<div class="container">
<h1>Security update for cargo-auditable</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:0506-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-02-13T14:32:18Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257906">bsc#1257906</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">CVE-2026-25727</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for cargo-auditable fixes the following issues:</p>
<p>Update to version 0.7.2~0.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257906).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>
<p>Update to version 0.7.2~0:</p>
</li>
<li>
<p>mention cargo-dist in README</p>
</li>
<li>commit Cargo.lock</li>
<li>bump which dev-dependency to 8.0.0</li>
<li>bump object to 0.37</li>
<li>Upgrade cargo_metadata to 0.23</li>
<li>
<p>Expand the set of dist platforms in config</p>
</li>
<li>
<p>Update to version 0.7.1~0:</p>
</li>
<li>
<p>Opt out of unhelpful clippy lint</p>
</li>
<li>Satisfy clippy</li>
<li>Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't</li>
<li>Run apt-get update before trying to install packages</li>
<li>run <code>cargo dist init</code> on dist 0.30</li>
<li>Drop allow-dirty from dist config, should no longer be needed</li>
<li>Reorder paragraphs in README</li>
<li>Note the maintenance transition for the go extraction library</li>
<li>Editing pass on the adopters: scanners</li>
<li>clarify Docker support</li>
<li>Cargo clippy fix</li>
<li>Add Wolfi OS and Chainguard to adopters</li>
<li>Update mentions around Anchore tooling</li>
<li>README and documentation updates for nightly</li>
<li>Bump dependency version in rust-audit-info</li>
<li>More work on docs</li>
<li>Nicer formatting on format revision documentation</li>
<li>Bump versions</li>
<li>regenerate JSON schema</li>
<li>cargo fmt</li>
<li>Document format field</li>
<li>Make it more clear that RawVersionInfo is private</li>
<li>Add format field to the serialized data</li>
<li>cargo clippy fix</li>
<li>Add special handling for proc macros to treat them as the build dependencies they are</li>
<li>Add a test to ensure proc macros are reported as build dependencies</li>
<li>Add a test fixture for a crate with a proc macro dependency</li>
<li>parse fully qualified package ID specs from SBOMs</li>
<li>select first discovered SBOM file</li>
<li>cargo sbom integration</li>
<li>Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out</li>
<li>Don't fail plan workflow due to manually changed release.yml</li>
<li>Bump Ubuntu version to hopefully fix release.yml workflow</li>
<li>Add test for stripped binary</li>
<li>Bump version to 0.6.7</li>
<li>Populate changelog</li>
<li>README.md: add auditable2cdx, more consistency in text</li>
<li>Placate clippy</li>
<li>Do not emit -Wl if a bare linker is in use</li>
<li>Get rid of a compiler warning</li>
<li>Add bare linker detection function</li>
<li>drop boilerplate from test that's no longer relevant</li>
<li>Add support for recovering rustc codegen options</li>
<li>More lenient parsing of rustc arguments</li>
<li>More descriptive error message in case rustc is killed abruptly</li>
<li>change formatting to fit rustfmt</li>
<li>More descriptive error message in case cargo is killed</li>
<li>Update REPLACING_CARGO.md to fix #195</li>
<li>Clarify osv-scanner support in README</li>
<li>Include the command required to view metadata</li>
<li>Mention wasm-tools support</li>
<li>Switch from broken generic cache action to a Rust-specific one</li>
<li>Fill in various fields in auditable2cdx Cargo.toml</li>
<li>Include osv-scanner in the list, with a caveat</li>
<li>Add link to blint repo to README</li>
<li>Mention that blint supports our data</li>
<li>Consolidate target definitions</li>
<li>Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that</li>
<li>Migrate to a maintained toolchain action</li>
<li>Fix author specification</li>
<li>Add link to repository to resolverver Cargo.toml</li>
<li>Bump resolverver to 0.1.0</li>
<li>
<p>Add resolverver crate to the tree</p>
</li>
<li>
<p>Update to version 0.6.6~0:</p>
</li>
<li>
<p>Note the <code>object</code> upgrade in the changelog</p>
</li>
<li>Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx</li>
<li>Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint</li>
<li>Update dependencies in the lock file</li>
<li>Populate changelog</li>
<li>apply clippy lint</li>
<li>add another --emit parsing test</li>
<li>shorter code with cargo fmt</li>
<li>Actually fix cargo-c compatibility</li>
<li>Attempt to fix cargo-capi incompatibility</li>
<li>Refactoring in preparation for fixes</li>
<li>Also read the --emit flag to rustc</li>
<li>Fill in changelogs</li>
<li>Bump versions</li>
<li>Drop cfg'd out tests</li>
<li>Drop obsolete doc line</li>
<li>Move dependency cycle tests from auditable-serde to cargo-auditable crate</li>
<li>Remove cargo_metadata from auditable-serde API surface.</li>
<li>Apply clippy lint</li>
<li>Upgrade miniz_oxide to 0.8.0</li>
<li>Insulate our semver from miniz_oxide semver</li>
<li>Add support for Rust 2024 edition</li>
<li>Update tests</li>
<li>More robust OS detection for riscv feature detection</li>
<li>bump version</li>
<li>update changelog for auditable-extract 0.3.5</li>
<li>Fix wasm component auditable data extraction</li>
<li>Update blocker description in README.md</li>
<li>Add openSUSE to adopters</li>
<li>Update list of known adopters</li>
<li>Fix detection of <code>riscv64-linux-android</code> target features</li>
<li>Silence noisy lint</li>
<li>Bump version requirement in rust-audit-info</li>
<li>Fill in changelogs</li>
<li>Bump semver of auditable-info</li>
<li>Drop obsolete comment now that wasm is enabled by default</li>
<li>Remove dependency on cargo-lock</li>
<li>Brag about adoption in the README</li>
<li>Don't use LTO for cargo-dist builds to make them consistent with <code>cargo install</code> etc</li>
<li>Also build musl binaries</li>
<li>dist: update dist config for future releases</li>
<li>dist(cargo-auditable): ignore auditable2cdx for now</li>
<li>chore: add cargo-dist</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use one of the SUSE recommended
installation methods, such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Development Tools Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-506=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cargo-auditable-0.7.2~0-150700.3.5.1</li>
<li>cargo-auditable-debuginfo-0.7.2~0-150700.3.5.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">https://www.suse.com/security/cve/CVE-2026-25727.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257906">https://bugzilla.suse.com/show_bug.cgi?id=1257906</a>
</li>
</ul>
</div>