Merge pull request #17 from RustSec/RUSTSEC-2017-0003

Assign RUSTSEC-2017-0003 to security-framework
2025-12-28 15:28:09 +01:00 · 2017-03-15 22:37:09 -07:00
parent 7148181bb8 e6b5f1a74f
commit 7e9846989a
2 changed files with 18 additions and 0 deletions
--- a/Advisories.toml
+++ b/Advisories.toml
@@ -32,3 +32,20 @@ is if an application constructs headers based on unsanitized user input.
 This issue was fixed by replacing all newline characters with a space during serialization of
 a header value.
 """
+
+[[advisory]]
+id = "RUSTSEC-2017-0003"
+package = "security-framework"
+patched_versions = [">= 0.1.12"]
+dwf = []
+date = "2017-03-15"
+url = "https://github.com/sfackler/rust-security-framework/pull/27"
+title = "Hostname verification skipped when custom root certs used"
+description = """
+If custom root certificates were registered with a `ClientBuilder`, the
+hostname of the target server would not be validated against its presented leaf
+certificate.
+
+This issue was fixed by properly configuring the trust evaluation logic to
+perform that check.
+"""
--- a/crates/security-framework/RUSTSEC-2017-0003.toml
+++ b/crates/security-framework/RUSTSEC-2017-0003.toml
@@ -2,6 +2,7 @@
 package = "security-framework"
 patched_versions = [">= 0.1.12"]
 dwf = []
+date = "2017-03-15"
 url = "https://github.com/sfackler/rust-security-framework/pull/27"
 title = "Hostname verification skipped when custom root certs used"
 description = """