Bugzilla – Bug 1223217
VUL-0: CVE-2024-32650: flake-pilot: rust-rustls: Infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input
Last modified: 2024-06-25 15:07:33 UTC
flake-pilot embeds rust-rustls: Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get into an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-32650
https://bugzilla.redhat.com/show_bug.cgi?id=2276085
https://www.cve.org/CVERecord?id=CVE-2024-32650
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e
https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e
https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
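An added illustrative model of the `complete_io` loop described above; this is not rustls code and not part of the bug report. It reproduces the shape of the failure (after a `close_notify` the connection no longer wants to read, so the socket EOF path is never reached while the handshake is still pending) and contrasts it with a guard that treats a received `close_notify` during the handshake as end-of-stream. The record names, state fields and the guard are constructed assumptions standing in for the upstream fix.

```rust
use std::io;

/// Constructed server-side state; mirrors the predicates the IO loop consults.
struct ServerState {
    handshaking: bool,
    received_close_notify: bool,
    inbound: Vec<&'static str>, // constructed records from the peer, in arrival order
}

impl ServerState {
    // Like the real predicate: no more reads once the peer sent close_notify.
    fn wants_read(&self) -> bool { !self.received_close_notify }
    fn is_handshaking(&self) -> bool { self.handshaking }
    /// Consumes one record; returns bytes read, 0 models EOF on the socket.
    fn read_tls(&mut self) -> usize {
        match self.inbound.first().copied() {
            Some(rec) => { self.inbound.remove(0); self.process(rec); rec.len() }
            None => 0,
        }
    }
    fn process(&mut self, rec: &str) {
        match rec {
            "close_notify" => self.received_close_notify = true,
            "finished" => self.handshaking = false, // handshake ends only on Finished
            _ => {}
        }
    }
}

/// Drives IO until the handshake completes; `max_iters` stands in for "forever".
/// `close_notify_is_eof` is the assumed guard a fixed loop needs.
fn complete_io(st: &mut ServerState, close_notify_is_eof: bool, max_iters: usize)
    -> Result<usize, io::Error> {
    let mut eof = false;
    for iter in 0..max_iters {
        if !eof && st.wants_read() && st.read_tls() == 0 { eof = true; }
        if close_notify_is_eof && st.received_close_notify { eof = true; }
        match (eof, st.is_handshaking()) {
            (_, false) => return Ok(iter + 1),
            (true, true) => return Err(io::Error::from(io::ErrorKind::UnexpectedEof)),
            (false, true) => {} // no read, no eof, still handshaking: the bug spins here
        }
    }
    Err(io::Error::new(io::ErrorKind::TimedOut, "loop did not terminate"))
}

fn main() {
    // Constructed scenario from the advisory: client_hello, then an immediate close_notify.
    let mk = || ServerState { handshaking: true, received_close_notify: false,
                              inbound: vec!["client_hello", "close_notify"] };
    println!("unguarded: {:?}", complete_io(&mut mk(), false, 1_000).map_err(|e| e.kind()));
    println!("guarded:   {:?}", complete_io(&mut mk(), true, 1_000).map_err(|e| e.kind()));
}
```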
Thanks, it seems the mentioned versions are not yet available in the crate index, e.g. `failed to select a version for the requirement rustls = "^0.21.21"`. I guess a little bit of waiting is needed before the vendor tarball picks up the fix.
Since this is not fixable in the code Marcus wrote, could the security team advise on how to take care of this?
> Since this is not fixable

I rechecked today and the crate index has changed with an updated rustls variant. I will submit a package.
created request id 1179039
This is an autogenerated message for OBS integration: This bug (1223217) was mentioned in https://build.opensuse.org/request/show/1179039 Factory / flake-pilot
submission to TW done