protobuf 2.6.0 and 1.7.5 released with fix to RUSTSEC-2019-0003

[oherrala]

Upstream issue: stepancheg/rust-protobuf#411

[stepancheg]

I don't know what's the syntax of the file, but I suspect that definition

patched_versions = [">= 1.7.5, >= 2.6.0"] 

matches version 2.5.0 where this issue is not fixed.

From this example I think it should be

patched_versions = ["^1.7.5", ">= 2.6.0"] 

[oherrala]

@stepancheg Seems to work with the current boundaries:

$ cargo update -p protoc-rust --precise 2.5.0
    Updating crates.io index
    Updating protobuf v2.6.0 -> v2.5.0
    Updating protobuf-codegen v2.6.0 -> v2.5.0
    Updating protoc v2.6.0 -> v2.5.0
    Updating protoc-rust v2.6.0 -> v2.5.0
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 24 security advisories (from /Users/oherrala/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (322 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2019-0003
Crate:   protobuf
Version: 2.5.0
Date:    2019-06-08
URL:     https://github.com/stepancheg/rust-protobuf/issues/411
Title:   Out of Memory in stream::read_raw_bytes_into()
Solution: upgrade to: >= 1.7.5, >= 2.6.0

error: 1 vulnerability found!

$ cargo update 
    Updating crates.io index
    Updating protobuf v2.5.0 -> v2.6.0
    Updating protobuf-codegen v2.5.0 -> v2.6.0
    Updating protoc v2.5.0 -> v2.6.0
    Updating protoc-rust v2.5.0 -> v2.6.0
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 24 security advisories (from /Users/oherrala/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (322 crate dependencies)
     Success No vulnerable packages found