From 8678a7745551221e115eb96cb73b54c2d3975302 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sat, 25 Mar 2017 14:25:08 -0700
Subject: [PATCH 1/2] Advisory: hyper HTTPS MitM due to lack of hostname verification

---
 crates/hyper/RUSTSEC-0000-0000.toml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 crates/hyper/RUSTSEC-0000-0000.toml

diff --git a/crates/hyper/RUSTSEC-0000-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..16f01b3
--- /dev/null
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+patched_versions = [">= 0.9.4"]
+references = ["RUSTSEC-2016-0001"]
+date = "2016-05-09"
+url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"
+title = "HTTPS MitM vulnerability due to lack of hostname verification"
+description = """
+When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
+perform hostname verification when making HTTPS requests.
+
+This allows an attacker to perform MitM attacks by preventing any valid
+CA-issued certificate, even if there's a hostname mismatch.
+
+The problem was addressed by leveraging rust-openssl's built-in support for
+hostname verification.
+"""

From 07219b8d17536d1594314e5b5cfb49539260af26 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Tue, 24 Jul 2018 12:33:49 -0700
Subject: [PATCH 2/2] Assign RUSTSEC-2016-0002 to hyper

Original PR: https://github.com/RustSec/advisory-db/pull/18
---
 crates/hyper/{RUSTSEC-0000-0000.toml => RUSTSEC-2016-0002.toml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename crates/hyper/{RUSTSEC-0000-0000.toml => RUSTSEC-2016-0002.toml} (96%)

diff --git a/crates/hyper/RUSTSEC-0000-0000.toml b/crates/hyper/RUSTSEC-2016-0002.toml
similarity index 96%
rename from crates/hyper/RUSTSEC-0000-0000.toml
rename to crates/hyper/RUSTSEC-2016-0002.toml
index 16f01b3..3735ea1 100644
--- a/crates/hyper/RUSTSEC-0000-0000.toml
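Review bot: The second paragraph of `description` says an attacker can MitM "by preventing any valid CA-issued certificate", which states the opposite of the actual attack: because the client skipped the hostname check, the attacker succeeds by *presenting* any valid CA-issued certificate issued for some other hostname, so the line should read `This allows an attacker to perform MitM attacks by presenting any valid`. The `title` omits the Windows-only scope that the first paragraph asserts; if that restriction is accurate, carrying it into the one-line summary (e.g. `title = "HTTPS MitM vulnerability due to lack of hostname verification on Windows"`) keeps tooling that shows only titles from overstating the affected population, and if it is not accurate the description should be corrected instead. `references = ["RUSTSEC-2016-0001"]` is presumably the rust-openssl advisory the last paragraph alludes to, but the relation is not stated anywhere; a comment such as `# rust-openssl hostname-verification advisory that this fix builds on` above that line would make the cross-reference self-explanatory.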
+++ b/crates/hyper/RUSTSEC-2016-0002.toml
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2016-0002"
 package = "hyper"
 patched_versions = [">= 0.9.4"]
 references = ["RUSTSEC-2016-0001"]