bound checks on reading values and offsets", "date": "2021-09-14", "patched_versions": [ ">= 6.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0117", "package": "arrow", "title": "`DecimalArray` does not perform bound checks on accessing values and offsets", "date": "2021-09-14", "patched_versions": [ ">= 6.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0118", "package": "arrow", "title": "`FixedSizeBinaryArray` does not perform bound checks on accessing values and offsets", "date": "2021-09-14", "patched_versions": [ ">= 6.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0154", "package": "fuser", "title": "Uninitalized memory read & leak caused by fuser crate", "date": "2021-09-10", "patched_versions": [ ">= 0.16.0" ], "commit_sha": "47113e10ea4ab4be5b562cdc0d8cc8d41ce50311", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0100", "package": "sha2", "title": "Miscomputed results when using AVX2 backend", "date": "2021-09-08", "patched_versions": [ ">= 0.9.8" ], "commit_sha": "93d895de72c2cb3ac7bc106f03e33715f8f304c2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0147", "package": "daemonize", "title": "`daemonize` is Unmaintained", "date": "2021-09-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0099", "package": "cosmos_sdk", "title": "Crate has been renamed to `cosmrs`", "date": "2021-08-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0139", "package": "ansi_term", "title": "ansi_term is Unmaintained", "date": "2021-08-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0096", "package": "spirv_headers", "title": "spirv_headers is unmaintained, use spirv instead", "date": "2021-08-16", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0082", "package": "vec-const", "title": "vec-const attempts to construct a Vec from a pointer to a const slice", "date": "2021-08-14", "patched_versions": [ ">= 2.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0080", "package": "tar", "title": "Links in archive can create arbitrary directories", "date": "2021-07-19", "patched_versions": [ ">= 0.4.36" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0076", "package": "libsecp256k1", "title": "libsecp256k1 allows overflowing signatures", "date": "2021-07-13", "patched_versions": [ ">= 0.5.0" ], "commit_sha": "b525d5d318d9672a40250c1725fa1bb3156688b7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0073", "package": "prost-types", "title": "Conversion from `prost_types::Timestamp` to `SystemTime` can cause an overflow and panic", "date": "2021-07-08", "patched_versions": [ ">= 0.8.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0075", "package": "ark-r1cs-std", "title": "Flaw in `FieldVar::mul_by_inverse` allows unsound R1CS constraint systems", "date": "2021-07-08", "patched_versions": [ ">= 0.3.1" ], "commit_sha": "47ddbaa411afe7c499311a248a38135e5a192b67", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0074", "package": "ammonia", "title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS", "date": "2021-07-08", "patched_versions": [ ">= 3.1.0", ">= 2.1.3, < 3.0.0" ], "commit_sha": "bcdf2d862675a37f4cace6c5258bb09aac0b9f85", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0072", "package": "tokio", "title": "Task dropped in wrong thread when aborting `LocalSet` task", "date": "2021-07-07", "patched_versions": [ ">= 1.5.1, < 1.6.0", ">= 1.6.3, < 1.7.0", ">= 1.7.2, < 1.8.0", ">= 1.8.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0145", "package": "atty", "title": "Potential unaligned read", "date": "2021-07-04", "patched_versions": [], "commit_sha": "4a91c27fe236ee06b4c6106f7d3ef03fe58832dc", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0071", "package": "grep-cli", "title": "`grep-cli` may run arbitrary executables on Windows", "date": "2021-06-12", "patched_versions": [ ">= 0.1.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0070", "package": "nalgebra", "title": "VecStorage Deserialize Allows Violation of Length Invariant", "date": "2021-06-06", "patched_versions": [ ">= 0.27.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0095", "package": "mopa", "title": "`mopa` is technically unsound", "date": "2021-06-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0069", "package": "lettre", "title": "SMTP command injection in body", "date": "2021-05-22", "patched_versions": [ ">= 0.10.0-rc.3", "< 0.10.0-alpha.1, >= 0.9.6" ], "commit_sha": "b0e2fc9bcac466d49fca8d25a6c6252811a29c6c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0146", "package": "twoway", "title": "Crate `twoway` deprecated by the author", "date": "2021-05-20", "patched_versions": [], "commit_sha": "e99b3c718df1117ad7f54c33f6540c8f46cc17dd", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0068", "package": "iced-x86", "title": "Soundness issue in `iced-x86` versions <= 1.10.3", "date": "2021-05-19", "patched_versions": [ "> 1.10.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0065", "package": "anymap", "title": "anymap is unmaintained.", "date": "2021-05-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0064", "package": "cpuid-bool", "title": "`cpuid-bool` has been renamed to `cpufeatures`", "date": "2021-05-06", "patched_versions": [], "commit_sha": "b2d97b23e721f509fa6004175f3ffdf40d9e7402", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0060", "package": "aes-soft", "title": "`aes-soft` has been merged into the `aes` crate", "date": "2021-04-29", "patched_versions": [], "commit_sha": "cd5a34f0533b0acf310a29c0cbbd55e94c9741d8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0059", "package": "aesni", "title": "`aesni` has been merged into the `aes` crate", "date": "2021-04-29", "patched_versions": [], "commit_sha": "cd5a34f0533b0acf310a29c0cbbd55e94c9741d8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0061", "package": "aes-ctr", "title": "`aes-ctr` has been merged into the `aes` crate", "date": "2021-04-29", "patched_versions": [], "commit_sha": "cd5a34f0533b0acf310a29c0cbbd55e94c9741d8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0054", "package": "rkyv", "title": "Archives may contain uninitialized memory", "date": "2021-04-28", "patched_versions": [ ">= 0.6.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0113", "package": "metrics-util", "title": "AtomicBucket unconditionally implements Send/Sync", "date": "2021-04-07", "patched_versions": [ ">= 0.7.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0136", "package": "sass-rs", "title": "`sass-rs` has been deprecated", "date": "2021-04-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0041", "package": "parse_duration", "title": "Denial of service through parsing payloads with too big exponent", "date": "2021-03-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0053", "package": "algorithmica", "title": "'merge_sort::merge()' crashes with double-free for `T: Drop`", "date": "2021-03-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0038", "package": "fltk", "title": "Multiple memory safety issues", "date": "2021-03-06", "patched_versions": [ ">= 0.15.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0037", "package": "diesel", "title": "Fix a use-after-free bug in diesels Sqlite backend", "date": "2021-03-05", "patched_versions": [ ">= 1.4.6" ], "commit_sha": "ae72835078156a3ff3b5b17e2a235189ef892af7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0035", "package": "quinn", "title": "`quinn` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2021-03-04", "patched_versions": [ "^0.5.4", "^0.6.2", ">= 0.7.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0036", "package": "internment", "title": "Intern: Data race allowed on T", "date": "2021-03-03", "patched_versions": [ ">= 0.4.