diff --git a/crates/rustls-webpki/RUSTSEC-0000-0000.md b/crates/rustls-webpki/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..b6bff39
--- /dev/null
+++ b/crates/rustls-webpki/RUSTSEC-0000-0000.md
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rustls-webpki"
+date = "2023-08-22"
+categories = ["denial-of-service"]
+keywords = ["certificate", "path building", "x509"]
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+related = ["CVE-2018-16875"]
+
+[versions]
+patched = [">= 0.100.2, < 0.101.0", ">= 0.101.4"]
+
+```
+
+# rustls-webpki: CPU denial of service in certificate path building
+
+When this crate is given a pathological certificate chain to validate, it will
+spend CPU time exponential with the number of candidate certificates at each
+step of path building.
+
+Both TLS clients and TLS servers that accept client certificate are affected.
+
+We now give each path building operation a budget of 100 signature verifications.
+
+The original `webpki` crate is also affected.
+
+This was previously reported in the original crate
+ and re-reported to us
+recently by Luke Malinowski.
+
diff --git a/crates/webpki/RUSTSEC-0000-0000.md b/crates/webpki/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..fb61897
--- /dev/null
+++ b/crates/webpki/RUSTSEC-0000-0000.md
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "webpki"
+date = "2023-08-22"
+categories = ["denial-of-service"]
+keywords = ["certificate", "path building", "x509"]
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+related = ["CVE-2018-16875"]
+
+[versions]
+patched = []
+```
+
+# webpki: CPU denial of service in certificate path building
+
+When this crate is given a pathological certificate chain to validate, it will
+spend CPU time exponential with the number of candidate certificates at each
+step of path building.
+
+Both TLS clients and TLS servers that accept client certificate are affected.
+
+This was previously reported in
+ and re-reported recently
+by Luke Malinowski.
+
+`rustls-webpki` is a fork of this crate which contains a fix for this issue
+and is actively maintained.