Assigned RUSTSEC-2021-0079 to hyper (#973)
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
1 parent 3a5de9c, commit 82ce1aa
Showing 2 changed files with 22 additions and 22 deletions.
@@ -1,3 +1,3 @@ | ||
This file causes merge conflicts if two ID assignment jobs run concurrently. | ||
This prevents duplicate ID assignment due to a race between those jobs. | ||
8774b8ca3f52e5e81096af4b1102d97953873237a02fcda2b894a4980646b5db - | ||
cff9f66e36ad0e534c0ec14edae51f51b0d9437fee65d73d2e6c1fb360dbe013 - |
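Review bot: the merge-conflict guard described by the two comment lines only works because both concurrent ID-assignment jobs rewrite the same line 3, which this hunk does (the old hash is replaced in place rather than a new line being appended), so the mechanism is preserved and no further change is needed here.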
42 changes: 21 additions & 21 deletions
crates/hyper/RUSTSEC-0000-0000.md → crates/hyper/RUSTSEC-2021-0079.md
@@ -1,21 +1,21 @@ | ||
```toml | ||
[advisory] | ||
id = "RUSTSEC-0000-0000" | ||
package = "hyper" | ||
date = "2021-07-07" | ||
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9" | ||
keywords = ["http", "parsing", "data loss"] | ||
aliases = ["CVE-2021-32714", "GHSA-5h46-h7hh-c6x9"] | ||
|
||
[versions] | ||
patched = [">= 0.14.10"] | ||
``` | ||
|
||
# Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss | ||
|
||
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation, | ||
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack. | ||
|
||
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send | ||
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible, | ||
any upstream proxies must accept a chunk size greater than 64 bits. | ||
```toml | ||
[advisory] | ||
id = "RUSTSEC-2021-0079" | ||
package = "hyper" | ||
date = "2021-07-07" | ||
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9" | ||
keywords = ["http", "parsing", "data loss"] | ||
aliases = ["CVE-2021-32714", "GHSA-5h46-h7hh-c6x9"] | ||
|
||
[versions] | ||
patched = [">= 0.14.10"] | ||
``` | ||
|
||
# Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss | ||
|
||
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation, | ||
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack. | ||
|
||
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send | ||
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible, | ||
any upstream proxies must accept a chunk size greater than 64 bits. |
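Review bot: two wording issues in the carried-over advisory body are worth fixing while this file is being touched: "For a possible request smuggling attack to be possible" doubles "possible", and "accept a chunk size greater than 64 bits" reads as a bit width where the meaning, matching the "18 exabytes" figure above it, is a chunk size that does not fit in a 64-bit integer; suggest "For a request smuggling attack to be possible, any upstream proxies must accept a chunk size that does not fit in 64 bits." The `id` change from RUSTSEC-0000-0000 to RUSTSEC-2021-0079 matches the file rename, and `url`, `aliases`, `date` and `patched` are untouched, so the assignment itself is consistent.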