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0032", "package": "byte_struct", "title": "Deserializing an array can drop uninitialized memory on panic", "date": "2021-03-01", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0062", "package": "miscreant", "title": "project abandoned; migrate to the `aes-siv` crate", "date": "2021-02-28", "patched_versions": [], "commit_sha": "5d921f579e0c2b9960d472cf377b8487d97fbcec", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0052", "package": "id-map", "title": "Multiple functions can cause double-frees", "date": "2021-02-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0050", "package": "reorder", "title": "swap_index can write out of bounds and return uninitialized memory", "date": "2021-02-24", "patched_versions": [ ">= 1.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0033", "package": "stack_dst", "title": "push_cloned can drop uninitialized memory or double free on panic", "date": "2021-02-22", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0047", "package": "slice-deque", "title": "SliceDeque::drain_filter can double drop an element if the predicate panics", "date": "2021-02-19", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0028", "package": "toodee", "title": "Multiple memory safety issues in insert_row", "date": "2021-02-19", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0048", "package": "stackvector", "title": "StackVec::extend can write out of bounds when size_hint is incorrect", "date": "2021-02-19", "patched_versions": [ ">= 1.0.9" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0030", "package": "scratchpad", "title": "move_elements can double-free objects on panic", "date": "2021-02-18", "patched_versions": [ ">= 1.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0049", "package": "through", "title": "`through` and `through_and` causes a double free if the map function panics", "date": "2021-02-18", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0029", "package": "truetype", "title": "Tape::take_bytes exposes uninitialized memory to a user-provided Read", "date": "2021-02-17", "patched_versions": [ ">= 0.30.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0112", "package": "tectonic_xdv", "title": "`Read` on uninitialized buffer may cause UB ('tectonic_xdv' crate)", "date": "2021-02-17", "patched_versions": [ ">= 0.1.12" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0043", "package": "uu_od", "title": "PartialReader passes uninitialized memory to user-provided Read", "date": "2021-02-17", "patched_versions": [ ">= 0.0.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0046", "package": "telemetry", "title": "misc::vec_with_size() can drop uninitialized memory if clone panics", "date": "2021-02-17", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0024", "package": "safe-api", "title": "crate has been renamed to `sn_api`", "date": "2021-02-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0025", "package": "jsonrpc-quic", "title": "crate has been renamed to `qjsonrpc`", "date": "2021-02-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0021", "package": "nb-connect", "title": "`nb-connect` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2021-02-14", "patched_versions": [ ">= 1.0.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0023", "package": "rand_core", "title": "Incorrect check on buffer length when seeding RNGs", "date": "2021-02-12", "patched_versions": [ ">= 0.6.2" ], "commit_sha": "3a03c9eb5350e03a3f540dba2ee34e0984f2c2c2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0044", "package": "rocket", "title": "Use after free possible in `uri::Formatter` on panic", "date": "2021-02-09", "patched_versions": [ ">= 0.4.7" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0019", "package": "xcb", "title": "Multiple soundness issues", "date": "2021-02-04", "patched_versions": [ ">= 1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0034", "package": "office", "title": "office is unmaintained, use calamine instead", "date": "2021-02-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0018", "package": "qwutils", "title": "insert_slice_clone can double drop if Clone panics.", "date": "2021-02-03", "patched_versions": [ ">= 0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0094", "package": "rdiff", "title": "Window can read out of bounds if Read instance returns more bytes than buffer size", "date": "2021-02-03", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0051", "package": "outer_cgi", "title": "KeyValueReader passes uninitialized memory to Read instance", "date": "2021-01-31", "patched_versions": [ ">= 0.2.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0031", "package": "nano_arena", "title": "split_at allows obtaining multiple mutable references to the same data", "date": "2021-01-31", "patched_versions": [ ">= 0.5.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0017", "package": "postscript", "title": "`Read` on uninitialized buffer may cause UB (`impl Walue for Vec`)", "date": "2021-01-30", "patched_versions": [ ">= 0.14.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0092", "package": "messagepack-rs", "title": "Deserialization functions pass uninitialized memory to user-provided Read", "date": "2021-01-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0016", "package": "ms3d", "title": "`IoReader::read()`: user-provided `Read` on uninitialized buffer may cause UB", "date": "2021-01-26", "patched_versions": [ ">= 0.1.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0042", "package": "insert_many", "title": "insert_many can drop elements twice on panic", "date": "2021-01-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0014", "package": "marc", "title": "Record::read : Custom `Read` on uninitialized buffer may cause UB", "date": "2021-01-26", "patched_versions": [ ">= 2.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0135", "package": "tower-http", "title": "Improper validation of Windows paths could lead to directory traversal attack", "date": "2021-01-21", "patched_versions": [ ">= 0.2.1", ">= 0.1.3, < 0.2.0" ], "commit_sha": "ec394e7e082ed315ab515eddddc4f958361939ef", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0083", "package": "derive-com-impl", "title": "QueryInterface should call AddRef before returning pointer", "date": "2021-01-20", "patched_versions": [ ">= 0.1.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0089", "package": "raw-cpuid", "title": "Optional `Deserialize` implementations lacking validation", "date": "2021-01-20", "patched_versions": [ ">= 9.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0013", "package": "raw-cpuid", "title": "Soundness issues in `raw-cpuid`", "date": "2021-01-20", "patched_versions": [ ">= 9.0.0" ], "commit_sha": "b33006702bd96c68a6828f21862f7923eee94f5d", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0152", "package": "out-reference", "title": "`out_reference::Out::from_raw` should be `unsafe`", "date": "2021-01-20", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0004", "package": "lazy-init", "title": "Missing Send bound for Lazy", "date": "2021-01-17", "patched_versions": [ "> 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0010", "package": "containers", "title": "panic safety: double drop may happen within `util::{mutate, mutate2}`", "date": "2021-01-12", "patched_versions": [ ">= 0.9.11" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0040", "package": "arenavec", "title": "panic safety: double drop or uninitialized drop of T upon panic", "date": "2021-01-12", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0045", "package": "adtensor", "title": "FromIterator implementation for Vector/Matrix can drop uninitialized memory", "date": "2021-01-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0005", "package": "glsl-layout", "title": "Double drop upon panic in 'fn map_array()'", "date": "2021-01-10", "patched_versions": [ ">= 0.4.0" ], "commit_sha": "4298b9de04c7b721d242f2169dbb6f155788c859", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0009", "package": "basic_dsp_matrix", "title": "panic safety issue in `impl TransformContent for [S; (2|3|4)]`", "date": "2021-01-10", "patched_versions": [ ">= 0.9.