Bugzilla – Bug 1182059
VUL-0: CVE-2021-21299: rust: request smuggling at hyper crate
Last modified: 2022-09-19 10:59:57 UTC
CVE-2021-26959 An issue was discovered in the hyper crate before 0.13.10 and 0.14.x before 0.14.3 for Rust. Request smuggling can occur when more than one Transfer-Encoding header is sent.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26959
https://rustsec.org/advisories/RUSTSEC-2021-0020.html
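The condition named above is a request head that carries more than one Transfer-Encoding header, which two HTTP parsers in a chain may frame differently. As an added example (not hyper's code, and not from this bug report), the following head parser treats that condition as a hard error instead of choosing one of the headers; the request heads and the `parse_head` / `HeadError` names are constructed for illustration.

```rust
// Added example (not hyper's code): reject HTTP/1.1 request heads that carry
// more than one Transfer-Encoding header, the condition named in the advisory.
// In a real server this check belongs in the head parser, before the body
// framing (chunked vs. Content-Length) is decided.

#[derive(Debug, PartialEq)]
pub enum HeadError {
    Malformed,
    DuplicateTransferEncoding,
}

/// Parse the header block (request line excluded, CRLF-separated) and return
/// the header list with lower-cased names, or an error if the block is
/// malformed or Transfer-Encoding appears more than once.
pub fn parse_head(head: &str) -> Result<Vec<(String, String)>, HeadError> {
    let mut headers = Vec::new();
    let mut te_count = 0usize;
    for line in head.split("\r\n") {
        if line.is_empty() {
            continue; // blank line terminates the head
        }
        let (name, value) = line.split_once(':').ok_or(HeadError::Malformed)?;
        let name = name.trim();
        // Header names are case-insensitive (RFC 7230 section 3.2), so
        // "Transfer-Encoding" and "transfer-encoding" count as the same header.
        if name.eq_ignore_ascii_case("transfer-encoding") {
            te_count += 1;
            if te_count > 1 {
                // Do not guess which header is authoritative: fail the request.
                return Err(HeadError::DuplicateTransferEncoding);
            }
        }
        headers.push((name.to_ascii_lowercase(), value.trim().to_string()));
    }
    Ok(headers)
}

fn main() {
    // Constructed sample request heads (not captured traffic).
    let single = "Host: localhost\r\nTransfer-Encoding: chunked\r\n\r\n";
    let doubled = "Host: localhost\r\nTransfer-Encoding: chunked\r\ntransfer-encoding: identity\r\n\r\n";
    println!("{:?}", parse_head(single));
    println!("{:?}", parse_head(doubled));
}
```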
hyper is included in the rust packages. We ship version 0.12.31. Tracked as affected: SLE15 and SLE15-SP1. Factory does not ship hyper.
Additional reference https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
Federico - can you look into this.
CVE-2021-26959 was rejected, duplicate of CVE-2021-21299
I've done a scan for the related CVE:

- the following pkgs need SECURITY updates to address RUSTSEC-2021-0020 - svc setup
osc bco multimedia:apps/spotifyd
osc bco X11:Wayland/tuigreet
osc bco X11:Wayland/wayshot
Alternately
python3 do_bulk_update.py --yolo multimedia:apps/spotifyd X11:Wayland/tuigreet X11:Wayland/wayshot
- the following pkgs need SECURITY updates to address RUSTSEC-2021-0020 - manual, missing cargo_vendor
osc bco Base:System/dracut
osc bco mozilla:Factory/mozjs78
osc bco mozilla:Factory/mozjs91

I am doing the updates for spotify, tuigreet and wayshot.

The maintainers of dracut and mozjs will need to be contacted to do their own updates of their vendored elements.
(In reply to William Brown from comment #7)
> I've done a scan for the the related CVE:
>
> - the following pkgs need SECURITY updates to address RUSTSEC-2021-0020 - svc setup
> osc bco multimedia:apps/spotifyd
> osc bco X11:Wayland/tuigreet
> osc bco X11:Wayland/wayshot
> Alternately
> python3 do_bulk_update.py --yolo multimedia:apps/spotifyd X11:Wayland/tuigreet X11:Wayland/wayshot
> - the following pkgs need SECURITY updates to address RUSTSEC-2021-0020 - manual, missing cargo_vendor
> osc bco Base:System/dracut
> osc bco mozilla:Factory/mozjs78
> osc bco mozilla:Factory/mozjs91
>
> I am doing the updates for spotify, tuigreet and wayshot.
>
> The maintainers of dracut and mozjs will need to be contacted to do their own updates of their vendored elements.

we also track these as affected:
- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust

Any chance to get a fix there too?
> > The maintainers of dracut and mozjs will need to be contacted to do their own updates of their vendored elements.
>
> we also track these as affected:
> - SUSE:SLE-15:Update/rust
> - SUSE:SLE-15-SP1:Update/rust
>
> Any chance to get a fix there too?

They aren't, because request smuggling only affects proxying of responses and the rust compiler doesn't do this. When these RUSTSEC advisories affect rust itself, the rust programming team release separate fixes and updates.
Done, closing.