smithy-lang / smithy-rs

Code generation for the AWS SDK for Rust, as well as server and generic smithy client generation.
Apache License 2.0

Update rustls dependency #3714

Open vervaekejonathan opened 3 months ago

vervaekejonathan commented 3 months ago

This is the package maintainer's summary.

Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11. The worst case impact for these vulnerabilities can be "Attacker can trigger DOS via infinite loop".

How do I fix it?

We recommend updating from 0.21.10 to 0.21.11.
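A defender-side check for the version bump discussed in this issue, added here as an example and not part of smithy-rs: it scans Cargo.lock text for rustls pins that sit below the patched releases named in the advisory (0.21.11, 0.22.4, 0.23.5). The Cargo.lock fragment is constructed, and pre-release suffixes are ignored for brevity.

```rust
// Added example (not smithy-rs code): flag rustls pins that are older than the
// patched release on their minor line, using the versions quoted in the advisory.

/// Patched releases per minor line, as listed in the advisory text above.
/// Minor lines the advisory does not mention are not judged by this check.
const FIXED: &[(u64, u64, u64)] = &[(0, 21, 11), (0, 22, 4), (0, 23, 5)];

/// Parse "major.minor.patch"; any "-pre"/"+build" suffix is dropped (assumption).
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(['-', '+']).next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Some(patched_version) if `v` is on a covered minor line and still vulnerable.
fn vulnerable_rustls(v: (u64, u64, u64)) -> Option<(u64, u64, u64)> {
    FIXED.iter().copied().find(|f| f.0 == v.0 && f.1 == v.1 && v < *f)
}

/// Walk the `[[package]]` entries of a Cargo.lock and report vulnerable rustls pins
/// as (pinned version string, patched version to upgrade to).
fn vulnerable_pins(lock: &str) -> Vec<(String, (u64, u64, u64))> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new entry: forget the previous package name
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name.as_deref() == Some("rustls") {
                if let Some(fixed) = parse_version(v).and_then(vulnerable_rustls) {
                    out.push((v.to_string(), fixed));
                }
            }
        }
    }
    out
}

fn main() {
    // Constructed Cargo.lock fragment matching the pin this issue asks to bump.
    let lock = "[[package]]\nname = \"rustls\"\nversion = \"0.21.10\"\n\n\
                [[package]]\nname = \"tokio\"\nversion = \"1.37.0\"\n";
    for (v, (a, b, c)) in vulnerable_pins(lock) {
        println!("rustls {v} is affected; upgrade to {a}.{b}.{c}");
    }
}
```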