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0003", "package": "smallvec", "title": "Buffer overflow in SmallVec::insert_many", "date": "2021-01-08", "patched_versions": [ ">= 0.6.14, < 1.0.0", ">= 1.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0086", "package": "flumedb", "title": "`Read` on uninitialized buffer may cause UB ( `read_entry()` )", "date": "2021-01-07", "patched_versions": [ ">=0.1.6" ], "commit_sha": "14b7440271c9d2316fab52c745e21087559364f6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0007", "package": "av-data", "title": "`Frame::copy_from_raw_parts` can lead to segfault without `unsafe`", "date": "2021-01-07", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0090", "package": "ash", "title": "Reading on uninitialized memory may cause UB ( `util::read_spv()` )", "date": "2021-01-07", "patched_versions": [ ">= 0.33.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0087", "package": "columnar", "title": "columnar: `Read` on uninitialized buffer may cause UB (ColumnarReadExt::read_typed_vec())", "date": "2021-01-07", "patched_versions": [ ">= 0.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0091", "package": "gfx-auxil", "title": "Reading on uninitialized buffer may cause UB ( `gfx_auxil::read_spirv()` )", "date": "2021-01-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0015", "package": "calamine", "title": "`Sectors::get` accesses unclaimed/uninitialized memory", "date": "2021-01-06", "patched_versions": [ ">= 0.17.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0088", "package": "csv-sniffer", "title": "`Read` on uninitialized memory may cause UB (fn preamble_skipcount())", "date": "2021-01-05", "patched_versions": [ ">= 0.2.0" ], "commit_sha": "c7710414aa256c7cd33fb4530656f5ab38e306f7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0011", "package": "fil-ocl", "title": "EventList's From conversions can double drop on panic.", "date": "2021-01-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0143", "package": "kamadak-exif", "title": "kamadak-exif DoS with untrusted PNG data", "date": "2021-01-04", "patched_versions": [ ">= 0.5.3" ], "commit_sha": "1b05eab57e484cd7d576d4357b9cda7fdc57df8c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0085", "package": "binjs_io", "title": "'Read' on uninitialized memory may cause UB", "date": "2021-01-03", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0084", "package": "bronzedb-protocol", "title": "`Read` on uninitialized buffer can cause UB (impl of `ReadKVExt`)", "date": "2021-01-03", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0012", "package": "cdr", "title": "Reading uninitialized memory can cause UB (`Deserializer::read_vec`)", "date": "2021-01-02", "patched_versions": [ ">= 0.2.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0008", "package": "bra", "title": "reading on uninitialized buffer can cause UB (`impl BufRead for GreedyAccessReader`)", "date": "2021-01-02", "patched_versions": [ ">= 0.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2021-0006", "package": "cache", "title": "Exposes internally used raw pointer", "date": "2021-01-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0132", "package": "array-tools", "title": "`FixedCapacityDequeLike::clone()` can cause dropping uninitialized memory", "date": "2020-12-31", "patched_versions": [ ">= 0.3.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0103", "package": "autorand", "title": "`impl Random` on arrays can lead to dropping uninitialized memory", "date": "2020-12-31", "patched_versions": [ ">= 0.2.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0153", "package": "bite", "title": "`read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)", "date": "2020-12-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0154", "package": "buffoon", "title": "InputStream::read_exact : `Read` on uninitialized buffer causes UB", "date": "2020-12-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0155", "package": "acc_reader", "title": "`Read` on uninitialized buffer in `fill_buf()` and `read_up_to()`", "date": "2020-12-27", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0143", "package": "multiqueue", "title": "Queues allow non-Send types to be sent to other threads, allowing data races", "date": "2020-12-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0109", "package": "stderr", "title": "stderr is unmaintained; use eprintln instead", "date": "2020-12-22", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0114", "package": "va-ts", "title": "`Demuxer` can carry non-Send types across thread boundaries", "date": "2020-12-22", "patched_versions": [ ">= 0.0.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0101", "package": "conquer-once", "title": "conquer-once's OnceCell lacks Send bound for its Sync trait.", "date": "2020-12-22", "patched_versions": [ ">= 0.3.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0105", "package": "abi_stable", "title": "Update unsound DrainFilter and RString::retain", "date": "2020-12-21", "patched_versions": [ ">= 0.9.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0108", "package": "eventio", "title": "Soundness issue: Input can be misused to create data race to an object", "date": "2020-12-20", "patched_versions": [ ">= 0.5.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0095", "package": "difference", "title": "difference is unmaintained", "date": "2020-12-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0106", "package": "multiqueue2", "title": "Queues allow non-Send types to be sent to other threads, allowing data races", "date": "2020-12-19", "patched_versions": [ ">= 0.1.7" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0127", "package": "v9", "title": "SyncRef's clone() and debug() allow data races", "date": "2020-12-18", "patched_versions": [ ">= 0.1.43" ], "commit_sha": "18847c50e5d36561cc91c996c3539ddb1eacf6c7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0112", "package": "buttplug", "title": "ButtplugFutureStateShared allows data race to (!Send|!Sync) objects", "date": "2020-12-18", "patched_versions": [ ">= 1.0.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0152", "package": "max7301", "title": "ImmediateIO and TransactionalIO can cause data races", "date": "2020-12-18", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0129", "package": "kekbit", "title": "ShmWriter allows sending non-Send type across threads", "date": "2020-12-18", "patched_versions": [ ">= 0.3.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0098", "package": "rusb", "title": "UsbContext trait did not require implementers to be Send and Sync.", "date": "2020-12-18", "patched_versions": [ ">= 0.7.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0150", "package": "disrustor", "title": "RingBuffer can create multiple mutable references and cause data races", "date": "2020-12-17", "patched_versions": [ ">= 0.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0097", "package": "xcb", "title": "Soundness issue with base::Error", "date": "2020-12-10", "patched_versions": [ ">= 1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0141", "package": "noise_search", "title": "MvccRwLock allows data races & aliasing violations", "date": "2020-12-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0148", "package": "cgc", "title": "Multiple soundness issues in `Ptr`", "date": "2020-12-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0091", "package": "arc-swap", "title": "Dangling reference in `access::Map` with Constant", "date": "2020-12-10", "patched_versions": [ ">= 0.4.8, < 1.0.0-0", ">= 1.