Project

General

Profile

Actions

Bug #18903

closed

Vulnerabilities in relayd hyper dependency

Added by Alexis Mousset almost 4 years ago. Updated over 3 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description


07:42:33 error[A001]: Multiple Transfer-Encoding headers misinterprets request payload
07:42:33    ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:76:1
07:42:33    │
07:42:33 76 │ hyper 0.12.35 registry+https://github.com/rust-lang/crates.io-index
07:42:33    │ ------------------------------------------------------------------- security vulnerability detected
07:42:33    │
07:42:33    = ID: RUSTSEC-2021-0020
07:42:33    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0020
07:42:33    = hyper's HTTP server code had a flaw that incorrectly understands some requests
07:42:33      with multiple transfer-encoding headers to have a chunked payload, when it
07:42:33      should have been rejected as illegal. This combined with an upstream HTTP proxy
07:42:33      that understands the request payload boundary differently can result in
07:42:33      "request smuggling" or "desync attacks".
07:42:33    = Announcement: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
07:42:33    = Solution: Upgrade to >=0.14.3 OR >=0.13.10, <0.14.0
07:42:33    = hyper v0.12.35
07:42:33      ├── hyper-tls v0.3.2
07:42:33      │   └── reqwest v0.9.24
07:42:33      │       └── relayd v0.0.0-dev
07:42:33      ├── relayd v0.0.0-dev (*)
07:42:33      ├── reqwest v0.9.24 (*)
07:42:33      └── warp v0.1.22
07:42:33          └── relayd v0.0.0-dev (*)
Actions #1

Updated by Alexis Mousset almost 4 years ago

  • Subject changed from Vulnerabilities in relayd dependencies to Vulnerabilities in relayd hyper dependency
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset almost 4 years ago

Advisory: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf

We are on branch 0.12 which did not have a patched version for this (only 0.13 and 0.14).

Actions #3

Updated by Alexis Mousset almost 4 years ago

  • Status changed from New to In progress
Actions #4

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 6.1.10 to 6.1.11
Actions #5

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 6.1.11 to 6.1.12
Actions #6

Updated by Alexis Mousset over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/3559
Actions #7

Updated by Alexis Mousset over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #8

Updated by Vincent MEMBRÉ over 3 years ago

  • Fix check changed from To do to Checked
Actions #9

Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.1.12 and 6.2.5 which were released today.

Actions

Also available in: Atom PDF