OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-20 18:41:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19 from RustSec/rust-openssl-hostname-verification

Browse Source 
Advisory: rust-openssl hostname verification
This commit is contained in:
Tony Arcieri
2018-07-24 11:05:31 -07:00
committed by GitHub
parent 607d038c42 09e3a9eb76
commit 68c1d72384
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/openssl/RUSTSEC-2016-0001.toml Normal file
View File

@@ -0,0 +1,20 @@
[advisory]
id = "RUSTSEC-2016-0001"
package = "openssl"
patched_versions = [">= 0.9.0"]
date = "2016-11-05"
url = "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
title = "SSL/TLS MitM vulnerability due to insecure defaults"
description = """
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults
including off-by-default certificate verification and no API to perform hostname
verification.
Unless configured correctly by a developer, these defaults could allow an attacker
to perform man-in-the-middle attacks.
The problem was addressed in newer versions by enabling certificate verification
by default and exposing APIs to perform hostname verification. Use the
`SslConnector` and `SslAcceptor` types to take advantage of these new features
(as opposed to the lower-level `SslContext` type).
"""