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0118", "package": "tiny_future", "title": "Future lacks bounds on Send and Sync.", "date": "2020-12-08", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0124", "package": "async-coap", "title": "ArcGuard's Send and Sync should have bounds on RC", "date": "2020-12-08", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0104", "package": "gfwx", "title": "ImageChunkMut needs bounds on its Send and Sync traits", "date": "2020-12-08", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0084", "package": "safe_authenticator", "title": "crate has been superseded by `sn_client`", "date": "2020-12-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0085", "package": "safe_vault", "title": "crate has been renamed to `sn_node`", "date": "2020-12-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0086", "package": "safe_core", "title": "crate has been renamed to `sn_client`", "date": "2020-12-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0083", "package": "safe_app", "title": "crate has been superseded by `sn_client`", "date": "2020-12-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0082", "package": "ordered-float", "title": "ordered_float:NotNan may contain NaN after panic in assignment operators", "date": "2020-12-06", "patched_versions": [ "^1.1.1", ">= 2.0.1" ], "commit_sha": "c55cda301c943270b7eb2b4765bedbcce56edb90", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0077", "package": "memmap", "title": "memmap is unmaintained", "date": "2020-12-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0094", "package": "reffers", "title": "Unsound: can make `ARefss` contain a !Send, !Sync object.", "date": "2020-12-01", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0088", "package": "magnetic", "title": "MPMCConsumer/Producer allows sending non-Send type across threads", "date": "2020-11-29", "patched_versions": [ ">= 2.0.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0142", "package": "syncpool", "title": "Send bound needed on T (for Send impl of `Bucket2`)", "date": "2020-11-29", "patched_versions": [ ">= 0.1.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0075", "package": "branca", "title": "Unexpected panic when decoding tokens", "date": "2020-11-29", "patched_versions": [ ">= 0.10.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0074", "package": "pyo3", "title": "Reference counting error in `From>`", "date": "2020-11-28", "patched_versions": [ ">= 0.12.4" ], "commit_sha": "1ee3961a0de6a74a4c5160c97a88696a2164025b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0117", "package": "conqueue", "title": "QueueSender/QueueReceiver: Send/Sync impls need `T: Send`", "date": "2020-11-24", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0128", "package": "cache", "title": "Cache: Send/Sync impls needs trait bounds on `K`", "date": "2020-11-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0125", "package": "convec", "title": "convec::ConVec unconditionally implements Send/Sync", "date": "2020-11-24", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0071", "package": "time", "title": "Potential segfault in the time crate", "date": "2020-11-18", "patched_versions": [ ">= 0.2.23" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0135", "package": "slock", "title": "Slock allows sending non-Send types across thread boundaries", "date": "2020-11-17", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0119", "package": "ticketed_lock", "title": "ReadTicket and WriteTicket should only be sendable when T is Send", "date": "2020-11-17", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0087", "package": "try-mutex", "title": "TryMutex allows sending non-Send type across threads", "date": "2020-11-17", "patched_versions": [ ">= 0.3.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0151", "package": "generator", "title": "Generators can cause data races if non-Send types are used in their generator functions", "date": "2020-11-16", "patched_versions": [ ">= 0.7.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0115", "package": "ruspiro-singleton", "title": "Singleton lacks bounds on Send and Sync.", "date": "2020-11-16", "patched_versions": [ ">= 0.4.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0149", "package": "appendix", "title": "Data race and memory safety issue in `Index`", "date": "2020-11-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0126", "package": "signal-simple", "title": "SyncChannel can move 'T: !Send' to other threads", "date": "2020-11-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0136", "package": "toolshed", "title": "CopyCell lacks bounds on its Send trait allowing for data races", "date": "2020-11-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0133", "package": "scottqueue", "title": "Queue should have a Send bound on its Send/Sync traits", "date": "2020-11-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0116", "package": "unicycle", "title": "PinSlab and Unordered need bounds on their Send/Sync traits", "date": "2020-11-15", "patched_versions": [ ">= 0.7.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0134", "package": "parc", "title": "`LockWeak` allows to create data race to `T`.", "date": "2020-11-14", "patched_versions": [], "commit_sha": "5e43ee86e6a67153ff65da2051f6eb0a77f2c6b8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0131", "package": "rcu_cell", "title": "Send/Sync bound needed on T for Send/Sync impl of RcuCell", "date": "2020-11-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0092", "package": "concread", "title": "Send/Sync bound needed on V in `impl Send/Sync for ARCache`", "date": "2020-11-13", "patched_versions": [ ">= 0.2.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0080", "package": "miow", "title": "`miow` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2020-11-13", "patched_versions": [ "^ 0.2.2", ">= 0.3.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0073", "package": "image", "title": "Mutable reference with immutable provenance", "date": "2020-11-12", "patched_versions": [ ">= 0.23.12" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0130", "package": "bunch", "title": "Bunch unconditionally implements Send/Sync", "date": "2020-11-12", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0069", "package": "lettre", "title": "Argument injection in sendmail transport", "date": "2020-11-11", "patched_versions": [ ">= 0.10.0-alpha.4", "< 0.10.0-alpha.1, >= 0.9.5", "< 0.9.0, >= 0.8.4", "< 0.8.0, >= 0.7.1" ], "commit_sha": "4a9d4fbf7e0ab66041a53f19f8c64fb4d5baf4a1", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0140", "package": "model", "title": "`Shared` can cause a data race", "date": "2020-11-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0107", "package": "hashconsing", "title": "hashconsing's HConsed lacks Send/Sync bound for its Send/Sync trait.", "date": "2020-11-10", "patched_versions": [ ">= 1.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0137", "package": "lever", "title": "AtomicBox lacks bound on its Send and Sync traits allowing data races", "date": "2020-11-10", "patched_versions": [ ">= 0.1.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0102", "package": "late-static", "title": "LateStatic has incorrect Sync bound", "date": "2020-11-10", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0121", "package": "abox", "title": "AtomicBox implements Send/Sync for any `T: Sized`", "date": "2020-11-10", "patched_versions": [ ">= 0.4.