From 3e88fe66c941d411cff5cf49778ba08c2ed93801 Mon Sep 17 00:00:00 2001
From: Marli Frost
Date: Tue, 19 Sep 2023 18:55:01 +0100
Subject: [PATCH] in-source vulnerability tracking
---
 security-advisories/README.md | 7 +++++
 security-advisories/zipadvisories.key | 42 +++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 security-advisories/README.md
 create mode 100644 security-advisories/zipadvisories.key
diff --git a/security-advisories/README.md b/security-advisories/README.md
new file mode 100644
index 000000000..f11357fed
--- /dev/null
+++ b/security-advisories/README.md
@@ -0,0 +1,7 @@
+# Security Advisories for `zip`
+
+This folder documents the security vulnerabilities affecting the zip crate. It is currently incomplete: RustSec tracks some old vulnerabilities and you should especially ensure you're using an up-to-date version of bzip2.
+
+## Reporting
+
+This folder contains a public key ([./zipadvisories.key]) which may be used for reporting sensitive vulnerabilities to the zip maintainers. At time of writing, @plecra has the decryption key. Sending encrypted reports to marli@frost.red or via a new github issue is greatly appreciated.
diff --git a/security-advisories/zipadvisories.key b/security-advisories/zipadvisories.key
new file mode 100644
index 000000000..1e5edbf8a
--- /dev/null
+++ b/security-advisories/zipadvisories.key
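Review bot: The Reporting section on the last added line of the README hunk invites encrypted reports `via a new github issue`, but issues on a public repository are visible to everyone, so the existence of a report, its title and the reporter's identity are disclosed even when the body is encrypted; naming GitHub's private vulnerability reporting (where enabled) or the email address alone as the channel would avoid that. The section also points at the key file without stating its fingerprint, so a reporter cannot check that the key they fetched is the one the maintainers hold; a line such as `Key fingerprint: <FINGERPRINT-PLACEHOLDER>` (as printed by `gpg --show-keys zipadvisories.key`) would close that gap. Separately, the markdown link `([./zipadvisories.key])` has no link target and renders as literal brackets; `[zipadvisories.key](./zipadvisories.key)` fixes it.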
@@ -0,0 +1,42 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGUJ3MIBDADSpQ2HCWcUYrvNnKEcWHSXbMeWeZwIJuxefRO0MEwp1gQCYR+2
+jQwKkmhPjR8ZEcuooSS1zYl1zZxgvnBVgvkNNZeEA7K6fEg632K85/VKcHLR/ZFQ
+T2CtACn2L+7dk75GvNMnTLlw8j9ogxKI8BleVCFA9gxit7lsxVJkS0AoRxfAnwbE
+ZTIn7VKvX4zEEIaTF90Fsb33El8vKOOqNpkcwHMFJYkq4D9tWgLku0HDlKTREcTg
+c6ySfqUZKdJZM1foGCoMJd3pIiPlF3TRv2iISHMRnFdFZ8nzXGnUOvZQsmNGKoZr
+FmaB1RIsGZMe58lFabNekaTZ67ja2eXMcGrZ9cfxgISn4SMHk9DZNzsWVTtqe/ZS
++TbjNBfxoezZWbK+eW9aI+6jWclCymbwnmkGZ6pCGinQ/hPGNH68R6cgM19FFSJR
+0dkOS0Inqi/LFX8oFG92HrNqOJU2HJiiJw/CuS+NpsWle+EuKBia0+7bX/J2DTio
+EPPLwE/bzW5p3MEAEQEAAbRlbWFybGkgKGVuY3J5cHRpb24ga2V5IGZvciBzZWN1
+cml0eSBhZHZpc29yaWVzIG9uIGNyYXRlcyBvd25lZCBieSBnaXRodWIuY29tL3Bs
+ZWNyYSkgPG1hcmxpQGZyb3N0LnJlZD6JAc4EEwEKADgWIQQ8qnkYgARauRpEvXuO
+4ShR8uWq+wUCZQncwgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCO4ShR
+8uWq+4scC/oCDXs9/toC4jf0KhGx3u9H3o6XMnmtnTB4k4drG8gAmGVbkawY1IXt
+uU77FUXEpP1AesmiBNcsxv7RrCElrCdzjS3yfMFDvK+sOP/97qThh5kRg03XKgeK
+bEzgX0lTWR2j+keEqx/GtAxeNN65U3B2J6Z5kjl3UAm4TvVR/mmB72HTU8krOr1e
+VQGhlE3SXk0QL5aByeH6qaVFm1PSIIJdkZhGBVGAf0Yb32c7/ngUZCpDWbVhmkQg
+kFAgYtN49mt3pbe4SI5P3goPc6aitFJ2mCl103QxN3n3hJ8YU/8n92PlxaerfiRt
+W10sZGhVc/iC8Qow7ZqtvdIsxciz9y1iAL7N4v4g4jOAtDy6Q/Fajm3+wTy4R8Jj
+2nx/Cq/Gk/AHqkvEpAkcUW4iQ2bZFKdpDfi6/phSeoBS+WF3dycsOlLKS90Tvhiw
+DYasxuNzwJK0IO8YM+hiId/ziErsKG2CTx9LePToYzgLvA9OJITi4UZm71Jkmuth
+5X4duNT+TSq5AY0EZQncwgEMAK0zXJq2mURC0VyM4pTIVkdgIZBR3n0YCgRTtcTQ
+IOnoiX9KLT6ZGfMllAEzAacgBqZnw/AGw9lraH3X8gyFH94dntIJEhmcmJ4RYVdl
+GchyiQYUSmtqJdTQ3el9TxQ0ec5nst3MHEeaQnUKPYVMJZkIDMg/jzmlyKVb3EOS
+QDKfqGhlNU8N0tAwmwyVzKc4rJHuDQOuZbn6u1/X2RBE9jMRFaMHVMG6iZNcjVfC
+3HVqa00ZYTR9rZPlVuvlbT1pnZ2DkOKYp9fGd55eL8CHUDd7IFgdRauKIe6XySGM
+nIIOdy/vfVNNBdzo8SiWtDs1Um0KvPF97CTcqyCo4wn3howWXP2OIoyif9l/cFwN
+a3EBCSSJK/DJ1un0DwtsH8uKyDccwzGmAIMkK7IDVRGlHV7z8UsrdamNTh3CdJn5
+yczsLWDY00vLs7IaT3/ZGzWdoBBX4cClUS3Aru1GWpHBjTH9BQO03t237hnQezLp
+ALzwh3pqkjaakmSqTBoYVS06dwARAQABiQG2BBgBCgAgFiEEPKp5GIAEWrkaRL17
+juEoUfLlqvsFAmUJ3MICGwwACgkQjuEoUfLlqvuzQAv8CxuBQiLA4AGki1EUCEvk
+xqXbMlBfX+qL1gKnj547lyqnIbjMrhCuJs72gc3vclWNP2tT2XCwsoTs4rZJwccV
+NVQzDoJpalckumI1o85ZbBosfl3do8riUXKfQ5CWmoKbiSCziSqm2cB7BqesLjNy
+6zu7y0J5qMGjIArDqoS59r9iQfY8tbqq2rcVnCoIrHNLp8WupkGjpsNOWxkg4sZh
+v0xOMfrU7v7ErNH+TCEVQzXXFDbc9ppnfBkFBBvlO08O16sAlA2xRnQc+hlM0FdJ
+Q8CHklvolWdhbkuLHYRDvYf+MIf0r5F1Bk6Dh7YZkEI9kK5qSOOsZ0TZOPGteMbm
+Oseln6bu/TwLHowf4ItYmjYPOeNHGNf91g1X98JdQvyyda0YldAQlz6I4aPzUH07
+XhyezUF1T04aN3T73TZmpRJBC611c7rSh2yw5ED4J/TjNQI8BcTny0wC7Sfi/krc
+ory7KoaRpUGG+00fWgTzsd/ktf2pSCKDJGs5S8DDAVhJ
+=Cxca
+-----END PGP PUBLIC KEY BLOCK-----