From ffb475d4668b399b61455b6b11b280ba50a6b3f1 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Wed, 15 Mar 2017 11:47:14 -0700
Subject: [PATCH] Advisory: security-framework hostname verification bypass
---
 crates/security-framework/RUSTSEC-0000-0000.toml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 crates/security-framework/RUSTSEC-0000-0000.toml
diff --git a/crates/security-framework/RUSTSEC-0000-0000.toml b/crates/security-framework/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..e146a6a
--- /dev/null
+++ b/crates/security-framework/RUSTSEC-0000-0000.toml
@@ -0,0 +1,14 @@
+[advisory]
+package = "security-framework"
+patched_versions = [">= 0.1.12"]
+dwf = []
+url = "https://github.com/sfackler/rust-security-framework/pull/27"
+title = "Hostname verification skipped when custom root certs used"
+description = """
+If custom root certificates were registered with a `ClientBuilder`, the
+hostname of the target server would not be validated against its presented leaf
+certificate.
+
+This issue was fixed by properly configuring the trust evaluation logic to
+perform that check.
+"""
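Review bot: The `[advisory]` table records `patched_versions = [">= 0.1.12"]` but no lower bound, so every release before 0.1.12 is reported as vulnerable; if the custom-root-certificate path on `ClientBuilder` only exists from some later 0.1.x release, the range should be bounded (for example with an `unaffected_versions` entry, if the advisory schema at this revision supports one) so tooling does not flag releases that never had the affected code. The advisory also carries no date, so consumers cannot tell when the fix landed; if the schema allows it, add `date = "<YYYY-MM-DD of the fix>"` next to `url`. The `RUSTSEC-0000-0000` id in the file name reads as a placeholder and needs the real identifier assigned before this merges.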