<div class="container">
<h1>Security update for cargo-auditable</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:0514-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-02-13T14:57:18Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257906">bsc#1257906</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Cross-References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">CVE-2026-25727</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for cargo-auditable fixes the following issues:</p>
<p>Update to version 0.7.2~0.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>
<p>Update to version 0.7.2~0:</p>
</li>
<li>
<p>mention cargo-dist in README</p>
</li>
<li>commit Cargo.lock</li>
<li>bump which dev-dependency to 8.0.0</li>
<li>bump object to 0.37</li>
<li>Upgrade cargo_metadata to 0.23</li>
<li>
<p>Expand the set of dist platforms in config</p>
</li>
<li>
<p>Update to version 0.7.1~0:</p>
</li>
<li>
<p>Opt out of unhelpful clippy lint</p>
</li>
<li>Satisfy clippy</li>
<li>Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't</li>
<li>Run apt-get update before trying to install packages</li>
<li>run <code>cargo dist init</code> on dist 0.30</li>
<li>Drop allow-dirty from dist config, should no longer be needed</li>
<li>Reorder paragraphs in README</li>
<li>Note the maintenance transition for the go extraction library</li>
<li>Editing pass on the adopters: scanners</li>
<li>clarify Docker support</li>
<li>Cargo clippy fix</li>
<li>Add Wolfi OS and Chainguard to adopters</li>
<li>Update mentions around Anchore tooling</li>
<li>README and documentation updates for nightly</li>
<li>Bump dependency version in rust-audit-info</li>
<li>More work on docs</li>
<li>Nicer formatting on format revision documentation</li>
<li>Bump versions</li>
<li>regenerate JSON schema</li>
<li>cargo fmt</li>
<li>Document format field</li>
<li>Make it more clear that RawVersionInfo is private</li>
<li>Add format field to the serialized data</li>
<li>cargo clippy fix</li>
<li>Add special handling for proc macros to treat them as the build dependencies they are</li>
<li>Add a test to ensure proc macros are reported as build dependencies</li>
<li>Add a test fixture for a crate with a proc macro dependency</li>
<li>parse fully qualified package ID specs from SBOMs</li>
<li>select first discovered SBOM file</li>
<li>cargo sbom integration</li>
<li>Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out</li>
<li>Don't fail plan workflow due to manually changed release.yml</li>
<li>Bump Ubuntu version to hopefully fix release.yml workflow</li>
<li>Add test for stripped binary</li>
<li>Bump version to 0.6.7</li>
<li>Populate changelog</li>
<li>README.md: add auditable2cdx, more consistency in text</li>
<li>Placate clippy</li>
<li>Do not emit -Wl if a bare linker is in use</li>
<li>Get rid of a compiler warning</li>
<li>Add bare linker detection function</li>
<li>drop boilerplate from test that's no longer relevant</li>
<li>Add support for recovering rustc codegen options</li>
<li>More lenient parsing of rustc arguments</li>
<li>More descriptive error message in case rustc is killed abruptly</li>
<li>change formatting to fit rustfmt</li>
<li>More descriptive error message in case cargo is killed</li>
<li>Update REPLACING_CARGO.md to fix #195</li>
<li>Clarify osv-scanner support in README</li>
<li>Include the command required to view metadata</li>
<li>Mention wasm-tools support</li>
<li>Switch from broken generic cache action to a Rust-specific one</li>
<li>Fill in various fields in auditable2cdx Cargo.toml</li>
<li>Include osv-scanner in the list, with a caveat</li>
<li>Add link to blint repo to README</li>
<li>Mention that blint supports our data</li>
<li>Consolidate target definitions</li>
<li>Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that</li>
<li>Migrate to a maintained toolchain action</li>
<li>Fix author specification</li>
<li>Add link to repository to resolverver Cargo.toml</li>
<li>Bump resolverver to 0.1.0</li>
<li>
<p>Add resolverver crate to the tree</p>
</li>
<li>
<p>Update to version 0.6.6~0:</p>
</li>
<li>
<p>Note the <code>object</code> upgrade in the changelog</p>
</li>
<li>Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx</li>
<li>Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint</li>
<li>Update dependencies in the lock file</li>
<li>Populate changelog</li>
<li>apply clippy lint</li>
<li>add another --emit parsing test</li>
<li>shorter code with cargo fmt</li>
<li>Actually fix cargo-c compatibility</li>
<li>Attempt to fix cargo-capi incompatibility</li>
<li>Refactoring in preparation for fixes</li>
<li>Also read the --emit flag to rustc</li>
<li>Fill in changelogs</li>
<li>Bump versions</li>
<li>Drop cfg'd out tests</li>
<li>Drop obsolete doc line</li>
<li>Move dependency cycle tests from auditable-serde to cargo-auditable crate</li>
<li>Remove cargo_metadata from auditable-serde API surface.</li>
<li>Apply clippy lint</li>
<li>Upgrade miniz_oxide to 0.8.0</li>
<li>Insulate our semver from miniz_oxide semver</li>
<li>Add support for Rust 2024 edition</li>
<li>Update tests</li>
<li>More robust OS detection for riscv feature detection</li>
<li>bump version</li>
<li>update changelog for auditable-extract 0.3.5</li>
<li>Fix wasm component auditable data extraction</li>
<li>Update blocker description in README.md</li>
<li>Add openSUSE to adopters</li>
<li>Update list of known adopters</li>
<li>Fix detection of <code>riscv64-linux-android</code> target features</li>
<li>Silence noisy lint</li>
<li>Bump version requirement in rust-audit-info</li>
<li>Fill in changelogs</li>
<li>Bump semver of auditable-info</li>
<li>Drop obsolete comment now that wasm is enabled by default</li>
<li>Remove dependency on cargo-lock</li>
<li>Brag about adoption in the README</li>
<li>Don't use LTO for cargo-dist builds to make them consistent with <code>cargo install</code> etc</li>
<li>Also build musl binaries</li>
<li>dist: update dist config for future releases</li>
<li>dist(cargo-auditable): ignore auditable2cdx for now</li>
<li>
<p>chore: add cargo-dist</p>
</li>
<li>
<p>Update to version 0.6.4~0:</p>
</li>
<li>
<p>Release cargo-auditable v0.6.4</p>
</li>
<li>Correctly attribute changelog file addition in changelog</li>
<li>Add changelog for auditable-extract</li>
<li>Verify various feature combinations in CI</li>
<li>Upgrade wasmparser to remove dependencies with <code>unsafe</code></li>
<li>Add LoongArch support</li>
<li>cargo fmt</li>
<li>Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages</li>
<li>Expand on the note about WebAssembly parsing</li>
<li>Populate changelogs</li>
<li>Resume bragging about all dependencies being safe, now that there is a caveat below</li>
<li>drop fuzz Cargo.lock to always fuzz against latest versions</li>
<li>Bump <code>cargo auditable</code> version</li>
<li>Mention WASM support in README</li>
<li>Revert "Be super duper extra sure both MinGW and MSVC are tested on CI"</li>
<li>Be super duper extra sure both MinGW and MSVC are tested on CI</li>
<li>Add wasm32 targets to CI for more platforms</li>
<li>Don't pass --target twice in tests</li>
<li>Install WASM toolchain in CI</li>
<li>cargo fmt</li>
<li>Add WASM end-to-end test</li>
<li>cargo fmt</li>
<li>Update documentation to mention the WASM feature</li>
<li>cargo fmt</li>
<li>Plumb WASM parsing feature through the whole stack</li>
<li>Make WASM parsing an optional, non-default feature</li>
<li>Add a fuzzing harness for WASM parsing</li>
<li>Rewritten WASM parsing to avoid heap allocations</li>
<li>Initial WASM extraction support</li>
<li>Nicer assertion</li>
<li>Drop obsolete comment</li>
<li>Clarify that embedding the compiler version has shipped.</li>
<li>Fixed section name for WASM</li>
<li>Unified and more robust platform detection. Fixed wasm build process</li>
<li>Initial WASM support</li>
<li>More robust platform detection for picking the binary format</li>
<li>Fix Windows CI to run both -msvc and -gnu</li>
<li>Use the correct link.exe flag for preserving the specified symbol even if it is unused</li>
<li>Fix Windows</li>
<li>Fix tests on Rust 1.77</li>
<li>Placate clippy</li>
<li>Oops, I meant components field</li>
<li>Also remove the dependencies field if empty</li>
<li>Use serde_json with order preservation feature to get a more compressible JSON after workarounds</li>
<li>Work around cyclonedx-bom limitations to produce minified JSON</li>
<li>Also record the dependency kind</li>
<li>cyclonedx-bom: also record PURL</li>
<li>Also write the dependency tree</li>
<li>Clear the serial number in the minimal CycloneDX variant</li>
<li>Prototype impl of auditable2cdx</li>
<li>Fill in auditable2cdx dependencies</li>
<li>Initial auditable2cdx boilerplate</li>
<li>add #![forbid(unsafe_code)]</li>
<li>Initial implementation of auditable-to-cyclonedx conversion</li>
<li>Add the necessary dependencies to auditable-cyclonedx</li>
<li>
<p>Initial dummy package for auditable-cyclonedx</p>
</li>
<li>
<p>Update to version 0.6.2~0:</p>
</li>
<li>
<p>Update the lockfile</p>
</li>
<li>New releases of cargo-auditable and auditable-serde</li>
<li>Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions</li>
<li>Revert "add commit hashes to git sources"</li>
<li>Fix cyclic dependency graph being encoded</li>
<li>Revert "An unsuccessful attempt to fix cycles caused by dev-dependencies"</li>
<li>An unsuccessful attempt to fix cycles caused by dev-dependencies</li>
<li>Fix typo</li>
<li>Add comment</li>
<li>Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043</li>
<li>Fix auditable-serde example not building</li>
<li>upgrade dependency miniz_oxide to 0.6.0</li>
<li>fix formatting errors</li>
<li>apply clippy lints for --all-features</li>
<li>improve the internal docs and comments</li>
<li>apply clippy lints</li>
<li>add missing sources for one of test fixtures</li>
<li>add commit hashes to git sources</li>
<li>Run all tests on CI</li>
<li>cargo fmt</li>
<li>Run <code>cargo clean</code> in tests to get rid of stale binaries</li>
<li>Fix date in changelog</li>
<li>Populate changelog</li>
<li>Bump auditable-info version in rust-audit-info</li>
<li>Add auditable-info changelog</li>
<li>Bump versions following cargo-lock bump</li>
<li>auditable-serde: bump <code>cargo-lock</code> to v9</li>
<li>switch to UNRELEASED</li>
<li>Update CHANGELOG.md</li>
<li>Print a better error if calling rustc fails</li>
<li>Drop unused import</li>
<li>placate Clippy</li>
<li>Don't inject audit info if --print argument is passed to rustc</li>
<li>Reflect the version change in Cargo.lock</li>
<li>Remove space from keywords</li>
<li>bump version to 0.6.1</li>
<li>Fix date in changelog</li>
<li>Update CHANGELOG.md</li>
<li>Add publish=false</li>
<li>Commit the generated manpage</li>
<li>Add the code for generating a manpage; rather rudimentary so far, but it's a starting point</li>
<li>Explain relation to supply chain attacks</li>
<li>Add keywords to the Cargo manifest</li>
<li>Revert "generate a man page for cargo auditable"</li>
<li>fix formatting</li>
<li>fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file</li>
<li>generate a man page for cargo auditable</li>
<li>Add Clippy suppression</li>
<li>placate clippy</li>
<li>commit Cargo.lock</li>
<li>Sync to latest object file writing code from rustc</li>
<li>Fix examples in docs</li>
<li>Allow redundant field names</li>
<li>Apply clippy suggestion: match -> if let</li>
<li>Check for clippy and format in CI</li>
<li>Apply clippy suggestions</li>
<li>
<p>Run CI with --locked</p>
</li>
<li>
<p>Update to version 0.6.0~0:</p>
</li>
<li>
<p>README and documentation improvements</p>
</li>
<li>Read the rustc path passed by Cargo; fixes #90</li>
<li>Read location of Cargo from the environment variable Cargo sets for third-party subcommands</li>
<li>Add a note on sccache version compatibility to CHANGELOG.md</li>
<li>Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error</li>
<li>Specifying the binary-scanning feature is no longer needed</li>
<li>Pass options such as --offline to <code>cargo metadata</code></li>
<li>Pass on arguments from <code>cargo auditable</code> invocation to the rustc wrapper; prep work towards fixing #83</li>
<li>Bump rust-audit-info to 0.5.2</li>
<li>Bump auditable-serde version to 0.5.2</li>
<li>Correctly fill in the source even in dependency entries when converting to cargo-lock data format</li>
<li>Drop the roundtrip through str in semver::Version</li>
<li>Release auditable-info 0.6.1</li>
<li>Bump all the version requirements for things depending on auditable-info</li>
<li>Fix audit_info_from_slice function signature</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.3
<br/>
<code>zypper in -t patch SUSE-2026-514=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP4 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>cargo-auditable-0.7.2~0-150300.7.6.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
<ul>
<li>cargo-auditable-0.7.2~0-150300.7.6.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
<ul>
<li>cargo-auditable-0.7.2~0-150300.7.6.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
<ul>
<li>cargo-auditable-0.7.2~0-150300.7.6.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
<ul>
<li>cargo-auditable-0.7.2~0-150300.7.6.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150300.7.6.1</li>
</ul>
</li>
</ul>
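<p>To confirm that the fixed build from the package list above is what is actually installed, the version string has to be compared with RPM's ordering rules rather than as plain text: the tilde in <code>0.7.2~0</code> makes rpm sort it <em>below</em> <code>0.7.2</code>. The following is an added example, not SUSE tooling; it re-implements rpm's version comparison in Python (the rare <code>^</code> separator is left out) and checks an installed <code>VERSION-RELEASE</code> string, as printed by <code>rpm -q --qf '%{VERSION}-%{RELEASE}' cargo-auditable</code>, against the fixed build. The older version strings used in the test are constructed for illustration.</p>

```python
FIXED_VR = "0.7.2~0-150300.7.6.1"  # version-release of the fixed build in this advisory


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering (rpmvercmp) for '~' and alnum segments; the rarer
    '^' separator is not handled. Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A '~' sorts before everything, including the end of the other string,
        # which is why 0.7.2~0 is *older* than 0.7.2.
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Compare the next all-digit or all-alpha segment of each string.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ai, bj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[ai:i], b[bj:j]
        if not sb:  # segment types differ: numeric > alpha
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when an installed 'VERSION-RELEASE' (as printed by
    rpm -q --qf '%{VERSION}-%{RELEASE}' cargo-auditable) is >= the fixed build."""
    iv, _, ir = installed_vr.rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0
```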
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">https://www.suse.com/security/cve/CVE-2026-25727.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257906">https://bugzilla.suse.com/show_bug.cgi?id=1257906</a>
</li>
</ul>
</div>