OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-06 19:49:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Advisory: hyper HTTPS MitM due to lack of hostname verification

Browse Source
This commit is contained in:
Tony Arcieri
2017-03-25 14:25:08 -07:00
parent 68c1d72384
commit 8678a77455
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
crates/hyper/RUSTSEC-0000-0000.toml Normal file
View File

@@ -0,0 +1,18 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "hyper"
patched_versions = [">= 0.9.4"]
references = ["RUSTSEC-2016-0001"]
date = "2016-05-09"
url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"
title = "HTTPS MitM vulnerability due to lack of hostname verification"
description = """
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
perform hostname verification when making HTTPS requests.
This allows an attacker to perform MitM attacks by preventing any valid
CA-issued certificate, even if there's a hostname mismatch.
The problem was addressed by leveraging rust-openssl's built-in support for
hostname verification.
"""