Your message dated Sun, 23 Apr 2023 16:50:46 +0000
with message-id <[email protected]>
and subject line Bug#1034723: fixed in rust-h2 0.3.13-2
has caused the Debian Bug report #1034723,
regarding rust-hyper: CVE-2023-26964
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034723
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-hyper
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-hyper.
CVE-2023-26964[0]:
| An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking
| occurs when the H2 component processes HTTP2 RST_STREAM frames. As a
| result, the memory and CPU usage are high which can lead to a Denial
| of Service (DoS).
https://github.com/hyperium/hyper/issues/2877
https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39
(v0.3.17)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-26964
https://www.cve.org/CVERecord?id=CVE-2023-26964
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: rust-h2
Source-Version: 0.3.13-2
Done: Peter Michael Green <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-h2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Michael Green <[email protected]> (supplier of updated rust-h2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 23 Apr 2023 09:50:43 +0000
Source: rust-h2
Architecture: source
Version: 0.3.13-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Peter Michael Green <[email protected]>
Closes: 1034723
Changes:
rust-h2 (0.3.13-2) unstable; urgency=medium
.
* Team upload.
* Package h2 0.3.13 from crates.io using debcargo 2.5.0
* Add patch limit-pending-accept-reset-streams.patch cherry picked from
upstream to fix denial of service vulnerability. CVE-2023-26964
RUSTSEC-2023-0034 (Closes: #1034723)
* Add patch fix-regression.patch cherry picked from upstream to fix a
regression introduced by the above patch.
--- End Message ---