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0120", "package": "libsbc", "title": "`Decoder` can carry `R: !Send` to other threads", "date": "2020-11-10", "patched_versions": [ ">= 0.1.5" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0111", "package": "may_queue", "title": "may_queue's Queue lacks Send/Sync bound for its Send/Sync trait.", "date": "2020-11-10", "patched_versions": [ ">= 0.1.8" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0159", "package": "chrono", "title": "Potential segfault in `localtime_r` invocations", "date": "2020-11-10", "patched_versions": [ ">=0.4.20" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0096", "package": "im", "title": "TreeFocus lacks bounds on its Send and Sync traits", "date": "2020-11-09", "patched_versions": [ ">= 15.1.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0070", "package": "lock_api", "title": "Some lock_api lock guard objects can cause data races", "date": "2020-11-08", "patched_versions": [ ">= 0.4.2" ], "commit_sha": "7de94f95f519d8281cb48457964065b463d26736", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0068", "package": "multihash", "title": "Unexpected panic in multihash `from_slice` parsing code", "date": "2020-11-08", "patched_versions": [ ">= 0.11.3" ], "commit_sha": "be17038714fc702ee96b7abbadb594095f9b0c88", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0078", "package": "net2", "title": "`net2` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2020-11-07", "patched_versions": [ ">= 0.2.36" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0079", "package": "socket2", "title": "`socket2` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2020-11-06", "patched_versions": [ ">= 0.3.16" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0163", "package": "term_size", "title": "`term_size` is unmaintained; use `terminal_size` instead", "date": "2020-11-03", "patched_versions": [], "commit_sha": "5889fdc589d267182cc946faa24e0e3166a70000", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0064", "package": "ffi_utils", "title": "crate has been renamed to `sn_ffi_utils`", "date": "2020-11-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0145", "package": "heapless", "title": "Use-after-free when cloning a partially consumed `Vec` iterator", "date": "2020-11-02", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0065", "package": "fake_clock", "title": "crate has been renamed to `sn_fake_clock`", "date": "2020-11-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0067", "package": "quic-p2p", "title": "crate has been renamed to `qp2p`", "date": "2020-11-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0076", "package": "routing", "title": "crate has been renamed to `sn_routing`", "date": "2020-11-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0063", "package": "safe-nd", "title": "crate has been renamed to `safe-nd`", "date": "2020-11-02", "patched_versions": [], "commit_sha": "ab73c1a9e325b5bb3230aaea294fc7f9a75f37d3", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0081", "package": "mio", "title": "`mio` invalidly assumes the memory layout of std::net::SocketAddr", "date": "2020-11-02", "patched_versions": [ ">= 0.7.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0066", "package": "safe_bindgen", "title": "crate has been renamed to `sn_bindgen`", "date": "2020-11-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0072", "package": "futures-intrusive", "title": "GenericMutexGuard allows data races of non-Sync types across threads", "date": "2020-10-31", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0113", "package": "atomic-option", "title": "AtomicOption should have Send + Sync bound on its type argument.", "date": "2020-10-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0122", "package": "beef", "title": "beef::Cow lacks a Sync bound on its Send trait allowing for data races", "date": "2020-10-28", "patched_versions": [ ">= 0.5.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0059", "package": "futures-util", "title": "MutexGuard::map can cause a data race in safe code", "date": "2020-10-22", "patched_versions": [ ">= 0.3.7" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0058", "package": "stream-cipher", "title": "crate has been renamed to `cipher`", "date": "2020-10-15", "patched_versions": [], "commit_sha": "5fcffeb4b1a817a3f3954d0047a205013ac502e4", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0057", "package": "block-cipher", "title": "crate has been renamed to `cipher`", "date": "2020-10-15", "patched_versions": [], "commit_sha": "5fcffeb4b1a817a3f3954d0047a205013ac502e4", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0051", "package": "rustsec", "title": "Obsolete versions of the `rustsec` crate do not support the new V3 advisory format", "date": "2020-10-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0050", "package": "dync", "title": "VecCopy allows misaligned access to elements", "date": "2020-09-27", "patched_versions": [ ">= 0.5.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0047", "package": "array-queue", "title": "array_queue pop_back() may cause a use-after-free", "date": "2020-09-26", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0043", "package": "ws", "title": "Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory", "date": "2020-09-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0042", "package": "stack", "title": "Missing check in ArrayVec leads to out-of-bounds write.", "date": "2020-09-24", "patched_versions": [ ">= 0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0044", "package": "atom", "title": "Unsafe Send implementation in Atom allows data races", "date": "2020-09-21", "patched_versions": [ ">= 0.3.6" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0041", "package": "sized-chunks", "title": "Multiple soundness issues in Chunk and InlineArray", "date": "2020-09-06", "patched_versions": [ ">= 0.6.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0166", "package": "personnummer", "title": "personnummer Input validation error", "date": "2020-09-04", "patched_versions": [ ">= 3.0.1" ], "commit_sha": "11c3b0491b70449fb790056585ad3251b0e23acb", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0060", "package": "futures-task", "title": "futures_task::waker may cause a use-after-free if used on a type that isn't 'static", "date": "2020-09-04", "patched_versions": [ ">= 0.3.6" ], "commit_sha": "4d54611f93cecab7fb6072db436064e92fefb5e2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0039", "package": "simple-slab", "title": "`index()` allows out-of-bound read and `remove()` has off-by-one error", "date": "2020-09-03", "patched_versions": [ ">= 0.3.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0038", "package": "ordnung", "title": "Memory safety issues in `compact::Vec`", "date": "2020-09-03", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0040", "package": "obstack", "title": "Obstack generates unaligned references", "date": "2020-09-03", "patched_versions": [ ">= 0.1.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0037", "package": "crayon", "title": "Misbehaving `HandleLike` implementation can lead to memory safety violation", "date": "2020-08-31", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0164", "package": "cell-project", "title": "`cell-project` used incorrect variance when projecting through `&Cell`", "date": "2020-08-27", "patched_versions": [ ">= 0.1.