Add advisory for time

Author: jhpratt

crates/time/RUSTSEC-0000-0000.md

@@ -0,0 +1,42 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "time"
+date = "2026-02-05"
+url = "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
+categories = ["denial-of-service"]
+cvss = "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+keywords = ["stack", "exhaustion"]
+aliases = ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"]
+
+[affected.functions]
+# for all methods: only when `time::format_description::well_known::Rfc2822` is used as the format
+"time::parsing::Parsed::parse_item" = [">= 0.3.6, < 0.3.47"]
+"time::Date::parse" = [">= 0.3.6, < 0.3.47"]
+"time::Time::parse" = [">= 0.3.6, < 0.3.47"]
+"time::UtcOffset::parse" = [">= 0.3.6, < 0.3.47"]
+"time::PrimitiveDateTime::parse" = [">= 0.3.6, < 0.3.47"]
+"time::OffsetDateTime::parse" = [">= 0.3.6, < 0.3.47"]
+"time::UtcDateTime::parse" = [">= 0.3.38, < 0.3.47"] # type not present until 0.3.38
+
+[versions]
+patched = [">= 0.3.47"]
+unaffected = ["< 0.3.6"]
+```
+
+# Impact
+
+When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
+service attack via stack exhaustion is possible. The attack relies on formally deprecated and
+rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
+non-malicious input will never encounter this scenario.
+
+# Patches
+
+A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
+rather than exhausting the stack.
+
+# Workarounds
+
+Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
+the stack consumed would be at most a factor of the length of the input.