From c55cf597e8cebf64ee8d37721dea3c8708b0c96e Mon Sep 17 00:00:00 2001
From: Sean McArthur
Date: Fri, 5 Feb 2021 14:57:30 -0800
Subject: [PATCH] Add hyper wrong transfer-encoding advisory
---
 crates/hyper/RUSTSEC-0000-0000.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 crates/hyper/RUSTSEC-0000-0000.md
diff --git a/crates/hyper/RUSTSEC-0000-0000.md b/crates/hyper/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..1289ff6
--- /dev/null
+++ b/crates/hyper/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+date = "2021-02-05"
+url = "https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf"
+categories = ["format-injection"]
+keywords = ["http", "request-smuggling"]
+aliases = ["CVE-2021-21299"]
+
+[versions]
+patched = [">= 0.14.3", "0.13.10"]
+unaffected = ["< 0.12.0"]
+```
+
+# Multiple Transfer-Encoding headers misinterprets request payload
+
+hyper's HTTP server code had a flaw that incorrectly understands some requests
+with multiple transfer-encoding headers to have a chunked payload, when it
+should have been rejected as illegal. This combined with an upstream HTTP proxy
+that understands the request payload boundary differently can result in
+"request smuggling" or "desync attacks".
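Review bot: The `patched` entry `"0.13.10"` in the `[versions]` table reads as a single exact version, but RustSec version fields are semver requirements and a bare version is the caret form `^0.13.10` (>= 0.13.10, < 0.14.0), so the effective range is wider than it looks; writing `patched = [">= 0.14.3", "^0.13.10"]` states the intended 0.13.x range explicitly and matches the comparison-operator style of the `>= 0.14.3` entry beside it. The description says such requests "should have been rejected as illegal" but does not say whether the patched versions now reject them (400 and close) or pick one framing; a reader deciding between upgrading and normalising Transfer-Encoding at the proxy needs that, so one sentence such as "Patched versions reject requests with multiple or conflicting Transfer-Encoding headers instead of guessing the payload boundary" would help, if that is indeed what the fix does.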