Merge pull request #221 from roy-work/roy/fix-http-affected-ranges

Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20
2026-01-20 02:21:00 +01:00 · 2020-01-09 14:56:31 -05:00
parent 289948245e 200651cff2
commit 4d051434f0
2 changed files with 6 additions and 6 deletions
--- a/crates/http/RUSTSEC-2019-0033.toml
+++ b/crates/http/RUSTSEC-2019-0033.toml
@@ -13,12 +13,12 @@ the library will invoke `self.grow(0)` and start infinite probing.
 This allows an attacker who controls the argument to `reserve()`
 to cause a potential denial of service (DoS).

-The flaw was corrected in 0.2.0 release of `http` crate.
+The flaw was corrected in 0.1.20 release of `http` crate.
 """
-patched_versions = [">= 0.2.0"]
+patched_versions = [">= 0.1.20"]
 url = "https://github.com/hyperium/http/issues/352"
 categories = ["denial-of-service"]
 keywords = ["http", "integer-overflow", "DoS"]

 [affected.functions]
-"http::header::HeaderMap::reserve" = ["< 0.2.0"]
+"http::header::HeaderMap::reserve" = ["< 0.1.20"]
--- a/crates/http/RUSTSEC-2019-0034.toml
+++ b/crates/http/RUSTSEC-2019-0034.toml
@@ -10,11 +10,11 @@ which introduced unsoundness in its public safe API.
 [Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354),
 and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355).

-The flaw was corrected in 0.2.0 release of `http` crate.
+The flaw was corrected in 0.1.20 release of `http` crate.
 """
-patched_versions = [">= 0.2.0"]
+patched_versions = [">= 0.1.20"]
 categories = ["memory-corruption"]
 keywords = ["memory-safety", "double-free", "unsound"]

 [affected.functions]
-"http::header::HeaderMap::drain" = ["< 0.2.0"]
+"http::header::HeaderMap::drain" = ["< 0.1.20"]