Merge branch 'rustsec:main' into main

Author: charlesxsh

.duplicate-id-guard

@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-0e609c43a313fd0a283b59b46bea5f3f670a2d409f772f86117a3ef2d7297ce4  -
+31a8abd8cc612f6b98d74d057b6404593b695fc8824cd6fb0236e21eaa7b4b39  -

.github/workflows/assign-ids.yml

@@ -9,7 +9,7 @@ jobs:
     name: Assign IDs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
 
     - name: Cache cargo bin
       id: admin-cache

.github/workflows/export-osv.yml

@@ -8,7 +8,7 @@ jobs:
   publish-web:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: osv
 

.github/workflows/publish-web.yml

@@ -8,7 +8,7 @@ jobs:
   publish-web:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: gh-pages
 

.github/workflows/sync-ids.yml

@@ -11,7 +11,7 @@ jobs:
     name: Synchronize IDs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
 
     - name: Cache cargo bin
       id: admin-cache

.github/workflows/validate.yml

@@ -10,7 +10,7 @@ jobs:
     name: Lint advisories
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
 
     - name: Cache cargo bin
       id: admin-cache

CONTRIBUTING.md

@@ -13,7 +13,7 @@ To add an advisory to the RustSec database, open a [Pull Request] against
 3. Write a human-readable Markdown description in the same file, after the <code>\```</code> marker and a newline. Use [this example advisory][example] as a reference.
 4. Open a [Pull Request]. After being reviewed your advisory will be assigned
    a `RUSTSEC-*` advisory identifier and be published to the database.
-   
+
 ### Optional Steps
 
 Feel free to do either or both of these as you see fit (we recommend you do both):
@@ -55,13 +55,11 @@ When in doubt, please open a PR.
 A: No, anyone can file an advisory against any crate. The legitimacy of
     vulnerabilities will be determined prior to merging. If a vulnerability
     turns out to be fake, it will be removed from the database.
-    
+
 **Q: Can I file an advisory without creating a pull request?**
 
 A: Yes, instead of creating a full advisory yourself, you can also
-   [open an issue on the advisory-db repo](https://github.com/RustSec/advisory-db/issues)
-   or email information about the vulnerability to
-   [[email protected]](mailto:[email protected]).
+   [open an issue on the advisory-db repo](https://github.com/RustSec/advisory-db/issues).
 
 **Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?**
 

HOWTO_UNMAINTAINED.md

@@ -71,6 +71,10 @@ When creating the advisory, please include a link to an open issue
 on the upstream project repository where the maintenance status has been
 discussed in the `url = "..."` field of the advisory.
 
+If the upstream project repository has issues disabled, or if an upstream
+issue does not adequately explain the circumstances, please include
+`url = "..."` linking to an issue in the `advisory-db` project.
+
 For more information on adding an advisory to the RustSec DB, see:
 
 <https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md>

crates/adler/RUSTSEC-2025-0056.md

@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0056"
+package = "adler"
+date = "2025-09-05"
+url = "https://github.com/jonas-schievink/adler"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# adler crate is unmaintained, use adler2 instead
+
+The `adler` crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative.
+
+## Recommended alternatives
+
+- [`adler2`](https://crates.io/crates/adler2)

crates/ammonia/RUSTSEC-2025-0071.md

@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0071"
+package = "ammonia"
+date = "2025-09-21"
+categories = ["format-injection"]
+keywords = ["html", "xss"]
+
+[versions]
+patched = [">= 4.1.2", ">= 4.0.1, < 4.1.0", ">= 3.3.1, < 4.0.0"]
+```
+
+# Incorrect handling of embedded SVG and MathML leads to mutation XSS after removal
+
+Affected versions of this crate did not correctly strip namespace-incompatible tags
+in certain situations, causing it to incorrectly account for differences between HTML,
+SVG, and MathML.
+
+This vulnerability only has an effect when the `svg` or `math` tag is allowed,
+because it relies on a tag being parsed as html during the cleaning process, but
+serialized in a way that causes in to be parsed as xml by the browser.
+
+Additionally, the application using this library must allow a tag that is parsed as raw text in HTML.
+These [elements] are:
+
+* title
+* textarea
+* xmp
+* iframe
+* noembed
+* noframes
+* plaintext
+* noscript
+* style
+* script
+
+Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
+
+[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs