Security update for cargo-auditable SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0514-1 Final 1 1 2026-02-13T14:57:18Z current 2026-02-13T14:57:18Z 2026-02-13T14:57:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cargo-auditable This update for cargo-auditable fixes the following issues: Update to version 0.7.2~0. Security issues fixed: - CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906). Other updates and bugfixes: - Update to version 0.7.2~0: * mention cargo-dist in README * commit Cargo.lock * bump which dev-dependency to 8.0.0 * bump object to 0.37 * Upgrade cargo_metadata to 0.23 * Expand the set of dist platforms in config - Update to version 0.7.1~0: * Out out of unhelpful clippy lint * Satisfy clippy * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't * Run apt-get update before trying to install packages * run `cargo dist init` on dist 0.30 * Drop allow-dirty from dist config, should no longer be needed * Reorder paragraphs in README * Note the maintenance transition for the go extraction library * Editing pass on the adopters: scanners * clarify Docker support * Cargo clippy fix * Add Wolfi OS and Chainguard to adopters * Update mentions around Anchore tooling * README and documentation updates for nightly * Bump dependency version in rust-audit-info * More work on docs * Nicer formatting on format revision documentation * Bump versions * regenerate JSON schema * cargo fmt * Document format field * Make it more clear that RawVersionInfo is private * Add format field to the serialized data * cargo clippy fix * Add special handling for proc macros to treat them as the build dependencies they are * Add a test to ensure proc macros are reported as build dependencies * Add a test fixture for a crate with a proc macro dependency * parse fully qualified package ID specs from SBOMs * select first discovered SBOM file * cargo sbom integration * Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out * Don't fail plan workflow due to manually changed release.yml * Bump Ubuntu version to hopefully fix release.yml workflow * Add test for stripped binary * Bump version to 0.6.7 * Populate changelog * README.md: add auditable2cdx, more consistency in text * Placate clippy * Do not emit -Wl if a bare linker is in use * Get rid of a compiler warning * Add bare linker detection function * drop boilerplate from test that's no longer relevant * Add support for recovering rustc codegen options * More lenient parsing of rustc arguments * More descriptive error message in case rustc is killed abruptly * change formatting to fit rustfmt * More descriptive error message in case cargo is killed * Update REPLACING_CARGO.md to fix #195 * Clarify osv-scanner support in README * Include the command required to view metadata * Mention wasm-tools support * Switch from broken generic cache action to a Rust-specific one * Fill in various fields in auditable2cdx Cargo.toml * Include osv-scanner in the list, with a caveat * Add link to blint repo to README * Mention that blint supports our data * Consolidate target definitions * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that * Migrate to a maintained toolchain action * Fix author specification * Add link to repository to resolverver Cargo.toml * Bump resolverver to 0.1.0 * Add resolverver crate to the tree - Update to version 0.6.6~0: * Note the `object` upgrade in the changelog * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint * Update dependencies in the lock file * Populate changelog * apply clippy lint * add another --emit parsing test * shorter code with cargo fmt * Actually fix cargo-c compatibility * Attempt to fix cargo-capi incompatibility * Refactoring in preparation for fixes * Also read the --emit flag to rustc * Fill in changelogs * Bump versions * Drop cfg'd out tests * Drop obsolete doc line * Move dependency cycle tests from auditable-serde to cargo-auditable crate * Remove cargo_metadata from auditable-serde API surface. * Apply clippy lint * Upgrade miniz_oxide to 0.8.0 * Insulate our semver from miniz_oxide semver * Add support for Rust 2024 edition * Update tests * More robust OS detection for riscv feature detection * bump version * update changelog for auditable-extract 0.3.5 * Fix wasm component auditable data extraction * Update blocker description in README.md * Add openSUSE to adopters * Update list of know adopters * Fix detection of `riscv64-linux-android` target features * Silence noisy lint * Bump version requirement in rust-audit-info * Fill in changelogs * Bump semver of auditable-info * Drop obsolete comment now that wasm is enabled by default * Remove dependency on cargo-lock * Brag about adoption in the README * Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc * Also build musl binaries * dist: update dist config for future releases * dist(cargo-auditable): ignore auditable2cdx for now * chore: add cargo-dist - Update to version 0.6.4~0: * Release cargo-auditable v0.6.4 * Correctly attribute changelog file addition in changelog * Add changelog for auditable-extract * Verify various feature combinations in CI * Upgrade wasmparser to remove dependencies with `unsafe` * Add LoongArch support * cargo fmt * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages * Expand on the note about WebAssembly parsing * Populate changelogs * Resume bragging about all dependencies being safe, now that there is a caveat below * drop fuzz Cargo.lock to always fuzz against latest versions * Bump `cargo auditable` version * Mention WASM support in README * Revert 'Be super duper extra sure both MinGW and MSVC are tested on CI' * Be super duper extra sure both MinGW and MSVC are tested on CI * Add wasm32 targets