Security update for cargo-auditable

Announcement ID: SUSE-SU-2026:0514-1
Release Date: 2026-02-13T14:57:18Z
Rating: important
References:
  • CVE-2026-25727
  • bsc#1257906
CVSS scores:
  • CVE-2026-25727 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-25727 ( NVD ): 6.8 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
  • openSUSE Leap 15.3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP4 LTSS
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves one vulnerability can now be installed.

Description:

This update for cargo-auditable fixes the following issues:

Update to version 0.7.2~0.

Security issues fixed:

  • CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).

Other updates and bugfixes:

  • Update to version 0.7.2~0:
    • mention cargo-dist in README
    • commit Cargo.lock
    • bump which dev-dependency to 8.0.0
    • bump object to 0.37
    • Upgrade cargo_metadata to 0.23
    • Expand the set of dist platforms in config

  • Update to version 0.7.1~0:
    • Opt out of unhelpful clippy lint
    • Satisfy clippy
    • Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
    • Run apt-get update before trying to install packages
    • run cargo dist init on dist 0.30
    • Drop allow-dirty from dist config, should no longer be needed
    • Reorder paragraphs in README
    • Note the maintenance transition for the go extraction library
    • Editing pass on the adopters: scanners
    • clarify Docker support
    • Cargo clippy fix
    • Add Wolfi OS and Chainguard to adopters
    • Update mentions around Anchore tooling
    • README and documentation updates for nightly
    • Bump dependency version in rust-audit-info
    • More work on docs
    • Nicer formatting on format revision documentation
    • Bump versions
    • regenerate JSON schema
    • cargo fmt
    • Document format field
    • Make it more clear that RawVersionInfo is private
    • Add format field to the serialized data
    • cargo clippy fix
    • Add special handling for proc macros to treat them as the build dependencies they are
    • Add a test to ensure proc macros are reported as build dependencies
    • Add a test fixture for a crate with a proc macro dependency
    • parse fully qualified package ID specs from SBOMs
    • select first discovered SBOM file
    • cargo sbom integration
    • Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
    • Don't fail plan workflow due to manually changed release.yml
    • Bump Ubuntu version to hopefully fix release.yml workflow
    • Add test for stripped binary
    • Bump version to 0.6.7
    • Populate changelog
    • README.md: add auditable2cdx, more consistency in text
    • Placate clippy
    • Do not emit -Wl if a bare linker is in use
    • Get rid of a compiler warning
    • Add bare linker detection function
    • drop boilerplate from test that's no longer relevant
    • Add support for recovering rustc codegen options
    • More lenient parsing of rustc arguments
    • More descriptive error message in case rustc is killed abruptly
    • change formatting to fit rustfmt
    • More descriptive error message in case cargo is killed
    • Update REPLACING_CARGO.md to fix #195
    • Clarify osv-scanner support in README
    • Include the command required to view metadata
    • Mention wasm-tools support
    • Switch from broken generic cache action to a Rust-specific one
    • Fill in various fields in auditable2cdx Cargo.toml
    • Include osv-scanner in the list, with a caveat
    • Add link to blint repo to README
    • Mention that blint supports our data
    • Consolidate target definitions
    • Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
    • Migrate to a maintained toolchain action
    • Fix author specification
    • Add link to repository to resolverver Cargo.toml
    • Bump resolverver to 0.1.0
    • Add resolverver crate to the tree

  • Update to version 0.6.6~0:
    • Note the object upgrade in the changelog
    • Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
    • Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
    • Update dependencies in the lock file
    • Populate changelog
    • apply clippy lint
    • add another --emit parsing test
    • shorter code with cargo fmt
    • Actually fix cargo-c compatibility
    • Attempt to fix cargo-capi incompatibility
    • Refactoring in preparation for fixes
    • Also read the --emit flag to rustc
    • Fill in changelogs
    • Bump versions
    • Drop cfg'd out tests
    • Drop obsolete doc line
    • Move dependency cycle tests from auditable-serde to cargo-auditable crate
    • Remove cargo_metadata from auditable-serde API surface.
    • Apply clippy lint
    • Upgrade miniz_oxide to 0.8.0
    • Insulate our semver from miniz_oxide semver
    • Add support for Rust 2024 edition
    • Update tests
    • More robust OS detection for riscv feature detection
    • bump version
    • update changelog for auditable-extract 0.3.5
    • Fix wasm component auditable data extraction
    • Update blocker description in README.md
    • Add openSUSE to adopters
    • Update list of known adopters
    • Fix detection of riscv64-linux-android target features
    • Silence noisy lint
    • Bump version requirement in rust-audit-info
    • Fill in changelogs
    • Bump semver of auditable-info
    • Drop obsolete comment now that wasm is enabled by default
    • Remove dependency on cargo-lock
    • Brag about adoption in the README
    • Don't use LTO for cargo-dist builds to make them consistent with cargo install etc
    • Also build musl binaries
    • dist: update dist config for future releases
    • dist(cargo-auditable): ignore auditable2cdx for now
    • chore: add cargo-dist

