Bug #19731
closed
Two vulnerabilities in hyper
Description
RUSTSEC-2021-0079¶
https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9
For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.
Apache prevents sizes > 64bits since 2015: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2015-3183
RUSTSEC-2021-0078¶
https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c
To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.
Apache 2.4 parses Content-Length headers with plus sign like hyper.
Updated by Alexis Mousset over 3 years ago
- Status changed from New to In progress
Updated by Alexis Mousset over 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/3794
Updated by Alexis Mousset over 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|e2115318cdf9e2ce305cdc888b07495d662f1767.
Updated by Vincent MEMBRÉ about 3 years ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ about 3 years ago
This bug has been fixed in Rudder 6.1.16 and 6.2.10 which were released today.
Updated by Alexis Mousset over 2 years ago
- Target version changed from 6.1.16 to 6.2.16
Updated by Alexis Mousset over 2 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.2.16, 7.0.5 and 7.1.3 which were released today.