SUSE-SU-2026:0505-1

Опубликовано: 13 фев. 2026

Источник: suse-cvrf

Описание

Security update for cargo-auditable

This update for cargo-auditable fixes the following issues:

Update to version 0.7.2~0.

Security issues fixed:

CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).

Other updates and bugfixes:

Update to version 0.7.2~0:
- mention cargo-dist in README
- commit Cargo.lock
- bump which dev-dependency to 8.0.0
- bump object to 0.37
- Upgrade cargo_metadata to 0.23
- Expand the set of dist platforms in config
Update to version 0.7.1~0:
- Out out of unhelpful clippy lint
- Satisfy clippy
- Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
- Run apt-get update before trying to install packages
- run cargo dist init on dist 0.30
- Drop allow-dirty from dist config, should no longer be needed
- Reorder paragraphs in README
- Note the maintenance transition for the go extraction library
- Editing pass on the adopters: scanners
- clarify Docker support
- Cargo clippy fix
- Add Wolfi OS and Chainguard to adopters
- Update mentions around Anchore tooling
- README and documentation updates for nightly
- Bump dependency version in rust-audit-info
- More work on docs
- Nicer formatting on format revision documentation
- Bump versions
- regenerate JSON schema
- cargo fmt
- Document format field
- Make it more clear that RawVersionInfo is private
- Add format field to the serialized data
- cargo clippy fix
- Add special handling for proc macros to treat them as the build dependencies they are
- Add a test to ensure proc macros are reported as build dependencies
- Add a test fixture for a crate with a proc macro dependency
- parse fully qualified package ID specs from SBOMs
- select first discovered SBOM file
- cargo sbom integration
- Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
- Don't fail plan workflow due to manually changed release.yml
- Bump Ubuntu version to hopefully fix release.yml workflow
- Add test for stripped binary
- Bump version to 0.6.7
- Populate changelog
- README.md: add auditable2cdx, more consistency in text
- Placate clippy
- Do not emit -Wl if a bare linker is in use
- Get rid of a compiler warning
- Add bare linker detection function
- drop boilerplate from test that's no longer relevant
- Add support for recovering rustc codegen options
- More lenient parsing of rustc arguments
- More descriptive error message in case rustc is killed abruptly
- change formatting to fit rustfmt
- More descriptive error message in case cargo is killed
- Update REPLACING_CARGO.md to fix #195
- Clarify osv-scanner support in README
- Include the command required to view metadata
- Mention wasm-tools support
- Switch from broken generic cache action to a Rust-specific one
- Fill in various fields in auditable2cdx Cargo.toml
- Include osv-scanner in the list, with a caveat
- Add link to blint repo to README
- Mention that blint supports our data
- Consolidate target definitions
- Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
- Migrate to a maintained toolchain action
- Fix author specification
- Add link to repository to resolverver Cargo.toml
- Bump resolverver to 0.1.0
- Add resolverver crate to the tree
Update to version 0.6.6~0:
- Note the object upgrade in the changelog
- Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
- Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
- Update dependencies in the lock file
- Populate changelog
- apply clippy lint
- add another --emit parsing test
- shorter code with cargo fmt
- Actually fix cargo-c compatibility
- Attempt to fix cargo-capi incompatibility
- Refactoring in preparation for fixes
- Also read the --emit flag to rustc
- Fill in changelogs
- Bump versions
- Drop cfg'd out tests
- Drop obsolete doc line
- Move dependency cycle tests from auditable-serde to cargo-auditable crate
- Remove cargo_metadata from auditable-serde API surface.
- Apply clippy lint
- Upgrade miniz_oxide to 0.8.0
- Insulate our semver from miniz_oxide semver
- Add support for Rust 2024 edition
- Update tests
- More robust OS detection for riscv feature detection
- bump version
- update changelog for auditable-extract 0.3.5
- Fix wasm component auditable data extraction
- Update blocker description in README.md
- Add openSUSE to adopters
- Update list of know adopters
- Fix detection of riscv64-linux-android target features
- Silence noisy lint
- Bump version requirement in rust-audit-info
- Fill in changelogs
- Bump semver of auditable-info
- Drop obsolete comment now that wasm is enabled by default
- Remove dependency on cargo-lock
- Brag about adoption in the README
- Don't use LTO for cargo-dist builds to make them consistent with cargo install etc
- Also build musl binaries
- dist: update dist config for future releases
- dist(cargo-auditable): ignore auditable2cdx for now
- chore: add cargo-dist