Add advisory for buffered-reader

[nwalfield]

Attacker-controlled input can lead to an out-of-bounds index, which causes buffered-reader to panic. This has been fixed in versions 1.2.0, 1.1.5, and 1.0.2 of buffered-reader.

[nwalfield]

CI is failing with:

12 | [versions]
   | ^^^^^^^^^^
bad parameter: Overlapping version ranges: [1.0.2, 2.0.0-0) and [1.1.5, 2.0.0-0)

I have:

[versions]
patched = [">= 1.2.0"]

# The fixes were backported to these versions (1.0.1 is in Debian
# Stable and 1.1.4 is in Debian Testing).
unaffected = ["1.0.2", "1.1.5"]

I guess that is wrong. I'd appreciate help for articulating that all versions are affected except 1.2.0, 1.1.5 and 1.0.2, which I just released and include the required fixes.

[amousset]

Thanks for reporting these! This should be the correct way to indicate these version ranges.

[nwalfield]

Thanks for the help. I indeed misunderstood the meaning of unaffected. I think your suggestions are reasonable. If no one else gets to it by Tuesday, then I'll do it then, I'll submit an updated patch.