OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-07 20:17:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix patched version for RUSTSEC-2020-0008

Browse Source 
The vulnerability description for advisory RUSTSEC-2020-0008, "Flaw in
hyper allows request smuggling by sending a body in GET requests", lists
an incorrect patched version. The advisory states that the vulnerability
was fixed in `hyper` 0.12.35, but `hyper`'s changelog [shows][1] that 
the patch (hyperium/hyper@23fc8b0) was published in 0.12.34. I believe
that this means that `cargo audit` will incorrectly report patched 
versions as vulnerable.

This PR corrects the listed version.

[1]: https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v01234-2019-09-04
This commit is contained in:
Eliza Weisman
2020-03-31 10:41:53 -07:00
committed by GitHub
parent 35d4b225d4
commit 9889ed0831
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
crates/hyper/RUSTSEC-2020-0008.toml
View File

@@ -20,8 +20,8 @@ runtime. This allows bypassing CORS restrictions. In combination with other
vulnerabilities, such as an exploitable web server listening on loopback, it may
allow remote code execution.
The flaw was corrected in hyper version 0.12.35.
The flaw was corrected in hyper version 0.12.34.
"""
[versions]
patched = [">= 0.12.35"]
patched = [">= 0.12.34"]