EspressoSystems / hotshot-query-service

Generic query service for HotShot applications
https://espressosystems.github.io/hotshot-query-service/
GNU General Public License v3.0

RUSTSEC-2024-0336: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input #541

Open github-actions[bot] opened 6 months ago

github-actions[bot] commented 6 months ago

`rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

| Details | |
| --- | --- |
| Package | `rustls` |
| Version | `0.19.1` |
| URL | https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj |
| Date | 2024-04-19 |
| Patched versions | `>=0.23.5,>=0.22.4, <0.23.0,>=0.21.11, <0.22.0` |

If a `close_notify` alert is received during a handshake, `complete_io` does not terminate.

Callers which do not call `complete_io` are not affected.

`rustls-tokio` and `rustls-ffi` do not call `complete_io` and are not affected.

`rustls::Stream` and `rustls::StreamOwned` types use `complete_io` and are affected.

See advisory page for additional details.