OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-28 23:36:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14 from RustSec/RUSTSEC-2017-0002

Browse Source 
Assign RUSTSEC-2017-0002 to hyper
This commit is contained in:
Tony Arcieri
2017-02-28 09:08:22 -08:00
committed by GitHub
parent 57d1036a95 e867ef7194
commit fb69bfb65b
2 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Advisories.toml
View File

@@ -14,3 +14,21 @@ secret will always be zero regardless of the private key used.
This issue was fixed by checking for this class of keys and rejecting them
if they are used.
"""
[[advisory]]
id = "RUSTSEC-2017-0002"
package = "hyper"
patched_versions = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]
dwf = []
date = "2017-01-23"
url = "https://github.com/hyperium/hyper/wiki/Security-001"
title = "headers containing newline characters can split messages"
description = """
Serializing of headers to the socket did not filter the values for newline bytes (\r or \n),
which allowed for header values to split a request or response. People would not likely include
newlines in the headers in their own applications, so the way for most people to exploit this
is if an application constructs headers based on unsanitized user input.
This issue was fixed by replacing all newline characters with a space during serialization of
a header value.
"""

1
crates/hyper/RUSTSEC-0000-0000.toml → crates/hyper/RUSTSEC-2017-0002.toml
View File

@@ -2,6 +2,7 @@
package = "hyper"
patched_versions = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]
dwf = []
date = "2017-01-23"
url = "https://github.com/hyperium/hyper/wiki/Security-001"
title = "headers containing newline characters can split messages"
description = """