Merge pull request #277 from lzutao/cve-openssl

tarcieri · web-flow · commit f2feb205c688 · 2020-05-04T16:38:10.000-07:00
warn about CVE-2020-1967
diff --git a/crates/openssl-src/RUSTSEC-0000-0000.toml b/crates/openssl-src/RUSTSEC-0000-0000.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-src"
+date = "2020-04-25"
+title = "Crash causing Denial of Service attack"
+url = "https://www.openssl.org/news/secadv/20200421.txt"
+categories = ["denial-of-service"]
+description = """
+Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 
+handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the 
+"signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature 
+algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of 
+Service attack."""
+aliases = ["CVE-2020-1967"]
+
+[versions]
+patched = [">= 111.9.0+1.1.1g"]
+unaffected = ["< 111.6.0+1.1.1d"]
