OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-28 15:28:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Advisory: openssl <0.9.0 may be vulnerable to MitM due to weak defaults

Browse Source
This commit is contained in:
Tony Arcieri
2017-03-25 14:32:37 -07:00
parent 607d038c42
commit 72a4178ca1
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/openssl/RUSTSEC-0000-0000.toml Normal file
View File

@@ -0,0 +1,20 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "openssl"
patched_versions = [">= 0.9.0"]
date = "2016-11-05"
url = "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
title = "SSL/TLS MitM vulnerability due to insecure defaults"
description = """
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults
including off-by-default certificate verification and no API to perform hostname
verification.
Unless configured correctly by a developer, these defaults could allow an attacker
to perform man-in-the-middle attacks.
The problem was addressed in newer versions by enabling certificate verification
by default and exposing APIs to perform hostname verification. Use the
`SslConnector` and `SslAcceptor` types to take advantage of these new features
(as opposed to the lower-level `SslContext` type).
"""