HIGH 7.5
RUSTSEC-2020-0015
Crash causing Denial of Service attack
Details
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
Affected packages
crates.io / openssl-src
First affected version: 111.6.0
Fixed version: 111.9.0
Upgrade openssl-src to 111.9.0 or newer (ecosystem crates.io).