Add advisory for time

jhpratt · jhpratt · commit 736138191688 · 2026-02-05T02:29:36.000-05:00
diff --git a/crates/time/RUSTSEC-0000-0000.md b/crates/time/RUSTSEC-0000-0000.md
@@ -0,0 +1,23 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "time"
+date = "2026-02-05"
+url = "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
+categories = ["denial-of-service"]
+cvss = "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+keywords = ["stack", "exhaustion"]
+aliases = ["GHSA-r6v5-fh4h-64xc"] # CVE pending
+
+[affected.functions]
+# for all methods: only when `time::format_description::well_known::Rfc2822` is used as the format
+"time::parsing::Parsed::parse_item" = [">= 0.3.6", < 0.3.47"]
+"time::Date::parse" = [">= 0.3.6", < 0.3.47"]
+"time::Time::parse" = [">= 0.3.6", < 0.3.47"]
+"time::UtcOffset::parse" = [">= 0.3.6", < 0.3.47"]
+"time::PrimitiveDateTime::parse" = [">= 0.3.6", < 0.3.47"]
+"time::OffsetDateTime::parse" = [">= 0.3.6", < 0.3.47"]
+"time::UtcDateTime::parse" = [">= 0.3.38", < 0.3.47"] # type not present until 0.3.38
+
+[versions]
+patched = [">= 0.3.47"]
+unaffected = ["< 0.3.6"]
