Bug #19731
Updated by Alexis Mousset over 2 years ago
h2. RUSTSEC-2021-0079 https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9 > For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits. Apache prevents sizes > 64bits since 2015: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2015-3183 h2. RUSTSEC-2021-0078 https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c > To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely. Apache 2.4 parses @Content-Length@ headers answer with plus sign like hyper. a @400 Bad Request@.