Security update for cargo-auditable
| Announcement ID: | SUSE-SU-2026:0506-1 |
|---|---|
| Release Date: | 2026-02-13T14:32:18Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | Development Tools Module 15-SP7 |
An update that solves one vulnerability can now be installed.
Description:
This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
- mention cargo-dist in README
- commit Cargo.lock
- bump which dev-dependency to 8.0.0
- bump object to 0.37
- Upgrade cargo_metadata to 0.23
- Expand the set of dist platforms in config
- Update to version 0.7.1~0:
- Opt out of unhelpful clippy lint
- Satisfy clippy
- Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
- Run apt-get update before trying to install packages
- run `cargo dist init` on dist 0.30
- Drop allow-dirty from dist config, should no longer be needed
- Reorder paragraphs in README
- Note the maintenance transition for the go extraction library
- Editing pass on the adopters: scanners
- clarify Docker support
- Cargo clippy fix
- Add Wolfi OS and Chainguard to adopters
- Update mentions around Anchore tooling
- README and documentation updates for nightly
- Bump dependency version in rust-audit-info
- More work on docs
- Nicer formatting on format revision documentation
- Bump versions
- regenerate JSON schema
- cargo fmt
- Document format field
- Make it more clear that RawVersionInfo is private
- Add format field to the serialized data
- cargo clippy fix
- Add special handling for proc macros to treat them as the build dependencies they are
- Add a test to ensure proc macros are reported as build dependencies
- Add a test fixture for a crate with a proc macro dependency
- parse fully qualified package ID specs from SBOMs
- select first discovered SBOM file
- cargo sbom integration
- Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
- Don't fail plan workflow due to manually changed release.yml
- Bump Ubuntu version to hopefully fix release.yml workflow
- Add test for stripped binary
- Bump version to 0.6.7
- Populate changelog
- README.md: add auditable2cdx, more consistency in text
- Placate clippy
- Do not emit -Wl if a bare linker is in use
- Get rid of a compiler warning
- Add bare linker detection function
- drop boilerplate from test that's no longer relevant
- Add support for recovering rustc codegen options
- More lenient parsing of rustc arguments
- More descriptive error message in case rustc is killed abruptly
- change formatting to fit rustfmt
- More descriptive error message in case cargo is killed
- Update REPLACING_CARGO.md to fix #195
- Clarify osv-scanner support in README
- Include the command required to view metadata
- Mention wasm-tools support
- Switch from broken generic cache action to a Rust-specific one
- Fill in various fields in auditable2cdx Cargo.toml
- Include osv-scanner in the list, with a caveat
- Add link to blint repo to README
- Mention that blint supports our data
- Consolidate target definitions
- Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
- Migrate to a maintained toolchain action
- Fix author specification
- Add link to repository to resolverver Cargo.toml
- Bump resolverver to 0.1.0
- Add resolverver crate to the tree
- Update to version 0.6.6~0:
- Note the `object` upgrade in the changelog
- Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
- Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
- Update dependencies in the lock file
- Populate changelog
- apply clippy lint
- add another --emit parsing test
- shorter code with cargo fmt
- Actually fix cargo-c compatibility
- Attempt to fix cargo-capi incompatibility
- Refactoring in preparation for fixes
- Also read the --emit flag to rustc
- Fill in changelogs
- Bump versions
- Drop cfg'd out tests
- Drop obsolete doc line
- Move dependency cycle tests from auditable-serde to cargo-auditable crate
- Remove cargo_metadata from auditable-serde API surface.
- Apply clippy lint
- Upgrade miniz_oxide to 0.8.0
- Insulate our semver from miniz_oxide semver
- Add support for Rust 2024 edition
- Update tests
- More robust OS detection for riscv feature detection
- bump version
- update changelog for auditable-extract 0.3.5
- Fix wasm component auditable data extraction
- Update blocker description in README.md
- Add openSUSE to adopters
- Update list of known adopters
- Fix detection of `riscv64-linux-android` target features
- Silence noisy lint
- Bump version requirement in rust-audit-info
- Fill in changelogs
- Bump semver of auditable-info
- Drop obsolete comment now that wasm is enabled by default
- Remove dependency on cargo-lock
- Brag about adoption in the README
- Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
- Also build musl binaries
- dist: update dist config for future releases
- dist(cargo-auditable): ignore auditable2cdx for now
- chore: add cargo-dist
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- Development Tools Module 15-SP7: `zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-506=1`
Package List:
- Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  - cargo-auditable-0.7.2~0-150700.3.5.1
  - cargo-auditable-debuginfo-0.7.2~0-150700.3.5.1
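An added check, not part of the advisory, for confirming that an installed cargo-auditable package is at or above the fixed version listed above. It reimplements the rpmvercmp ordering so that the `~` in `0.7.2~0` is handled the way RPM handles it (the `^` rule is left out), and assumes the installed EVR is read with `rpm -q --qf '%{VERSION}-%{RELEASE}' cargo-auditable`.

```python
import re

# Added example (not part of the advisory): rpmvercmp-style comparison so that
# 0.7.2~0 < 0.7.2 and 0.7.10 > 0.7.2, unlike plain string comparison.
FIXED_EVR = "0.7.2~0-150700.3.5.1"  # from the package list above

def rpmvercmp(a, b):
    """Return -1, 0 or 1 for two version or release strings (the '^' rule is omitted)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"): i += 1  # skip '.', '_'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"): j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]          # "" once a side is exhausted
        if ca == "~" or cb == "~":               # tilde sorts below everything, even ""
            if ca != cb:
                return -1 if ca == "~" else 1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        pat = r"\d+" if ca.isdigit() else r"[A-Za-z]+"
        sa, mb = re.match(pat, a[i:]).group(0), re.match(pat, b[j:])
        if mb is None:                           # a numeric segment beats an alphabetic one
            return 1 if ca.isdigit() else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():                         # numbers: strip leading zeros, longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1              # whichever side has leftovers wins

def evr_cmp(a, b):
    """Compare '[epoch:]version-release' strings; a missing epoch counts as 0."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return epoch or "0", version, release
    for x, y in zip(split(a), split(b)):
        if (r := rpmvercmp(x, y)) != 0:
            return r
    return 0

def is_patched(installed_evr, fixed_evr=FIXED_EVR):
    """installed_evr as printed by: rpm -q --qf '%{VERSION}-%{RELEASE}' cargo-auditable"""
    return evr_cmp(installed_evr, fixed_evr) >= 0
```

The sample EVRs in the test are constructed; only `0.7.2~0-150700.3.5.1` comes from the advisory.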