rust-hyper - Debian Package Tracker

general

source: rust-hyper (main)
version: 0.12.35-1
maintainer: Debian Rust Maintainers (archive) (DMD)
uploaders: kpcyrd [DMD] [DM]
arch: any
std-ver: 4.2.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 0.12.35-1

versioned links

0.12.35-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

librust-hyper+default-dev
librust-hyper+futures-cpupool-dev
librust-hyper+net2-dev
librust-hyper+runtime-dev
librust-hyper+tokio-dev
librust-hyper+tokio-executor-dev
librust-hyper+tokio-reactor-dev
librust-hyper+tokio-tcp-dev
librust-hyper+tokio-threadpool-dev
librust-hyper+tokio-timer-dev
librust-hyper-dev

action needed

A new upstream version is available: 0.14.13 high

A new upstream version 0.14.13 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2021-09-19 06:56

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2021-21299: hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly.
CVE-2021-32714: hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a `Transfer-Encoding` header or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in 64-bit unsigned integers.
CVE-2021-32715: hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

Created: 2021-02-19 Last update: 2021-08-30 10:25

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2021-21299: hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly.

Created: 2021-02-19 Last update: 2021-05-18 22:30

lintian reports 10 errors and 2 warnings high

Lintian reports 10 errors and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2021-01-27 03:05

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2021-06-20 Last update: 2021-09-19 08:36

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2020-01-14 Last update: 2020-01-14 21:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.2.0).

Created: 2019-08-28 Last update: 2021-08-18 14:03

testing migrations

excuses:
- Migrates after: rust-h2, rust-http, rust-http-body
- Migration status for rust-hyper (- to 0.12.35-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating rust-hyper introduces new bugs: #988729
- Build-Depends(-Arch): rust-hyper rust-h2
- Build-Depends(-Arch): rust-hyper rust-http
- Build-Depends(-Arch): rust-hyper rust-http-body
- Depends: rust-hyper rust-h2
- Depends: rust-hyper rust-http
- Depends: rust-hyper rust-http-body
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/r/rust-hyper.html
- 717 days old (needed 5 days)
- Not considered

news

[rss feed]

[2021-06-21] rust-hyper REMOVED from testing (Debian testing watch)
[2020-10-10] rust-hyper 0.12.35-1 MIGRATED to testing (Debian testing watch)
[2020-03-14] rust-hyper REMOVED from testing (Debian testing watch)
[2019-10-19] rust-hyper 0.12.35-1 MIGRATED to testing (Debian testing watch)
[2019-10-03] Accepted rust-hyper 0.12.35-1 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
[2019-08-27] Accepted rust-hyper 0.12.33-1 (amd64 source) into unstable, unstable (Andrej Shadura)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (10, 2)
buildd: logs, checks, clang, cross
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.12.35-1