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0034", "package": "arr", "title": "Multiple security issues including data race, buffer overflow, and uninitialized memory drop", "date": "2020-08-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0035", "package": "chunky", "title": "Chunk API does not respect align requirement", "date": "2020-08-25", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0032", "package": "alpm-rs", "title": "StrcCtx deallocates a memory region that it doesn't own", "date": "2020-08-20", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0030", "package": "mozwire", "title": "Missing sanitization in mozwire allows local file overwrite of files ending in .conf", "date": "2020-08-18", "patched_versions": [ "> 0.4.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0168", "package": "mach", "title": "mach is unmaintained", "date": "2020-07-14", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0165", "package": "mozjpeg", "title": "mozjpeg DecompressScanlines::read_scanlines is Unsound", "date": "2020-07-04", "patched_versions": [ ">= 0.8.19" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0052", "package": "crossbeam-channel", "title": "Undefined Behavior in bounded channel", "date": "2020-06-26", "patched_versions": [ ">= 0.4.4" ], "commit_sha": "772b4f34eb574ab6ae058bd068545dc739196f6b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0026", "package": "linked-hash-map", "title": "linked-hash-map creates uninitialized NonNull pointer", "date": "2020-06-23", "patched_versions": [ ">= 0.5.3" ], "commit_sha": "4f681be6f3b1b2c7d67647ce3abbe48470e20855", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0167", "package": "pnet_packet", "title": "`pnet_packet` buffer overrun in `set_payload` setters", "date": "2020-06-19", "patched_versions": [ ">= 0.27.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0031", "package": "tiny_http", "title": "HTTP Request smuggling through malformed Transfer Encoding headers", "date": "2020-06-16", "patched_versions": [ ">= 0.8.0", "^0.6.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0029", "package": "rgb", "title": "Allows viewing and modifying arbitrary structs as bytes", "date": "2020-06-14", "patched_versions": [ ">= 0.8.20" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0027", "package": "traitobject", "title": "traitobject assumes the layout of fat pointers", "date": "2020-06-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0100", "package": "sys-info", "title": "Double free when calling `sys_info::disk_info` from multiple threads", "date": "2020-05-31", "patched_versions": [ ">= 0.8.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0017", "package": "internment", "title": "Use after free in ArcIntern::drop", "date": "2020-05-28", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0028", "package": "rocket", "title": "`LocalRequest::clone` creates multiple mutable references to the same object", "date": "2020-05-27", "patched_versions": [ ">= 0.4.5" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0018", "package": "block-cipher-trait", "title": "crate has been renamed to `block-cipher`", "date": "2020-05-26", "patched_versions": [], "commit_sha": "0af45181b907d66c93a1b1eaf43f36ceef040f8b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0019", "package": "tokio-rustls", "title": "tokio-rustls reads may cause excessive memory usage", "date": "2020-05-19", "patched_versions": [ ">= 0.12.3, < 0.13.0", ">= 0.13.1" ], "commit_sha": "3be701cefb573341db74254f137a4d54aefa44ce", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0021", "package": "rio", "title": "rio allows a use-after-free buffer access when a future is leaked", "date": "2020-05-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0025", "package": "bigint", "title": "bigint is unmaintained, use uint instead", "date": "2020-05-07", "patched_versions": [], "commit_sha": "7e71521a61b009afc94c91135353102658550d42", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0056", "package": "stdweb", "title": "stdweb is unmaintained", "date": "2020-05-04", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0061", "package": "futures-task", "title": "futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer", "date": "2020-05-03", "patched_versions": [ ">= 0.3.5" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0036", "package": "failure", "title": "failure is officially deprecated/unmaintained", "date": "2020-05-02", "patched_versions": [], "commit_sha": "135e2a3b9af422d9a9dc37ce7c69354c9b36e94b", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0016", "package": "net2", "title": "`net2` crate has been deprecated; use `socket2` instead", "date": "2020-05-01", "patched_versions": [], "commit_sha": "3350e3819adf151709047e93f25583a5df681091", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0012", "package": "os_str_bytes", "title": "Relies on undefined behavior of `char::from_u32_unchecked`", "date": "2020-04-24", "patched_versions": [ ">= 2.0.0" ], "commit_sha": "2a5a2053bfabdb3ac1aa78e6d2cefc5c2c941984", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0009", "package": "flatbuffers", "title": "`read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks", "date": "2020-04-11", "patched_versions": [ ">= 2.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0146", "package": "generic-array", "title": "arr! macro erases lifetimes", "date": "2020-04-09", "patched_versions": [ ">= 0.8.4, < 0.9.0", ">= 0.9.1, < 0.10.0", ">= 0.10.1, < 0.11.0", ">= 0.11.2, < 0.12.0", ">= 0.12.4, < 0.13.0", ">= 0.13.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0007", "package": "bitvec", "title": "use-after or double free of allocated memory", "date": "2020-03-27", "patched_versions": [ ">= 0.17.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0006", "package": "bumpalo", "title": "Flaw in `realloc` allows reading unknown memory", "date": "2020-03-24", "patched_versions": [ ">= 3.2.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0008", "package": "hyper", "title": "Flaw in hyper allows request smuggling by sending a body in GET requests", "date": "2020-03-19", "patched_versions": [ ">= 0.12.34" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0005", "package": "cbox", "title": "CBox API allows to de-reference raw pointers without `unsafe` code", "date": "2020-03-19", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0010", "package": "tiberius", "title": "tiberius is unmaintained", "date": "2020-02-28", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0147", "package": "rulinalg", "title": "rulinalg is unmaintained, use nalgebra instead", "date": "2020-02-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0023", "package": "rulinalg", "title": "Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect", "date": "2020-02-11", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0144", "package": "lzw", "title": "lzw is unmaintained", "date": "2020-02-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0158", "package": "slice-deque", "title": "slice-deque is unmaintained", "date": "2020-02-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0169", "package": "multi_mut", "title": "multi_mut is Unmaintained", "date": "2020-02-07", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0162", "package": "tokio-proto", "title": "`tokio-proto` is deprecated/unmaintained", "date": "2020-02-06", "patched_versions": [], "commit_sha": "56c720ea3c74efa8f39e36c24e609628222b16a1", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0049", "package": "actix-codec", "title": "Use-after-free in Framed due to lack of pinning", "date": "2020-01-30", "patched_versions": [ ">= 0.3.0-beta.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0004", "package": "lucet-runtime-internals", "title": "sigstack allocation bug can cause memory corruption or leak", "date": "2020-01-24", "patched_versions": [ "< 0.5.0, >= 0.4.3", ">= 0.5.1" ], "commit_sha": "a88bb29c27c9ab834726eaf0d35e3a6cf4bc1d68", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0062", "package": "futures-util", "title": "Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption", "date": "2020-01-24", "patched_versions": [ ">= 0.3.