Improve wording and typography in May 13 advisories #2877
Fixed, thanks for the advice. It turns out that the broken output in GitHub Actions was due to NoScript blocking

Please squash the changes from your last commit back into the originating commits.
djc left a comment
Thanks for the careful review.
Some of these changes err on the side of being overly pedantic to me, and in the future I don't think submitting PRs to fix capitalization or reflow lines is worth my review time. On the other hand, adding the affected functions and improving (or removing) the informational status is definitely valuable.
Do you want to help improve
to cover some of this stuff?
| # Unsound access to padding bytes while deserializing date/time values using the MySQL backend | ||
|
|
||
| This affects any usage of the following functions with a `AsyncMysqlConnection` provided by diesel-async: | ||
| `diesel-async` uses the `mysql-async` crate for interacting with |
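Review bot: the article in "with a `AsyncMysqlConnection`" should be "an", and that same line leaves diesel-async unquoted while the following line writes `diesel-async` in backticks. Since this change is about wording and typography, fix the article and settle on one form for the crate name throughout the advisory text.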
Please do not reflow in the same commit as changing wording, as that makes it very hard to review.
|
|
||
| In libcrux-ml-dsa, hint decoding did not check the boundedness of the | ||
| cumulative hint counter of the last row of the hint vector. | ||
| In `libcrux-ml-dsa`, hint decoding did not check the boundedness of |
I don't think quoting crate names makes sense.
The removal of informational status is due to this being an actively hazardous out-of-bounds access, rather than an instance of undefined behavior that may or may not manifest as a real vulnerability.



This PR includes the following improvements to several of the advisories that were assigned numbers today, as well as all of Diesel's 2026 vulnerabilities:
[affected.functions])

Additionally, RUSTSEC-2026-0133 has had its "informational" label removed, as it is a guaranteed out-of-bounds access that affects all users of the crate, not requiring it to be used in some unintended or buggy way.