
GHSA-9qwg-crg9-m2vc

Published: 24 Mar 2023
Source: github
GitHub: Reviewed

Description

openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.

Packages

Name: openssl
Ecosystem: rust
Affected versions: >= 0.9.7, < 0.10.48
Fixed version: 0.10.48
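
To check whether a project locks an affected release, the following added example (not part of the advisory or of the openssl crate) scans Cargo.lock text for `openssl` entries in the range >= 0.9.7, < 0.10.48. The function names and the sample lockfile excerpt are constructed for illustration.

```rust
// Affected range from the advisory: >= 0.9.7, < 0.10.48 (fixed in 0.10.48).

/// Parse "major.minor.patch"; a pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { return None; }
    Some(triple)
}

/// True when the version falls inside the advisory's affected range.
fn is_affected(v: (u64, u64, u64)) -> bool {
    v >= (0, 9, 7) && v < (0, 10, 48)
}

/// Return each locked `openssl` version in Cargo.lock text that is affected.
/// Only the crate named exactly "openssl" is matched, not "openssl-sys".
fn affected_openssl_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_openssl = false;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            in_openssl = false; // a new package entry starts
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_openssl = name.trim_matches('"') == "openssl";
        } else if let Some(ver) = line.strip_prefix("version = ") {
            let ver = ver.trim_matches('"');
            if in_openssl && parse_version(ver).map_or(false, is_affected) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() {
    // Constructed Cargo.lock excerpt (sample data, not from the advisory).
    let sample = "[[package]]\nname = \"openssl\"\nversion = \"0.10.45\"\n\n\
                  [[package]]\nname = \"openssl-sys\"\nversion = \"0.9.80\"\n";
    for v in affected_openssl_versions(sample) {
        println!("openssl {} is affected; upgrade to 0.10.48 or later", v);
    }
}
```

In a real project, pass the contents of the workspace's Cargo.lock to `affected_openssl_versions`.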