HIGH 7.5
RUSTSEC-2020-0015
Crash causing Denial of Service attack
Details
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
Affected packages
crates.io / openssl-src
Introduced in: 111.6.0
Fixed in: 111.9.0
Upgrade openssl-src to 111.9.0 or newer (ecosystem crates.io).
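
A dependency check for the affected range above, as an added example that is not part of the advisory: it scans Cargo.lock text for openssl-src entries with 111.6.0 <= version < 111.9.0. The function names and the sample lockfile are constructed for illustration, and the parser reads only the name and version lines of [[package]] entries.

```rust
// Affected range from the advisory: introduced 111.6.0, fixed 111.9.0.

/// Parse "MAJOR.MINOR.PATCH[+build]" into a comparable tuple.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    // Build metadata such as "+1.1.1g" does not affect ordering; drop it.
    let core = v.split('+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(triple) }
}

/// Some(true) if affected, Some(false) if not, None if unparseable.
fn is_affected(version: &str) -> Option<bool> {
    let v = parse_version(version)?;
    Some(v >= (111, 6, 0) && v < (111, 9, 0))
}

/// Extract the value from a `key = "value"` lockfile line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Every locked openssl-src version that is affected (or unparseable).
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_target = false;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            in_target = false;
        } else if let Some(name) = quoted_value(line, "name") {
            in_target = name == "openssl-src";
        } else if let Some(ver) = quoted_value(line, "version") {
            // Unparseable versions are reported so they get a manual look.
            if in_target && is_affected(ver).unwrap_or(true) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"openssl-src\"\nversion = \"111.6.0+1.1.1d\"\n\n[[package]]\nname = \"openssl-sys\"\nversion = \"0.9.55\"\n";

fn main() {
    for v in affected_in_lockfile(SAMPLE_LOCK) {
        println!("openssl-src {} is in the affected range", v);
    }
}
```

A version in range means the vulnerable OpenSSL source is built in; per the details above, the crash additionally requires that the application calls SSL_check_chain() during or after a TLS 1.3 handshake.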