Bug 1180572 (CVE-2020-35863) - VUL-0: CVE-2020-35863: rust: An HTTP request smuggling issue was discovered in the hyper crate before 0.12.34 for Rust
Status: RESOLVED FIXED
Alias: CVE-2020-35863
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/274349/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-35863:7.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-05 12:52 UTC by Robert Frohl
Modified: 2022-10-21 07:06 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2021-01-05 12:52:11 UTC
CVE-2020-35863

An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request
smuggling can occur. Remote code execution can occur in certain situations with
an HTTP server on the loopback interface.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35863
https://rustsec.org/advisories/RUSTSEC-2020-0008.html
Comment 1 Robert Frohl 2021-01-05 12:53:19 UTC
rust embeds hyper 0.12.31, therefore these codestreams are affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
Comment 2 Scott Reeves 2021-03-02 18:40:51 UTC
Can you take this Federico...
Comment 3 Robert Frohl 2022-01-21 12:25:58 UTC
seems that hyper was removed with version 1.46.0 (by 6654c5852f76d6b55ebdacc0d428cad5b3dbdbed)

Which means SLE15-SP3 is not affected, because rust1.43 is out of support. SLE15 and SLE15-SP1 are now on 1.53.
Comment 4 Robert Frohl 2022-01-21 12:26:30 UTC
closing
Comment 5 Marcus Meissner 2022-10-21 07:06:22 UTC
all hyper crates are at least 0.12.36 or newer, so fixed.

openSUSE:Factory,afterburn,hyper,0.14.17
openSUSE:Factory,aws-nitro-enclaves-cli,hyper,0.14.16
openSUSE:Factory,deno,hyper,0.14.19
openSUSE:Factory,deno,hyper,0.14.20
openSUSE:Factory,fractal,hyper,0.14.5
openSUSE:Factory,gnome-podcasts,hyper,0.14.16
openSUSE:Factory,gstreamer-plugins-rs,hyper,0.14.20
openSUSE:Factory,kanidm,hyper,0.14.20
openSUSE:Factory,lapce,hyper,0.14.19
openSUSE:Factory,ncspot,hyper,0.14.20
openSUSE:Factory,pijul,hyper,0.14.18
openSUSE:Factory,rust-keylime,hyper,0.14.19
openSUSE:Factory,rust-keylime,hyper,0.14.20
openSUSE:Factory,rustup,hyper,0.14.20
openSUSE:Factory,sccache,hyper,0.14.19
openSUSE:Factory,sccache,hyper,0.14.5
openSUSE:Factory,spotifyd,hyper,0.13.10
openSUSE:Factory,spotifyd,hyper,0.14.20
openSUSE:Factory,tealdeer,hyper,0.14.19
openSUSE:Factory,tectonic,hyper,0.12.36
openSUSE:Factory,tectonic,hyper,0.14.20
openSUSE:Factory,wasm-pack,hyper,0.12.36
openSUSE:Factory,wezterm,hyper,0.14.20
openSUSE:Factory,zola,hyper,0.14.20
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,hyper,0.14.11
SUSE:SLE-15-SP3:Update,rustup,hyper,0.14.13
SUSE:SLE-15-SP3:Update,sccache,hyper,0.12.36
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,hyper,0.14.16
SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,hyper,0.14.17
SUSE:SLE-15-SP4:Update,rustup,hyper,0.14.13
SUSE:SLE-15-SP4:Update,sccache,hyper,0.12.36
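The check behind comment 5, as an added example that is not part of the bug report: it parses "codestream,package,crate,version" records in the form pasted above and flags any hyper version below the boundary the advisory states (fixed in 0.12.34). The sample records are constructed from values on this page (the embedded hyper 0.12.31 from comment 1, two lines from comment 5); the function names are my own.

```rust
/// Fixed version stated in the advisory text on this page: hyper 0.12.34.
const FIXED: (u64, u64, u64) = (0, 12, 34);

/// Parse a dotted version such as "0.12.31" into (major, minor, patch).
/// Anything that is not exactly three numeric components yields None,
/// so a malformed record is skipped rather than silently compared.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// One record from the "codestream,package,crate,version" list.
#[derive(Debug, PartialEq)]
struct Finding {
    codestream: String,
    package: String,
    version: String,
}

/// Return the records whose hyper version is below FIXED.
/// Tuples compare lexicographically, so (0,12,31) < (0,12,34) < (0,14,5).
fn affected(records: &str) -> Vec<Finding> {
    records
        .lines()
        .filter_map(|line| {
            let f: Vec<&str> = line.split(',').map(str::trim).collect();
            if f.len() != 4 || f[2] != "hyper" {
                return None; // not a hyper record, or malformed
            }
            let v = parse_version(f[3])?;
            (v < FIXED).then(|| Finding {
                codestream: f[0].to_string(),
                package: f[1].to_string(),
                version: f[3].to_string(),
            })
        })
        .collect()
}

fn main() {
    // Constructed sample built from values quoted in this bug.
    let sample = "SUSE:SLE-15:Update,rust,hyper,0.12.31\n\
                  SUSE:SLE-15-SP3:Update,sccache,hyper,0.12.36\n\
                  openSUSE:Factory,zola,hyper,0.14.20\n";
    for f in affected(sample) {
        println!("AFFECTED {} {} hyper {}", f.codestream, f.package, f.version);
    }
}
```

For a checked-out crate tree the equivalent question is answered by running cargo-audit against the RustSec database, which carries this advisory as RUSTSEC-2020-0008.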