Your message dated Tue, 11 Jun 2024 13:49:15 +0000
with message-id <e1sh1sb-004fx7...@fasolo.debian.org>
and subject line Bug#1069677: fixed in rust-rustls 0.21.12-1
has caused the Debian Bug report #1069677,
regarding rust-rustls: CVE-2024-32650
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1069677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rust-rustls
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for rust-rustls.
CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client sends a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.
https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
https://www.cve.org/CVERecord?id=CVE-2024-32650
Please adjust the affected versions in the BTS as needed.
--- End Message ---
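The failure mode the report describes, as an added example that is not rustls' code and not part of this bug thread. It models a blocking server's drive loop (named `complete_io` after the real function, but a toy) over a scripted peer, and compares two policies for a `close_notify` alert that arrives right after `client_hello`, before the handshake has authenticated the client: one that records it as a clean close and keeps handshaking (an assumption about the pre-fix behaviour, not taken from the rustls source), and one that gives it no special handling, so it is an error like any other alert received during the handshake, which is how the upstream changelog in the closing message characterises the fix ("don't specially handle unauthenticated close_notify alerts"). The `Record`, `ToyServer` and `CloseNotifyPolicy` types, the iteration cap and the scripted peers are all constructed for the example; the real rustls API and state machine differ.

```rust
use std::collections::VecDeque;
use std::io;

/// TLS records the toy server understands. Constructed for this example;
/// a real handshake has many more message types.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Record {
    ClientHello,
    ClientFinished,
    CloseNotify,
}

/// How the server reacts to a close_notify received before the handshake
/// has finished, i.e. while the peer is still unauthenticated.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum CloseNotifyPolicy {
    /// Assumed pre-fix behaviour: note the clean close and keep handshaking.
    RecordCleanClose,
    /// Post-fix behaviour per the changelog: no special handling, so it is
    /// an error like any other alert during the handshake.
    TreatAsError,
}

/// A toy connection state machine; not rustls' ConnectionCommon.
struct ToyServer {
    handshaking: bool,
    received_close_notify: bool,
    pending_writes: VecDeque<&'static str>,
    policy: CloseNotifyPolicy,
}

impl ToyServer {
    fn new(policy: CloseNotifyPolicy) -> Self {
        ToyServer { handshaking: true, received_close_notify: false, pending_writes: VecDeque::new(), policy }
    }
    fn wants_read(&self) -> bool { !self.received_close_notify }
    fn wants_write(&self) -> bool { !self.pending_writes.is_empty() }
    fn is_handshaking(&self) -> bool { self.handshaking }

    /// Consume one record from the peer.
    fn process(&mut self, rec: Record) -> Result<(), String> {
        match rec {
            Record::ClientHello if self.handshaking => {
                self.pending_writes.push_back("server_hello");
                Ok(())
            }
            Record::ClientFinished if self.handshaking => {
                self.handshaking = false;
                Ok(())
            }
            Record::CloseNotify => {
                if self.handshaking && self.policy == CloseNotifyPolicy::TreatAsError {
                    return Err("close_notify alert received during handshake".into());
                }
                self.received_close_notify = true; // clean close: stop wanting reads
                Ok(())
            }
            other => Err(format!("unexpected {:?} after handshake", other)),
        }
    }
}

/// Blocking drive loop modelled on the shape of a complete_io-style helper:
/// flush writes, read one record if the connection wants one, stop once the
/// handshake is done or the peer went away. `max_iterations` exists only so
/// the pre-fix policy cannot hang this example.
fn complete_io(server: &mut ToyServer, peer: &mut VecDeque<Record>, max_iterations: usize) -> Result<usize, io::Error> {
    let mut eof = false;
    let mut records_read = 0;
    for _ in 0..max_iterations {
        while server.wants_write() {
            server.pending_writes.pop_front(); // "sent" to the peer
        }
        if !eof && server.wants_read() {
            match peer.pop_front() {
                Some(rec) => {
                    records_read += 1;
                    server.process(rec).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
                }
                None => eof = true,
            }
        }
        match (eof, server.is_handshaking()) {
            (_, false) => return Ok(records_read),
            (true, true) => return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "tls handshake eof")),
            (false, true) => {} // keep driving
        }
    }
    // Nothing to read, nothing to write, handshake still incomplete: no iteration can change anything.
    Err(io::Error::new(io::ErrorKind::TimedOut, "complete_io made no progress"))
}

/// Run one scripted peer against a server with the given policy.
fn run(policy: CloseNotifyPolicy, script: &[Record]) -> Result<usize, io::ErrorKind> {
    let mut server = ToyServer::new(policy);
    let mut peer: VecDeque<Record> = script.iter().copied().collect();
    complete_io(&mut server, &mut peer, 10_000).map_err(|e| e.kind())
}

fn main() {
    let early_close = [Record::ClientHello, Record::CloseNotify];
    println!("pre-fix policy  : {:?}", run(CloseNotifyPolicy::RecordCleanClose, &early_close));
    println!("post-fix policy : {:?}", run(CloseNotifyPolicy::TreatAsError, &early_close));
    println!("normal handshake: {:?}", run(CloseNotifyPolicy::TreatAsError, &[Record::ClientHello, Record::ClientFinished]));
    println!("peer hangs up   : {:?}", run(CloseNotifyPolicy::TreatAsError, &[Record::ClientHello]));
}
```

The point of the two scenarios is the loop's exit conditions: with the first policy the close_notify switches off `wants_read` while the handshake is still incomplete and nothing is queued to write, so no later iteration can ever make progress, and only the artificial cap ends it. With the second policy the same input surfaces as an error the caller can act on. The cap is for the demonstration only; the real mitigation is upgrading to a fixed release (0.21.11, 0.22.4 or 0.23.5 upstream; 0.21.12-1 in Debian).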
--- Begin Message ---
Source: rust-rustls
Source-Version: 0.21.12-1
Done: Jonas Smedegaard <d...@jones.dk>
We believe that the bug you reported is fixed in the latest version of
rust-rustls, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated rust-rustls package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Jun 2024 15:15:06 +0200
Source: rust-rustls
Architecture: source
Version: 0.21.12-1
Distribution: unstable
Urgency: medium
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1069677
Changes:
rust-rustls (0.21.12-1) unstable; urgency=medium
.
[ upstream ]
* new release(s)
+ don't specially handle unauthenticated close_notify alerts;
fixes CVE-2024-32650;
closes: bug#1069677, thanks to Moritz Mühlenhoff
.
[ Jonas Smedegaard ]
* update watch file: modernize source URI
* update copyright info: fix file path
* bump project versions in virtual packages and autopkgtests
* unfuzz patches
* declare compliance with Debian Policy 4.7.0
Checksums-Sha1:
6ec431022e39f3e0bbc617863938f00fe48d6033 3456 rust-rustls_0.21.12-1.dsc
0964e64a681cc1eb94b4207f709e1aeef455440e 769817 rust-rustls_0.21.12.orig.tar.gz
f869acd50b80f31e93a2f77dc5696346549c7f7d 26592 rust-rustls_0.21.12-1.debian.tar.xz
bd21c8661e64e6bd9158fe877ddfa057903e4b72 10861 rust-rustls_0.21.12-1_amd64.buildinfo
Checksums-Sha256:
5a072e2d8158d82d2f8885a92a9d72db790c725aec5042f46d5eda6873717c02 3456 rust-rustls_0.21.12-1.dsc
b22000803cb9ad439400a509eef786e9eb603b483eed30978e69bc4572be253b 769817 rust-rustls_0.21.12.orig.tar.gz
38c2f7a804db273b3aa01c289603fea5f126cc3a46c6a4be61144b22951c5439 26592 rust-rustls_0.21.12-1.debian.tar.xz
e78d9b99996b534aacbd7995657e5c3d1ebfad0a91faa4aaf5c8b3e69d2782b6 10861 rust-rustls_0.21.12-1_amd64.buildinfo
Files:
96cfaeaa4df9148473b025214a12291e 3456 rust optional rust-rustls_0.21.12-1.dsc
6c6e69d506c4837a8531adf4ab21783e 769817 rust optional rust-rustls_0.21.12.orig.tar.gz
a9af951a7aba2e5a29e4261f4d915796 26592 rust optional rust-rustls_0.21.12-1.debian.tar.xz
7dd849c7f1f597709d69b0af4bfa01c9 10861 rust optional rust-rustls_0.21.12-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---