mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-09 13:09:27 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
19 lines
755 B
TOML
19 lines
755 B
TOML
[advisory]
|
|
id = "RUSTSEC-2017-0002"
|
|
package = "hyper"
|
|
date = "2017-01-23"
|
|
url = "https://github.com/hyperium/hyper/wiki/Security-001"
|
|
title = "headers containing newline characters can split messages"
|
|
description = """
|
|
Serializing of headers to the socket did not filter the values for newline bytes (`\\r` or `\\n`),
|
|
which allowed for header values to split a request or response. People would not likely include
|
|
newlines in the headers in their own applications, so the way for most people to exploit this
|
|
is if an application constructs headers based on unsanitized user input.
|
|
|
|
This issue was fixed by replacing all newline characters with a space during serialization of
|
|
a header value.
|
|
"""
|
|
|
|
[versions]
|
|
patched = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]
|