Debian Bug report logs -
#1069677
rust-rustls: CVE-2024-32650
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jonas Smedegaard <dr@jones.dk>
:
Bug#1069677
; Package src:rust-rustls
.
(Mon, 22 Apr 2024 14:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jonas Smedegaard <dr@jones.dk>
.
(Mon, 22 Apr 2024 14:45:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: rust-rustls
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for rust-rustls.
CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client send a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.
https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
https://www.cve.org/CVERecord?id=CVE-2024-32650
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Tue, 23 Apr 2024 06:48:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Apr 23 11:54:38 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.