Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add hyper request smuggling vulnerability #255

Merged
merged 3 commits into from
Mar 31, 2020
Merged

Add hyper request smuggling vulnerability #255

merged 3 commits into from
Mar 31, 2020

Conversation

Demi-Marie
Copy link
Contributor

No description provided.

@Shnatsel
Copy link
Member

Thanks for the report!

Please remove all the comments in the file (anything starting with #).

Also, I'd describe the effect as privilege escalation or ACL bypass. You need some other component to be vulnerable to get code execution.

@Demi-Marie
Note that another vulnerability is needed for RCE
91eed85 
Also make some trivial changes to pass the linter.
@Shnatsel Shnatsel mentioned this pull request Mar 30, 2020
Closed
@tarcieri
Copy link
Member

Per @Shnatsel's comment on hyperium/hyper#1925 I'll leave this PR open briefly to collect any additional comments or review

@tarcieri tarcieri merged commit 66112b3 into rustsec:master Mar 31, 2020
tarcieri added a commit that referenced this pull request Mar 31, 2020
@tarcieri
Assign RUSTSEC-2020-0008 to hyper
6053e3a 
Original PR: #255
@tarcieri tarcieri mentioned this pull request Mar 31, 2020
Merged
@tarcieri
Copy link
Member

Assigned RUSTSEC-2020-0008 in #256

hawkw
hawkw reviewed Mar 31, 2020
View reviewed changes
crates/hyper/RUSTSEC-0000-0000.toml
Comment on lines +23 to +27
The flaw was corrected in hyper version 0.12.35.
"""

[versions]
patched = [">= 0.12.35"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the version listed here is incorrect; the vulnerability was fixed in 0.12.34.

@jethrogb
Copy link

jethrogb commented Apr 8, 2020

Are versions prior to 0.11 affected?

@Shnatsel
Copy link
Member

Shnatsel commented Apr 8, 2020

Versions below 0.11 are not affected. The advisory was later updated with this info: https://github.com/RustSec/advisory-db/blob/master/crates/hyper/RUSTSEC-2020-0008.toml

@jethrogb
Copy link

jethrogb commented Apr 8, 2020

Looks like https://rustsec.org/advisories/RUSTSEC-2020-0008.html hasn't been updated though.

@tarcieri
Copy link
Member

tarcieri commented Apr 8, 2020

Should be updated now. Sorry about that.

(I should really look into automating the web site generation with GitHub Actions)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hawkw hawkw hawkw left review comments

@tarcieri tarcieri tarcieri approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Demi-Marie @Shnatsel @tarcieri @jethrogb @hawkw