Bug #18903: Vulnerabilities in relayd hyper dependency
Status: closed
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:
Description
error[A001]: Multiple Transfer-Encoding headers misinterprets request payload
   ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:76:1
   │
76 │ hyper 0.12.35 registry+https://github.com/rust-lang/crates.io-index
   │ ------------------------------------------------------------------- security vulnerability detected
   │
   = ID: RUSTSEC-2021-0020
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0020
   = hyper's HTTP server code had a flaw that incorrectly understands some requests
     with multiple transfer-encoding headers to have a chunked payload, when it
     should have been rejected as illegal. This combined with an upstream HTTP proxy
     that understands the request payload boundary differently can result in
     "request smuggling" or "desync attacks".
   = Announcement: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
   = Solution: Upgrade to >=0.14.3 OR >=0.13.10, <0.14.0
   = hyper v0.12.35
     ├── hyper-tls v0.3.2
     │   └── reqwest v0.9.24
     │       └── relayd v0.0.0-dev
     ├── relayd v0.0.0-dev (*)
     ├── reqwest v0.9.24 (*)
     └── warp v0.1.22
         └── relayd v0.0.0-dev (*)
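The advisory above describes the flaw only in prose. The following is an added example, not hyper's or relayd's code, showing on a constructed request why a lenient reading of duplicated Transfer-Encoding headers is dangerous: one parser that treats "any Transfer-Encoding: chunked" as chunked sees two requests in the same bytes, a parser that frames by Content-Length sees one, and a strict parser (RFC 7230 section 3.3.3: at most one Transfer-Encoding header, ending in chunked, never together with Content-Length) rejects the message instead. The Content-Length-only behaviour of the hypothetical upstream proxy and the request bytes themselves are assumptions made for the demonstration.

```rust
// Added example (not hyper's or relayd's code): how two framing rules disagree on
// where a request body ends when Transfer-Encoding is duplicated, and the strict
// check that rejects such a request outright.

#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    ContentLength(usize),
}

/// Constructed request: the duplicated Transfer-Encoding makes a lenient parser
/// pick chunked (body = the terminating "0\r\n\r\n" chunk, 5 bytes), while
/// Content-Length: 31 covers the whole remainder including the second request.
pub const SMUGGLE: &str = "POST / HTTP/1.1\r\nHost: relay.example\r\n\
Transfer-Encoding: identity\r\nTransfer-Encoding: chunked\r\nContent-Length: 31\r\n\r\n\
0\r\n\r\nGET /smuggled HTTP/1.1\r\n\r\n";

/// Split a message at the first blank line: (request line, lowercased headers, remainder).
fn split_head(raw: &str) -> Option<(&str, Vec<(String, String)>, &str)> {
    let (head, rest) = raw.split_once("\r\n\r\n")?;
    let mut lines = head.split("\r\n");
    let request_line = lines.next()?;
    let headers = lines
        .filter_map(|l| l.split_once(':'))
        .map(|(n, v)| (n.trim().to_ascii_lowercase(), v.trim().to_string()))
        .collect();
    Some((request_line, headers, rest))
}

/// Frame by Content-Length only (assumed behaviour of a proxy that ignores a
/// Transfer-Encoding it cannot make sense of). No body headers means an empty body.
pub fn content_length(headers: &[(String, String)]) -> Option<Framing> {
    let cl = headers.iter().find(|(n, _)| n == "content-length");
    match cl {
        Some((_, v)) => v.parse::<usize>().ok().map(Framing::ContentLength),
        None => Some(Framing::ContentLength(0)),
    }
}

/// Lenient: any Transfer-Encoding header mentioning "chunked" wins, the kind of
/// reading RUSTSEC-2021-0020 describes. Falls back to Content-Length otherwise.
pub fn lenient_framing(headers: &[(String, String)]) -> Option<Framing> {
    let chunked = headers
        .iter()
        .any(|(n, v)| n == "transfer-encoding" && v.to_ascii_lowercase().contains("chunked"));
    if chunked { Some(Framing::Chunked) } else { content_length(headers) }
}

/// Strict: reject anything RFC 7230 section 3.3.3 calls out as ambiguous.
pub fn strict_framing(headers: &[(String, String)]) -> Result<Framing, &'static str> {
    let te: Vec<&str> = headers.iter().filter(|(n, _)| n == "transfer-encoding").map(|(_, v)| v.as_str()).collect();
    let cl = headers.iter().filter(|(n, _)| n == "content-length").count();
    match te.len() {
        0 if cl > 1 => Err("multiple Content-Length headers"),
        0 => content_length(headers).ok_or("unparseable Content-Length"),
        1 if cl > 0 => Err("Transfer-Encoding together with Content-Length"),
        1 if te[0].trim().to_ascii_lowercase().ends_with("chunked") => Ok(Framing::Chunked),
        1 => Err("final Transfer-Encoding is not chunked"),
        _ => Err("multiple Transfer-Encoding headers"),
    }
}

/// Bytes the body occupies under `framing`, or None if it is incomplete or malformed.
fn body_len(framing: &Framing, body: &str) -> Option<usize> {
    match framing {
        Framing::ContentLength(n) => (body.len() >= *n).then_some(*n),
        Framing::Chunked => {
            let mut pos = 0;
            loop {
                let rest = body.get(pos..)?;
                let line_end = rest.find("\r\n")?;
                let size_str = rest[..line_end].split(';').next()?.trim(); // drop chunk extensions
                let size = usize::from_str_radix(size_str, 16).ok()?;
                pos += line_end + 2;
                if size == 0 {
                    // Only an empty trailer section is accepted in this example.
                    return body.get(pos..)?.starts_with("\r\n").then_some(pos + 2);
                }
                pos += size;
                if !body.get(pos..)?.starts_with("\r\n") {
                    return None;
                }
                pos += 2;
            }
        }
    }
}

/// Walk a byte stream the way a parser using `framing` would, returning the request lines it sees.
pub fn requests_seen<F>(stream: &str, framing: F) -> Vec<String>
where
    F: Fn(&[(String, String)]) -> Option<Framing>,
{
    let mut seen = Vec::new();
    let mut rest = stream;
    while let Some((line, headers, body)) = split_head(rest) {
        seen.push(line.to_string());
        match framing(&headers).and_then(|f| body_len(&f, body)) {
            Some(n) => rest = &body[n..],
            None => break, // incomplete or unframeable body: stop here
        }
    }
    seen
}

fn main() {
    let (_, headers, _) = split_head(SMUGGLE).unwrap();
    println!("lenient (chunked wins): {:?}", requests_seen(SMUGGLE, lenient_framing));
    println!("Content-Length only (assumed proxy): {:?}", requests_seen(SMUGGLE, content_length));
    println!("strict: {:?}", strict_framing(&headers));
}
```

Running it shows the desync directly: the lenient parser reports two request lines (`POST /` and `GET /smuggled`), the Content-Length parser reports only `POST /`, and the strict parser returns an error before any body is read. The fix in hyper >=0.13.10 / >=0.14.3 is the strict behaviour; until relayd's `warp`/`reqwest` pins allow that hyper line, the relayd server is on the lenient side of such a pair.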