VYPR

rpm package

opensuse/cargo-audit-advisory-db&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/cargo-audit-advisory-db&distro=openSUSE%20Tumbleweed

Vulnerabilities (15)

  • CVE-2025-62370 · High · Oct 15, 2025
    affected: < 20251021-1.1 · fixed: 20251021-1.1

    Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Software with high availability requirements s

  • CVE-2025-27591 · Mar 11, 2025
    affected: < 20260213-1.1 · fixed: 20260213-1.1

    A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files suc

  • CVE-2024-52813 · Medium · Jan 7, 2025
    affected: < 20250204-1.1 · fixed: 20250204-1.1

    matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause

  • CVE-2024-47609 · Medium · Oct 1, 2024
    affected: < 20241030-1.1 · fixed: 20241030-1.1

    Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out

  • CVE-2024-40648 · Medium · Jul 18, 2024
    affected: < 20240730-1.1 · fixed: 20240730-1.1

    matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and

  • CVE-2024-34063 · Low · May 3, 2024
    affected: < 20240528-1.1 · fixed: 20240528-1.1

    vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a fe

  • CVE-2024-28854 · Mar 15, 2024
    affected: < 20240528-1.1 · fixed: 20240528-1.1

    tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 `TcpStream`s a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service

  • CVE-2023-49092 · Nov 28, 2023
    affected: < 20231219-1.1 · fixed: 20231219-1.1

    RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key

  • CVE-2022-3786 · High · Nov 1, 2022
    affected: < 20221102-1.1 · fixed: 20221102-1.1

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue ce

  • CVE-2022-3602 · High · Nov 1, 2022
    affected: < 20221102-1.1 · fixed: 20221102-1.1

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue

  • CVE-2022-36086 · Sep 7, 2022
    affected: < 20221102-1.1 · fixed: 20221102-1.1

    linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller tha

  • CVE-2022-24791 · Mar 31, 2022
    affected: < 20220420-1.1 · fixed: 20220420-1.1

    Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is d

  • CVE-2022-0778 · High · Mar 15, 2022
    affected: < 20220323-1.1 · fixed: 20220323-1.1

    The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curv

  • CVE-2021-32629 · May 24, 2021
    affected: < 20210802-1.2 · fixed: 20210802-1.2

    Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential

  • CVE-2020-8927 · Sep 15, 2020
    affected: < 20220105-1.1 · fixed: 20220105-1.1

    A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to upda