Add link to ignored vulns

OBS-URL: https://build.opensuse.org/package/show/network/arti?expand=0&rev=8
2023-11-14 20:25:00 +00:00 · 2023-11-14 20:25:00 +00:00 · a1ebac571b
commit a1ebac571b
parent ed582c3c6b
2 changed files with 42 additions and 2 deletions
--- a/40
+++ b/40
@ -15,7 +15,47 @@
        <param name="srcdir">arti</param>
        <param name="compression">zst</param>
        <param name="update">true</param>
+
+        <!-- From
+        https://gitlab.torproject.org/tpo/core/arti/-/blob/58f578f9097b090b289f4ea59488044796428daf/maint/cargo_audit
+        -->
+
+        <!--
+        This is a real but theoretical unaligned read.  It might happen only on
+        Windows and only with a custom global allocator, which we don't do in our
+        arti binary.  The bad crate is depended on by env-logger and clap.
+        This is being discussed by those crates' contributors here:
+            https://github.com/clap-rs/clap/pull/4249
+            https://github.com/rust-cli/env_logger/pull/246
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
+
+        <!--
+        This is an API vulnerability in ed25519-dalek v1.x.x, to the
+        extent that it does not force you to store private and public
+        keys as a single keypair.
+
+        We have desigend our APIs to work around this, and believe we
+        are not affected.  We should eventually upgrade to
+        ed25519-dalek >= 2, however.
+        -->
        <param name="i-accept-the-risk">RUSTSEC-2022-0093</param>
+
+        <!--
+        This is a DOS vulnerability against rustls-webpki (only some versions)
+        and webpki (all versions) where some cert chains can cause
+        ridiculous CPU usage.
+
+        We've upgraded our rustls-webpki usage, but webpki (which is
+        unmaintained) is still used by tls-api, which we use from
+        arti-hyper.
+
+        I've opened https://github.com/stepancheg/rust-tls-api/issues/45
+        for this issue, but I'm not sure whether `tls-api` is maintained.
+
+        See https://gitlab.torproject.org/tpo/core/arti/-/issues/1016
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2023-0052</param>
    </service>
    <service name="cargo_audit" mode="manual">
        <param name="srcdir">arti</param>
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:6a5322875c1e187e74ed6d1f18229ccb979afdee95947c26320294c10e78f188
-size 52565982
+oid sha256:bf9b1bcb5b9222003bfb4f4abfbf0b2b6b87b6366d08596977d2a8993a456df4
+size 52740477