GothenburgBitFactory / taskwarrior

Taskwarrior - Command line Task Management
https://taskwarrior.org
MIT License

RUSTSEC-2024-0399: rustls network-reachable panic in `Acceptor::accept` #3702

Open github-actions[bot] opened 12 hours ago

github-actions[bot] commented 12 hours ago

rustls network-reachable panic in Acceptor::accept

Details

Package: rustls
Version: 0.23.14
URL: https://github.com/rustls/rustls/issues/2227
Date: 2024-11-22
Patched versions: >=0.23.18
Unaffected versions: >=0.23, <0.23.13; <0.23

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.

See advisory page for additional details.
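The advisory's affected window (first broken release 0.23.13, first patched release 0.23.18) is easy to misread from the version ranges above, so the following is an added example, not code from Taskwarrior or rustls, that scans a Cargo.lock for every pinned rustls version and flags the ones inside that window. The Cargo.lock excerpt is constructed for the example; the range constants are taken from the advisory. A version match only says the crate is in range; whether the `Acceptor::accept` / `LazyConfigAcceptor` path is actually used still has to be checked in the code, and for real projects `cargo audit` performs the version comparison against the RustSec database.

```rust
// Added example (not Taskwarrior's or rustls's code): find rustls versions
// pinned in a Cargo.lock that fall inside RUSTSEC-2024-0399's affected range
// (>=0.23.13, <0.23.18, from the advisory text above).

const AFFECTED_MIN: (u64, u64, u64) = (0, 23, 13); // bug introduced in 0.23.13
const PATCHED_MIN: (u64, u64, u64) = (0, 23, 18);  // fixed from 0.23.18 onward

/// Parse "MAJOR.MINOR.PATCH" into a tuple; pre-release suffixes are rejected.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.trim().split('.');
    let major = it.next()?.parse().ok()?;
    let minor = it.next()?.parse().ok()?;
    let patch = it.next()?.parse().ok()?;
    if it.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True when the version lies in [AFFECTED_MIN, PATCHED_MIN).
/// Tuples compare lexicographically, which matches semver ordering here.
pub fn is_affected(v: (u64, u64, u64)) -> bool {
    v >= AFFECTED_MIN && v < PATCHED_MIN
}

/// Collect every version of `crate_name` pinned in a Cargo.lock. A lockfile can
/// pin several versions of one crate when dependencies disagree, so all are returned.
pub fn pinned_versions(lock: &str, crate_name: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut in_target = false;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            in_target = false; // a new package block starts; `name` follows
        } else if let Some(rest) = line.strip_prefix("name = ") {
            in_target = rest.trim_matches('"') == crate_name;
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if in_target {
                out.push(rest.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Affected rustls versions found in the lockfile text.
pub fn affected_rustls_versions(lock: &str) -> Vec<String> {
    pinned_versions(lock, "rustls")
        .into_iter()
        .filter(|v| parse_version(v).map_or(false, is_affected))
        .collect()
}

/// Constructed Cargo.lock excerpt for the example (not Taskwarrior's real lockfile).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rustls"
version = "0.21.12"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls"
version = "0.23.14"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-pki-types"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for v in pinned_versions(SAMPLE_LOCK, "rustls") {
        let status = if parse_version(&v).map_or(false, is_affected) {
            "AFFECTED by RUSTSEC-2024-0399"
        } else {
            "outside affected range"
        };
        println!("rustls {v}: {status}");
    }
}
```

Run against the sample lockfile it reports 0.21.12 as outside the range and 0.23.14 as affected; `rustls-pki-types` is ignored because the crate name is compared exactly.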

djmitche commented 12 hours ago

We don't use the affected methods, and only talk to trusted servers anyway. We should still upgrade, but not urgently.