  • Update to version 0.6.4~0:
    • Release cargo-auditable v0.6.4
    • Correctly attribute changelog file addition in changelog
    • Add changelog for auditable-extract
    • Verify various feature combinations in CI
    • Upgrade wasmparser to remove dependencies with unsafe
    • Add LoongArch support
    • cargo fmt
    • Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
    • Expand on the note about WebAssembly parsing
    • Populate changelogs
    • Resume bragging about all dependencies being safe, now that there is a caveat below
    • drop fuzz Cargo.lock to always fuzz against latest versions
    • Bump cargo auditable version
    • Mention WASM support in README
    • Revert "Be super duper extra sure both MinGW and MSVC are tested on CI"
    • Be super duper extra sure both MinGW and MSVC are tested on CI
    • Add wasm32 targets to CI for more platforms
    • Don't pass --target twice in tests
    • Install WASM toolchain in CI
    • cargo fmt
    • Add WASM end-to-end test
    • cargo fmt
    • Update documentation to mention the WASM feature
    • cargo fmt
    • Plumb WASM parsing feature through the whole stack
    • Make WASM parsing an optional, non-default feature
    • Add a fuzzing harness for WASM parsing
    • Rewritten WASM parsing to avoid heap allocations
    • Initial WASM extraction support
    • Nicer assertion
    • Drop obsolete comment
    • Clarify that embedding the compiler version has shipped.
    • Fixed section name for WASM
    • Unified and more robust platform detection. Fixed wasm build process
    • Initial WASM support
    • More robust platform detection for picking the binary format
    • Fix Windows CI to run both -msvc and -gnu
    • Use the correct link.exe flag for preserving the specified symbol even if it is unused
    • Fix Windows
    • Fix tests on Rust 1.77
    • Placate clippy
    • Oops, I meant components field
    • Also remove the dependencies field if empty
    • Use serde_json with order preservation feature to get a more compressible JSON after workarounds
    • Work around cyclonedx-bom limitations to produce minified JSON
    • Also record the dependency kind
    • cyclonedx-bom: also record PURL
    • Also write the dependency tree
    • Clear the serial number in the minimal CycloneDX variant
    • Prototype impl of auditable2cdx
    • Fill in auditable2cdx dependencies
    • Initial auditable2cdx boilerplate
    • add #![forbid(unsafe_code)]
    • Initial implementation of auditable-to-cyclonedx conversion
    • Add the necessary dependencies to auditable-cyclonedx
    • Initial dummy package for auditable-cyclonedx

  • Update to version 0.6.2~0:
    • Update the lockfile
    • New releases of cargo-auditable and auditable-serde
    • Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions
    • Revert "add commit hashes to git sources"
    • Fix cyclic dependency graph being encoded
    • Revert "An unsuccessful attempt to fix cycles caused by dev-dependencies"
    • An unsuccessful attempt to fix cycles caused by dev-dependencies
    • Fix typo
    • Add comment
    • Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043
    • Fix auditable-serde example not building
    • upgrade dependency miniz_oxide to 0.6.0
    • fix formatting errors
    • apply clippy lints for --all-features
    • improve the internal docs and comments
    • apply clippy lints
    • add missing sources for one of test fixtures
    • add commit hashes to git sources
    • Run all tests on CI
    • cargo fmt
    • Run cargo clean in tests to get rid of stale binaries
    • Fix date in changelog
    • Populate changelog
    • Bump auditable-info version in rust-audit-info
    • Add auditable-info changelog
    • Bump versions following cargo-lock bump
    • auditable-serde: bump cargo-lock to v9
    • switch to UNRELEASED
    • Update CHANGELOG.md
    • Print a better error if calling rustc fails
    • Drop unused import
    • placate Clippy
    • Don't inject audit info if --print argument is passed to rustc
    • Reflect the version change in Cargo.lock
    • Remove space from keywords
    • bump version to 0.6.1
    • Fix date in changelog
    • Update CHANGELOG.md
    • Add publish=false
    • Commit the generated manpage
    • Add the code for generating a manpage; rather rudimentary so far, but it's a starting point
    • Explain relation to supply chain attacks
    • Add keywords to the Cargo manifest
    • Revert "generate a man page for cargo auditable"
    • fix formatting
    • fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file
    • generate a man page for cargo auditable
    • Add Clippy suppression
    • placate clippy
    • commit Cargo.lock
    • Sync to latest object file writing code from rustc
    • Fix examples in docs
    • Allow redundant field names
    • Apply clippy suggestion: match -> if let
    • Check for clippy and format in CI
    • Apply clippy suggestions
    • Run CI with --locked

  • Update to version 0.6.0~0:
    • README and documentation improvements
    • Read the rustc path passed by Cargo; fixes #90
    • Read location of Cargo from the environment variable Cargo sets for third-party subcommands
    • Add a note on sccache version compatibility to CHANGELOG.md
    • Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error
    • Specifying the binary-scanning feature is no longer needed
    • Pass options such as --offline to cargo metadata
    • Pass on arguments from cargo auditable invocation to the rustc wrapper; prep work towards fixing #83
    • Bump rust-audit-info to 0.5.2
    • Bump auditable-serde version to 0.5.2
    • Correctly fill in the source even in dependency entries when converting to cargo-lock data format
    • Drop the roundtrip through str in semver::Version
    • Release auditable-info 0.6.1
    • Bump all the version requirements for things depending on auditable-info
    • Fix audit_info_from_slice function signature

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2026-514=1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514=1
  • SUSE Linux Enterprise Server 15 SP4 LTSS
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514=1

Package List:

  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    • cargo-auditable-0.7.2~0-150300.7.6.1
    • cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
    • cargo-auditable-0.7.2~0-150300.7.6.1
    • cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
    • cargo-auditable-0.7.2~0-150300.7.6.1
    • cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1
  • SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
    • cargo-auditable-0.7.2~0-150300.7.6.1
    • cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    • cargo-auditable-0.7.2~0-150300.7.6.1
    • cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1