add hyper uninitialized memory advisory

[RalfJung]

Adds an advisory for the fix in hyperium/hyper#2545.

[Shnatsel]

Uninit memory turned into references may lead to dangling pointers in practice. I'd bump it from informational = unsound to an advisory.

Also I'd like to get sign-off from @seanmonstar so that they don't get a security advisory out of the blue

[RalfJung]

I am pretty sure the crate never dereferences that uninit pointer. It was unused. But it had a type which indicated it should be non-null. (In theory the compiler might have introduced spurious loads from that pointer, but we have no evidence of that actually happening.)

[Shnatsel]

Alright. Since it's an old issue and is only informational = unsound, i.e. a warning, I'll go ahead and merge it without maintainer sign-off.

[Shnatsel]

Thanks a lot for reporting!

[seanmonstar]

I wouldn't call it a vulnerability myself. The compiler could have done a thing, but it never did. I don't see any reason to warn people, warnings can fatigue.

[RalfJung]

The compiler could have done a thing, but it never did.

That's exactly what the "unsound" category is for, I think. It's informational, not a vulnerability.
Quite a few crates came up still depending on old hyper in the crater run rust-lang/rust#87041 so I feel nudging the ecosystem a bit more might be a good idea...