Your message dated Mon, 08 Mar 2021 06:48:23 +0000
with message-id <e1lj9gl-000ccq...@fasolo.debian.org>
and subject line Bug#969896: fixed in rust-http 0.1.19-2
has caused the Debian Bug report #969896,
regarding rust-http: Integer Overflow in HeaderMap::reserve() can cause Denial 
of Service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
969896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969896
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rust-http
Version: 0.1.19-1
Severity: normal

Dear Maintainer,

Versions below 0.1.20 of rust-http have a denial of service vulnerability.

Description of the vulnerability:

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased 
capacity. However, next_power_of_two() silently overflows to 0 if given a 
sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke 
self.grow(0) and start infinite probing. This allows an attacker who controls 
the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

Link to advisory: https://rustsec.org/advisories/RUSTSEC-2019-0033.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
  (locale: Cannot set LC_ALL to default locale: No such file or directory)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
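The report above describes the mechanism but not how the two arithmetic steps differ. The following is an added example, written for this page and not taken from the http crate or from the Debian package: a simplified model of a `reserve()`-style capacity computation in its unchecked and checked forms, plus a bounded probe loop that shows why a table grown to capacity 0 never finds a slot. The names (`release_next_power_of_two`, `vulnerable_capacity`, `hardened_capacity`, `find_free_slot`, `simulate_reserve`), the probing layout and the constant `0x1234` are assumptions for illustration; `release_next_power_of_two` re-implements the standard-library rounding so the wrap-to-zero is reproducible even in a debug build, where the real method panics instead of returning 0.

```rust
// Added example (not the http crate's code): a simplified model of the
// capacity computation behind RUSTSEC-2019-0033 and its hardened form.

/// Emulates `usize::next_power_of_two()` with release-profile semantics
/// (overflow checks off): for inputs above 2^(BITS-1) the result wraps to 0.
/// Same algorithm as std, so the behaviour is identical in debug builds,
/// where the real method would panic on overflow instead.
pub fn release_next_power_of_two(n: usize) -> usize {
    if n <= 1 {
        return 1;
    }
    (usize::MAX >> (n - 1).leading_zeros()).wrapping_add(1)
}

/// Vulnerable pattern: the addition is checked, the rounding step is not.
/// Returns the raw table capacity a `reserve(additional)` call grows to.
pub fn vulnerable_capacity(len: usize, additional: usize) -> usize {
    let cap = len.checked_add(additional).expect("reserve overflow");
    release_next_power_of_two(cap)
}

/// Hardened pattern: both steps are checked. `None` means the caller must
/// refuse (or panic on) the request instead of growing to a bogus capacity.
pub fn hardened_capacity(len: usize, additional: usize) -> Option<usize> {
    len.checked_add(additional)?.checked_next_power_of_two()
}

/// Linear probing over a raw index table, in the shape an open-addressing
/// map uses when reinserting entries after a grow. `max_steps` bounds the
/// loop so this demonstration terminates; an unbounded loop hangs forever
/// when the table is empty, because `probe < len` can never hold.
pub fn find_free_slot(indices: &[Option<usize>], hash: usize, max_steps: usize) -> Option<usize> {
    // Assumed mask convention: capacity - 1; for capacity 0 it wraps to usize::MAX.
    let mask = indices.len().wrapping_sub(1);
    let mut probe = hash & mask;
    for _ in 0..max_steps {
        if probe < indices.len() {
            if indices[probe].is_none() {
                return Some(probe);
            }
            probe += 1;
        } else {
            probe = 0; // wrap around; with an empty table this branch repeats forever
        }
    }
    None
}

/// Full scenario: a non-empty map is asked to reserve an attacker-chosen
/// amount, grows to the (unchecked) computed capacity, then probes for a
/// slot. `None` models the hang: the probe budget ran out without a result.
pub fn simulate_reserve(existing: usize, additional: usize, max_steps: usize) -> Option<usize> {
    let cap = vulnerable_capacity(existing, additional);
    let indices: Vec<Option<usize>> = vec![None; cap];
    find_free_slot(&indices, 0x1234, max_steps)
}

fn main() {
    let half = usize::MAX / 2 + 1; // 2^(BITS-1), the largest power of two that fits
    println!("vulnerable: {}", vulnerable_capacity(1, half)); // 0
    println!("hardened:   {:?}", hardened_capacity(1, half)); // None
    println!("probe on capacity 0: {:?}", simulate_reserve(1, half, 1_000)); // None
}
```

The practical check for a code base is the pairing itself: wherever `checked_add` feeds `next_power_of_two` (or a shift), the rounding step needs the same treatment, either `checked_next_power_of_two` or an explicit upper bound on the requested size before rounding.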
--- Begin Message ---
Source: rust-http
Source-Version: 0.1.19-2
Done: Wolfgang Silbermayr <wolfg...@silbermayr.at>

We believe that the bug you reported is fixed in the latest version of
rust-http, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wolfgang Silbermayr <wolfg...@silbermayr.at> (supplier of updated rust-http 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Mar 2021 07:19:34 +0100
Source: rust-http
Architecture: source
Version: 0.1.19-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers 
<pkg-rust-maintain...@alioth-lists.debian.net>
Changed-By: Wolfgang Silbermayr <wolfg...@silbermayr.at>
Closes: 969896
Changes:
 rust-http (0.1.19-2) unstable; urgency=medium
 .
   * Package http 0.1.19 from crates.io using debcargo 2.4.3
   * Resolve RUSTSEC-2019-0033 (Closes: #969896)
Checksums-Sha1:
 5e0da87c5c0228848c98d3a05c5afc0661bbde78 2501 rust-http_0.1.19-2.dsc
 4e020df9f360c3a06c576e05c274435cbf217761 3668 rust-http_0.1.19-2.debian.tar.xz
 116b73a946b8db7fb1ca79858e1ea57164ecde0f 7541 
rust-http_0.1.19-2_source.buildinfo
Checksums-Sha256:
 6f8403329bd5ce4d6d954702c18148706af5b08b06a72aadcbe38439ac6ab07d 2501 
rust-http_0.1.19-2.dsc
 2780a5a18855e9cad4d401de73140600024f4a50c1ea705d8ceb3e241f25fe3c 3668 
rust-http_0.1.19-2.debian.tar.xz
 ff11605c07adb41dcb0c26f650c51ecf6277427421b6281d94c3cd166bf6b732 7541 
rust-http_0.1.19-2_source.buildinfo
Files:
 38f5d384fb029a4160f6ed26cff1dc6e 2501 rust optional rust-http_0.1.19-2.dsc
 63c69392bba843988813e4079e7b7f72 3668 rust optional 
rust-http_0.1.19-2.debian.tar.xz
 1de7841cf317e12d187051d7742c87bc 7541 rust optional 
rust-http_0.1.19-2_source.buildinfo


--- End Message ---
