OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-06 19:49:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18 from RustSec/hyper-hostname-verification

Browse Source 
Advisory: hyper HTTPS MitM due to lack of hostname verification
This commit is contained in:
Tony Arcieri
2018-07-24 12:39:00 -07:00
committed by GitHub
parent 68c1d72384 07219b8d17
commit c791a95146
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
crates/hyper/RUSTSEC-2016-0002.toml Normal file
View File

@@ -0,0 +1,18 @@
[advisory]
id = "RUSTSEC-2016-0002"
package = "hyper"
patched_versions = [">= 0.9.4"]
references = ["RUSTSEC-2016-0001"]
date = "2016-05-09"
url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"
title = "HTTPS MitM vulnerability due to lack of hostname verification"
description = """
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
perform hostname verification when making HTTPS requests.
This allows an attacker to perform MitM attacks by preventing any valid
CA-issued certificate, even if there's a hostname mismatch.
The problem was addressed by leveraging rust-openssl's built-in support for
hostname verification.
"""