advisory-db
Security advisory database for Rust crates published through crates.io
This came up via: https://github.com/clap-rs/clap/issues/1569 The specific case is that `clap` is pulling in `rust-yaml`, which has [RUSTSEC-2018-0006](https://rustsec.org/advisories/RUSTSEC-2018-0006.html). They use the vulnerable API, but not in a way that triggers the...
[cargo](https://crates.io/crates/cargo) latest version is `0.57`; the CVE marks as insecure any version before `1.26`. Please change the db to point to `0.25` instead.
https://lib.rs/crates/fast-floats The crate exposes the `fadd_fast` (and similar) intrinsics to safe code behind the operator traits: https://docs.rs/fast-floats/0.1.2/src/fast_floats/lib.rs.html#93-101 This is unsound because using NAN as an argument to one of those...
The `hexchat` crate has these 'safe' macros: https://github.com/pie-flavor/hexchat-rs/blob/master/src/safe_static.rs As the crate itself states, using them with threads is undefined/unsound.
See: https://github.com/reem/rust-traitobject/issues/7 A maintained fork can be found at [`destructured_traitobject`](https://github.com/philip-peterson/destructure_traitobject#author).
A small number of advisories (for example [RUSTSEC-2020-0053](https://github.com/RustSec/advisory-db/blob/main/crates/dirs/RUSTSEC-2020-0053.md)) contain: `yanked = true` The meaning of the key is not documented in the [Advisory Format](https://github.com/RustSec/advisory-db#advisory-format) section of the README. Best I...
See: https://gitlab.redox-os.org/redox-os/rusttype/-/issues/148 The author says they don't plan on making any new releases and suggests their new [`ab_glyph`](https://github.com/alexheretic/ab-glyph) crate as a successor.
Just in case someone uses https://crates.io/crates/totally-safe-transmute, let's have a permanent advisory against it so that cargo-audit can flag it.
I am not familiar with RustSec, but this probably should be here? https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
https://github.com/RustyYato/out-ref/issues/1 There was no change for the past two years; however, I'm not eager to declare a small crate with a single specific job unmaintained if it works. So I'd...