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0048", "package": "actix-http", "title": "Use-after-free in BodyStream due to lack of pinning", "date": "2020-01-24", "patched_versions": [ ">= 2.0.0-alpha.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0123", "package": "libp2p-deflate", "title": "Contents of uninitialized memory exposed in DeflateOutput's AsyncRead implementation", "date": "2020-01-24", "patched_versions": [ ">= 0.27.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0160", "package": "shamir", "title": "Threshold value is ignored (all shares are n=3)", "date": "2020-01-21", "patched_versions": [ ">= 2.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0003", "package": "rust_sodium", "title": "rust_sodium is unmaintained; switch to a modern alternative", "date": "2020-01-20", "patched_versions": [], "commit_sha": "62ee6de8dfdd8890283f4170056b0eb3fcf184fc", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0002", "package": "prost", "title": "Parsing a specially crafted message can result in a stack overflow", "date": "2020-01-16", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0046", "package": "actix-service", "title": "bespoke Cell implementation allows obtaining several mutable references to the same data", "date": "2020-01-08", "patched_versions": [ ">= 1.0.6" ], "commit_sha": "a67e38b4a07c92a3c81fa833f9eb1e91e74e39b7", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0045", "package": "actix-utils", "title": "bespoke Cell implementation allows obtaining several mutable references to the same data", "date": "2020-01-08", "patched_versions": [ ">= 2.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2020-0001", "package": "trust-dns-server", "title": "Stack overflow when resolving additional records from MX or SRV null targets", "date": "2020-01-06", "patched_versions": [ ">= 0.18.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0031", "package": "spin", "title": "spin is no longer actively maintained", "date": "2019-11-21", "patched_versions": [], "commit_sha": "7516c8037d3d15712ba4d8499ab075e97a19d778", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0033", "package": "http", "title": "Integer Overflow in HeaderMap::reserve() can cause Denial of Service", "date": "2019-11-16", "patched_versions": [ ">= 0.1.20" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0036", "package": "failure", "title": "Type confusion if __private_get_type_id__ is overridden", "date": "2019-11-13", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0029", "package": "chacha20", "title": "ChaCha20 counter overflow can expose repetitions in the keystream", "date": "2019-10-22", "patched_versions": [ ">= 0.2.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0028", "package": "flatbuffers", "title": "Unsound `impl Follow for bool`", "date": "2019-10-20", "patched_versions": [ ">= 0.6.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0026", "package": "sodiumoxide", "title": "generichash::Digest::eq always return true", "date": "2019-10-11", "patched_versions": [ ">= 0.2.5" ], "commit_sha": "fae052b834b097ced9a89a8fff8466e18f383070", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0024", "package": "rustsec-example-crate", "title": "Test advisory with associated example crate", "date": "2019-10-08", "patched_versions": [ ">= 1.0.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0030", "package": "streebog", "title": "Incorrect implementation of the Streebog hash functions", "date": "2019-10-06", "patched_versions": [ ">= 0.8.0" ], "commit_sha": "9695573914ad96f234ecabf9ecee2dbb3a6a36ed", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0022", "package": "portaudio-rs", "title": "Stream callback function is not unwind safe", "date": "2019-09-14", "patched_versions": [ "> 0.3.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0021", "package": "linea", "title": "`Matrix::zip_elements` causes double free", "date": "2019-09-14", "patched_versions": [ "> 0.9.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0020", "package": "generator", "title": "fix unsound APIs that could lead to UB", "date": "2019-09-06", "patched_versions": [ ">= 0.6.18" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0018", "package": "renderdoc", "title": "Internally mutating methods take immutable ref self", "date": "2019-09-02", "patched_versions": [ ">= 0.5.0" ], "commit_sha": "22351fe532cf480e26a7ad8717d86a023da8f1d6", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0016", "package": "chttp", "title": "Use-after-free in buffer conversion implementation", "date": "2019-09-01", "patched_versions": [ ">= 0.1.3" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0017", "package": "once_cell", "title": "Panic during initialization of Lazy might trigger undefined behavior", "date": "2019-09-01", "patched_versions": [ ">= 1.0.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0013", "package": "spin", "title": "Wrong memory orderings in RwLock potentially violates mutual exclusion", "date": "2019-08-27", "patched_versions": [ ">= 0.5.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0019", "package": "blake2", "title": "HMAC-BLAKE2 algorithms compute incorrect results", "date": "2019-08-25", "patched_versions": [ ">= 0.8.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0023", "package": "string-interner", "title": "Cloned interners may read already dropped strings", "date": "2019-08-24", "patched_versions": [ "^0.6.4", ">= 0.7.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0014", "package": "image", "title": "Flaw in interface may drop uninitialized instance of arbitrary types", "date": "2019-08-21", "patched_versions": [ ">= 0.21.3" ], "commit_sha": "214e6467a1e32e690f08f0b34dea540625b6724c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0012", "package": "smallvec", "title": "Memory corruption in SmallVec::grow()", "date": "2019-07-19", "patched_versions": [ ">= 0.6.10" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0011", "package": "memoffset", "title": "Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code", "date": "2019-07-16", "patched_versions": [ ">= 0.5.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0010", "package": "libflate", "title": "MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code", "date": "2019-07-04", "patched_versions": [ ">= 0.1.25" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0008", "package": "simd-json", "title": "Flaw in string parsing can lead to crashes due to invalid memory access.", "date": "2019-06-24", "patched_versions": [ ">= 0.1.15" ], "commit_sha": "32fcd779cf20f14902b3dd11ced83d9611fb821f", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0040", "package": "boxfnonce", "title": "`boxfnonce` obsolete with release of Rust 1.35.0", "date": "2019-06-20", "patched_versions": [], "commit_sha": "058ac7e1a7d732076da9d8a37baa66bcb67758d8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0005", "package": "pancurses", "title": "Format string vulnerabilities in `pancurses`", "date": "2019-06-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0006", "package": "ncurses", "title": "Buffer overflow and format vulnerabilities in functions exposed without unsafe", "date": "2019-06-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0007", "package": "asn1_der", "title": "Processing of maliciously crafted length fields causes memory allocation SIGABRTs", "date": "2019-06-13", "patched_versions": [ ">= 0.6.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0037", "package": "pnet", "title": "Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT", "date": "2019-06-11", "patched_versions": [ ">= 0.27.