advisory-db/Advisories.toml

[[advisory]]
id = "RUSTSEC-2017-0001"
package = "sodiumoxide"
patched_versions = [">= 0.0.14"]
dwf = []
date = "2017-01-26"
url = "https://github.com/dnaq/sodiumoxide/issues/154"
title = "scalarmult() vulnerable to degenerate public keys"
description = """
The `scalarmult()` function included in previous versions of this crate
accepted all-zero public keys, for which the resulting Diffie-Hellman shared
secret will always be zero regardless of the private key used.

This issue was fixed by checking for this class of keys and rejecting them
if they are used.
"""

[[advisory]]
id = "RUSTSEC-2017-0002"
package = "hyper"
patched_versions = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]
dwf = []
date = "2017-01-23"
url = "https://github.com/hyperium/hyper/wiki/Security-001"
title = "headers containing newline characters can split messages"
description = """
Serializing of headers to the socket did not filter the values for newline bytes (\r or \n),
which allowed for header values to split a request or response. People would not likely include
newlines in the headers in their own applications, so the way for most people to exploit this
is if an application constructs headers based on unsanitized user input.

This issue was fixed by replacing all newline characters with a space during serialization of
a header value.
"""

[[advisory]]
id = "RUSTSEC-2017-0003"
package = "security-framework"
patched_versions = [">= 0.1.12"]
dwf = []
date = "2017-03-15"
url = "https://github.com/sfackler/rust-security-framework/pull/27"
title = "Hostname verification skipped when custom root certs used"
description = """
If custom root certificates were registered with a `ClientBuilder`, the
hostname of the target server would not be validated against its presented leaf
certificate.

This issue was fixed by properly configuring the trust evaluation logic to
perform that check.
"""