From 8678a7745551221e115eb96cb73b54c2d3975302 Mon Sep 17 00:00:00 2001
From: Tony Arcieri <bascule@gmail.com>
Date: Sat, 25 Mar 2017 14:25:08 -0700
Subject: [PATCH] Advisory: hyper HTTPS MitM due to lack of hostname
 verification

---
 crates/hyper/RUSTSEC-0000-0000.toml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 crates/hyper/RUSTSEC-0000-0000.toml

diff --git a/crates/hyper/RUSTSEC-0000-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..16f01b3
--- /dev/null
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+patched_versions = [">= 0.9.4"]
+references = ["RUSTSEC-2016-0001"]
+date = "2016-05-09"
+url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"
+title = "HTTPS MitM vulnerability due to lack of hostname verification"
+description = """
+When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
+perform hostname verification when making HTTPS requests.
+
+This allows an attacker to perform MitM attacks by preventing any valid
+CA-issued certificate, even if there's a hostname mismatch.
+
+The problem was addressed by leveraging rust-openssl's built-in support for
+hostname verification.
+"""