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0003", "package": "protobuf", "title": "Out of Memory in stream::read_raw_bytes_into()", "date": "2019-06-08", "patched_versions": [ "^1.7.5", ">= 2.6.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0009", "package": "smallvec", "title": "Double-free and use-after-free in SmallVec::grow()", "date": "2019-06-06", "patched_versions": [ ">= 0.6.10" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0015", "package": "compact_arena", "title": "Flaw in generativity allows out-of-bounds access", "date": "2019-05-21", "patched_versions": [ ">= 0.4.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0002", "package": "slice-deque", "title": "Bug in SliceDeque::move_head_unchecked corrupts its memory", "date": "2019-05-07", "patched_versions": [ ">= 0.2.0" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0039", "package": "typemap", "title": "typemap is Unmaintained", "date": "2019-04-06", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2019-0038", "package": "libpulse-binding", "title": "Fix for UB in failure to catch panics crossing FFI boundaries", "date": "2019-03-10", "patched_versions": [ ">= 2.6.0" ], "commit_sha": "7fd282aef7787577c385aed88cb25d004b85f494", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0012", "package": "orion", "title": "Flaw in streaming state reset() functions can create incorrect results.", "date": "2018-12-20", "patched_versions": [ ">= 0.11.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0011", "package": "arrayfire", "title": "Enum repr causing potential memory corruption", "date": "2018-12-18", "patched_versions": [ ">= 3.6.0" ], "commit_sha": "a5256f3e5e23b83eaad69699e0b04653aba04fb8", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0009", "package": "crossbeam", "title": "MsQueue and SegQueue suffer from double-free", "date": "2018-12-09", "patched_versions": [ ">= 0.4.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0008", "package": "slice-deque", "title": "Bug in SliceDeque::move_head_unchecked allows read of corrupted memory", "date": "2018-12-05", "patched_versions": [ ">= 0.1.16" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0013", "package": "safe-transmute", "title": "Vec-to-vec transmutations could lead to heap overflow/corruption", "date": "2018-11-27", "patched_versions": [ ">= 0.10.1" ], "commit_sha": "a134e06d740f9d7c287f74c0af2cd06206774364", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0015", "package": "term", "title": "term is looking for a new maintainer", "date": "2018-11-19", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0018", "package": "smallvec", "title": "smallvec creates uninitialized value of any type", "date": "2018-09-25", "patched_versions": [ ">= 0.6.13" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0006", "package": "yaml-rust", "title": "Uncontrolled recursion leads to abort in deserialization", "date": "2018-09-17", "patched_versions": [ ">= 0.4.1" ], "commit_sha": "7eb6b6afa9b1e3122f4a1ca06ec8390496eb3d57", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0005", "package": "serde_yaml", "title": "Uncontrolled recursion leads to abort in deserialization", "date": "2018-09-17", "patched_versions": [ ">= 0.8.4" ], "commit_sha": "41d58237a733051603069d1249c549cc8b6dada0", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0004", "package": "claxon", "title": "Malicious input could cause uninitialized memory to be exposed", "date": "2018-08-25", "patched_versions": [ "^0.3.2", ">= 0.4.1" ], "commit_sha": "8f28ec275e412dd3af4f3cda460605512faf332c", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0022", "package": "temporary", "title": "Use of uninitialized memory in temporary", "date": "2018-08-22", "patched_versions": [ ">= 0.6.4" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0014", "package": "chan", "title": "chan is end-of-life; use crossbeam-channel instead", "date": "2018-07-31", "patched_versions": [], "commit_sha": "0a5c0d4ad4adc90a54ee04a427389acf2e157275", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0003", "package": "smallvec", "title": "Possible double free during unwinding in SmallVec::insert_many", "date": "2018-07-19", "patched_versions": [ ">= 0.6.3", "^0.3.4", "^0.4.5", "^0.5.1" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0016", "package": "quickersort", "title": "quickersort is deprecated and unmaintained", "date": "2018-06-30", "patched_versions": [], "commit_sha": "0bc164366315801f0c6b31f4081b7df9fc894076", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0002", "package": "tar", "title": "Links in archives can overwrite any existing file", "date": "2018-06-29", "patched_versions": [ ">= 0.4.16" ], "commit_sha": "54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0001", "package": "untrusted", "title": "An integer underflow could lead to panic", "date": "2018-06-21", "patched_versions": [ ">= 0.6.2" ], "commit_sha": "1cf31901e7220af96c05fcb505978757fdae4a77", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0019", "package": "actix-web", "title": "Multiple memory safety issues", "date": "2018-06-08", "patched_versions": [ ">= 0.7.15" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0010", "package": "openssl", "title": "Use after free in CMS Signing", "date": "2018-06-01", "patched_versions": [ ">= 0.10.9" ], "commit_sha": "63afe3016c5c3e615dca2fd27a5ed09a4a025359", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2018-0017", "package": "tempdir", "title": "`tempdir` crate has been deprecated; use `tempfile` instead", "date": "2018-02-13", "patched_versions": [], "commit_sha": "bad6689835d1e4a836cc7e936a270459f84520a2", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0006", "package": "rmpv", "title": "Unchecked vector pre-allocation", "date": "2017-11-21", "patched_versions": [ ">= 0.4.2" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0008", "package": "serial", "title": "`serial` crate is unmaintained", "date": "2017-07-02", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0005", "package": "cookie", "title": "Large cookie Max-Age values can cause a denial of service", "date": "2017-05-06", "patched_versions": [ "< 0.6.0", "^0.6.2", ">= 0.7.6" ], "commit_sha": "958785422bbc7d683bce4b3f9a91318b0386310d", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0004", "package": "base64", "title": "Integer overflow leads to heap-based buffer overflow in encode_config_buf", "date": "2017-05-03", "patched_versions": [ ">= 0.5.2" ], "commit_sha": "24ead980daf11ba563e4fb2516187a56a71ad319", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0003", "package": "security-framework", "title": "Hostname verification skipped when custom root certs used", "date": "2017-03-15", "patched_versions": [ ">= 0.1.12" ], "commit_sha": "fec804cdb8d5e3cc5c78e0c7cb0317121d2b5dcf", "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2017-0001", "package": "sodiumoxide", "title": "scalarmult() vulnerable to degenerate public keys", "date": "2017-01-26", "patched_versions": [ ">= 0.0.14" ], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2016-0006", "package": "cassandra", "title": "`cassandra` crate is unmaintained; use `cassandra-cpp` instead", "date": "2016-12-15", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2016-0004", "package": "libusb", "title": "libusb is unmaintained; use rusb instead", "date": "2016-09-10", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2016-0005", "package": "rust-crypto", "title": "rust-crypto is unmaintained; switch to a modern alternative", "date": "2016-09-06", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] }, { "advisory_id": "RUSTSEC-2016-0003", "package": "portaudio", "title": "HTTP download and execution allows MitM RCE", "date": "2016-08-01", "patched_versions": [], "commit_sha": null, "vulnerable_symbols": [] } ] }