mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-10 13:41:11 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
26 lines
777 B
TOML
26 lines
777 B
TOML
[advisory]
|
|
id = "RUSTSEC-2016-0002"
|
|
package = "hyper"
|
|
date = "2016-05-09"
|
|
url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"
|
|
title = "HTTPS MitM vulnerability due to lack of hostname verification"
|
|
categories = ["crypto-failure"]
|
|
keywords = ["ssl", "mitm"]
|
|
references = ["RUSTSEC-2016-0001"]
|
|
description = """
|
|
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
|
|
perform hostname verification when making HTTPS requests.
|
|
|
|
This allows an attacker to perform MitM attacks by preventing any valid
|
|
CA-issued certificate, even if there's a hostname mismatch.
|
|
|
|
The problem was addressed by leveraging rust-openssl's built-in support for
|
|
hostname verification.
|
|
"""
|
|
|
|
[affected]
|
|
os = ["windows"]
|
|
|
|
[versions]
|
|
patched = [">= 0.9.4"]
|