to CI for more platforms * Don't pass --target twice in tests * Install WASM toolchain in CI * cargo fmt * Add WASM end-to-end test * cargo fmt * Update documentation to mention the WASM feature * cargo fmt * Plumb WASM parsing feature through the whole stack * Make WASM parsing an optional, non-default feature * Add a fuzzing harness for WASM parsing * Rewritten WASM parsing to avoid heap allocations * Initial WASM extraction support * Nicer assertion * Drop obsolete comment * Clarify that embedding the compiler version has shipped. * Fixed section name for WASM * Unified and more robust platform detection. Fixed wasm build process * Initial WASM support * More robust platform detection for picking the binary format * Fix Windows CI to run both -msvc and -gnu * Use the correct link.exe flag for preserving the specified symbol even if it is unused * Fix Windows * Fix tests on Rust 1.77 * Placate clippy * Oopps, I meant components field * Also remove the dependencies field if empty * Use serde_json with order preservation feature to get a more compressible JSON after workarounds * Work around cyclonedx-bom limitations to produce minified JSON * Also record the dependency kind * cyclonedx-bom: also record PURL * Also write the dependency tree * Clear the serial number in the minimal CycloneDX variant * Prototype impl of auditable2cdx * Fill in auditable2cdx dependencies * Initial auditable2cdx boilerplace * add #![forbid(unsafe_code)] * Initial implementation of auditable-to-cyclonedx conversion * Add the necessary dependencies to auditable-cyclonedx * Initial dummy package for auditable-cyclonedx - Update to version 0.6.2~0: * Update the lockfile * New releases of cargo-auditable and auditable-serde * Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions * Revert 'add commit hashes to git sources' * Fix cyclic dependency graph being encoded * Revert 'An unsuccessful attempt to fix cycles caused by dev-dependencies' * An unsuccessful attempt to fix cycles caused by dev-dependencies * Fix typo * Add comment * Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043 * Fix auditable-serde example not building * upgrade dependency miniz_oxide to 0.6.0 * fix formatting errors * apply clippy lints for --all-features * improve the internal docs and comments * apply clippy lints * add missing sources for one of test fixtures * add commit hashes to git sources * Run all tests on CI * cargo fmt * Run `cargo clean` in tests to get rid of stale binaries * Fix date in changelog * Populate changelog * Bump auditable-info version in rust-audit-info * Add auditable-info changelog * Bump versions following cargo-lock bump * auditable-serde: bump `cargo-lock` to v9 * switch to UNRELEASED * Update CHANGELOG.md * Print a better error if calling rustc fails * Drop unused import * placate Clippy * Don't inject audit info if --print argument is passed to rustc * Reflect the version change in Cargo.lock * Remove space from keywords * bump version to 0.6.1 * Fix date in changelog * Update CHANGELOG.md * Add publish=false * Commit the generated manpage * Add the code for generating a manpage; rather rudimentary so far, but it's a starting point * Explain relation to supply chain attacks * Add keywords to the Cargo manifest * Revert 'generate a man page for cargo auditable' * fix formatting * fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file * generate a man page for cargo auditable * Add Clippy suppression * placate clippy * commit Cargo.lock * Sync to latest object file writing code from rustc * Fix examples in docs * Allow redundant field names * Apply clippy suggestion: match -> if let * Check for clippy and format in CI * Apply clippy suggestions * Run CI with --locked - Update to version 0.6.0~0: * README and documentation improvements * Read the rustc path passed by Cargo; fixes #90 * Read location of Cargo from the environment variable Cargo sets for third-party subcommands * Add a note on sccache version compatibility to CHANGELOG.md * Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error * Specifying the binary-scanning feature is no longer needed * Pass options such as --offline to `cargo metadata` * Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83 * Bump rust-audit-info to 0.5.2 * Bump auditable-serde version to 0.5.2 * Correctly fill in the source even in dependency entries when converting to cargo-lock data format * Drop the roundtrip through str in semver::Version * Release auditable-info 0.6.1 * Bump all the version requirements for things depending on auditable-info * Fix audit_info_from_slice function signature The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-514,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260514-1/ Link for SUSE-SU-2026:0514-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024235.html E-Mail link for SUSE-SU-2026:0514-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257906 SUSE Bug 1257906 https://www.suse.com/security/cve/CVE-2026-25727/ SUSE CVE CVE-2026-25727 page SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 cargo-auditable-0.7.2~0-150300.7.6.1 cargo-auditable-0.7.2~0-150300.7.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS cargo-auditable-0.7.2~0-150300.7.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS cargo-auditable-0.7.2~0-150300.7.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS cargo-auditable-0.7.2~0-150300.7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. CVE-2026-25727 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1 SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260514-1/ https://www.suse.com/security/cve/CVE-2026-25727.html CVE-2026-25727 https://bugzilla.suse.com/1257901 SUSE Bug 1257901