Project

General

Profile

Actions

Bug #19731

closed

Two vulnerabilities in hyper

Added by Alexis Mousset over 3 years ago. Updated over 2 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

RUSTSEC-2021-0079

https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9

For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.

Apache prevents sizes > 64bits since 2015: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2015-3183

RUSTSEC-2021-0078

https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c

To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.

Apache 2.4 parses Content-Length headers with plus sign like hyper.


Subtasks 1 (0 open1 closed)

Bug #19732: Two vulnerabilities in hyper - fixed in 7.0ReleasedNicolas CHARLESActions
Actions #1

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #2

Updated by Alexis Mousset over 3 years ago

  • Status changed from New to In progress
Actions #3

Updated by Alexis Mousset over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/3794
Actions #4

Updated by Alexis Mousset over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by Vincent MEMBRÉ over 3 years ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Vincent MEMBRÉ over 3 years ago

This bug has been fixed in Rudder 6.1.16 and 6.2.10 which were released today.

Actions #7

Updated by Alexis Mousset over 2 years ago

  • Target version changed from 6.1.16 to 6.2.16
Actions #8

Updated by Alexis Mousset over 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.2.16, 7.0.5 and 7.1.3 which were released today.

Actions

Also available in: Atom PDF