[Pkg-rust-maintainers] Bug#1034723: rust-hyper: CVE-2023-26964

Peter Michael Green plugwash at debian.org
Sun Apr 23 08:57:20 BST 2023


reassign 1034723 rust-h2
thanks

> The following vulnerability was published for rust-hyper.
>
> CVE-2023-26964[0]:
> | An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking
> | occurs when the H2 component processes HTTP2 RST_STREAM frames. As a
> | result, the memory and CPU usage are high which can lead to a Denial
> | of Service (DoS).
> https://github.com/hyperium/hyper/issues/2877
> https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39  (v0.3.17)
I've just read through the github threads, it seems that although
this was initially filed against the hyper crate the actual
issue/fix was in the h2 crate. This has also been filed in the
rustsec database at https://rustsec.org/advisories/RUSTSEC-2023-0034.html
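The quoted CVE text only says that "stream stacking" on RST_STREAM drives memory and CPU up. The following is an added, constructed model of that failure mode and of the kind of bound that closes it; it is not code from h2, hyper or the Debian package, and the frame bytes are constructed inline. It assumes the mechanism described in the RUSTSEC advisory: a server keeps every stream announced by a HEADERS frame in a pending-accept queue until the application accepts it, and a stream the peer resets no longer counts as "concurrent", so SETTINGS_MAX_CONCURRENT_STREAMS never fires while HEADERS/RST_STREAM pairs keep arriving faster than the application drains the queue. The constructor argument is named after the `max_pending_accept_reset_streams` builder setting I believe h2 0.3.17 introduced (an assumption to verify against the h2 docs), and answering the overflow with GOAWAY(ENHANCE_YOUR_CALM) is this model's choice.

```python
"""Model of HTTP/2 "stream stacking" through HEADERS/RST_STREAM pairs.

Constructed illustration, not code from h2 or hyper. A server connection
keeps every stream announced by HEADERS in a pending-accept queue until
the application calls accept(). A peer that immediately resets each
stream keeps it out of the concurrent-stream count, so
SETTINGS_MAX_CONCURRENT_STREAMS never limits the queue. The bounded
variant models the mitigation: a separate cap on reset pending-accept
streams, past which the connection is closed with GOAWAY(ENHANCE_YOUR_CALM).
"""
from __future__ import annotations

from dataclasses import dataclass

HEADERS, RST_STREAM = 0x1, 0x3
FLAG_END_HEADERS = 0x4
ERR_REFUSED_STREAM, ERR_CANCEL, ERR_ENHANCE_YOUR_CALM = 0x7, 0x8, 0xB


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFF_FFFF).to_bytes(4, "big") + payload)


def parse_frames(buf: bytes) -> list[Frame]:
    """Split a byte string into frames (RFC 9113 section 4.1 layout)."""
    frames, off = [], 0
    while off < len(buf):
        if off + 9 > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFF_FFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


class ServerConnection:
    """Receive side of a server connection. Only accept() drains the queue."""

    def __init__(self, max_concurrent_streams: int = 100,
                 max_pending_accept_reset_streams: int | None = None):
        self.max_concurrent = max_concurrent_streams
        self.reset_limit = max_pending_accept_reset_streams  # None = unbounded (pre-fix)
        # stream id -> already reset by peer; one entry is the per-stream memory
        self.pending_accept: dict[int, bool] = {}
        self.num_reset_pending = 0
        self.sent: list[tuple[str, int, int]] = []  # (frame, stream id, error code) we emitted
        self.goaway: int | None = None

    def recv(self, frame: Frame) -> None:
        if self.goaway is not None:
            return  # connection is closing; ignore further input
        sid = frame.stream_id
        if frame.ftype == HEADERS and sid not in self.pending_accept:
            # Reset streams are no longer open, so the concurrency check ignores them.
            active = len(self.pending_accept) - self.num_reset_pending
            if active >= self.max_concurrent:
                self.sent.append(("RST_STREAM", sid, ERR_REFUSED_STREAM))
                return
            self.pending_accept[sid] = False
        elif frame.ftype == RST_STREAM and self.pending_accept.get(sid) is False:
            if self.reset_limit is not None and self.num_reset_pending >= self.reset_limit:
                self.goaway = ERR_ENHANCE_YOUR_CALM
                self.sent.append(("GOAWAY", 0, ERR_ENHANCE_YOUR_CALM))
                return
            self.pending_accept[sid] = True  # entry stays queued until accept()
            self.num_reset_pending += 1

    def accept(self) -> int | None:
        """Application pulls the oldest pending stream; reset ones are dropped."""
        while self.pending_accept:
            sid, was_reset = next(iter(self.pending_accept.items()))
            del self.pending_accept[sid]
            if was_reset:
                self.num_reset_pending -= 1
                continue
            return sid
        return None


def flood_bytes(pairs: int) -> bytes:
    """Constructed attacker input: HEADERS immediately followed by RST_STREAM(CANCEL)."""
    out = b""
    for i in range(pairs):
        sid = 2 * i + 1  # client-initiated streams are odd
        out += build_frame(HEADERS, FLAG_END_HEADERS, sid, b"\x82")  # HPACK indexed ":method GET"
        out += build_frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return out


def run_flood(pairs: int, reset_limit: int | None) -> tuple[int, int | None]:
    """Feed the flood to a server whose application never accepts; return (queued, goaway code)."""
    conn = ServerConnection(max_concurrent_streams=100,
                            max_pending_accept_reset_streams=reset_limit)
    for frame in parse_frames(flood_bytes(pairs)):
        conn.recv(frame)
    return len(conn.pending_accept), conn.goaway


if __name__ == "__main__":
    print("unbounded:", run_flood(10_000, None))  # (10000, None): queue grows with the flood
    print("limit 20: ", run_flood(10_000, 20))    # (21, 11): GOAWAY after 20 reset streams
```

The two runs show the point of the fix: with no bound, ten thousand pairs leave ten thousand entries queued and the concurrency limit of 100 never triggers, because each stream is reset before it counts; with a bound of 20, the twenty-first reset closes the connection and the queue stops at 21 entries regardless of how much more the peer sends.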
