Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #2345

Closed
github-actions bot opened this issue Aug 23, 2023 · 1 comment
Closed
Labels
duplicate This issue or pull request already exists

Comments

@github-actions
Copy link

webpki: CPU denial of service in certificate path building

Details
Package webpki
Version 0.21.4
Date 2023-08-22

When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in
<briansmith/webpki#69> and re-reported recently
by Luke Malinowski.

rustls-webpki is a fork of this crate which contains a fix for this issue
and is actively maintained.

See advisory page for additional details.

@Licenser
Copy link
Member

Licenser commented Oct 9, 2023

doublicate of #2346

@Licenser Licenser closed this as completed Oct 9, 2023
@Licenser Licenser added the duplicate This issue or pull request already exists label Oct 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

1 participant