4 matches found
GHSA-6G7W-8WPP-FRHJ Denial of Service Vulnerability in Rustls Library
Summary rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. Details Verified at 0.22 and 0.23 rustls, but 0.21 and 0.20 release lines are also affected. tokio-rustls and rustls-ffi do not call complete_io and are not affected. rustls::Stream and...
CVE-2024-32650
CVE-2024-32650 affects rustls: complete_io in a blocking rustls server can enter an infinite loop if a client sends close_notify right after client_hello, leading to a denial of service. Fixes exist in rustls releases 0.23.5, 0.22.4, and 0.21.11. Remediation is to upgrade to one of these versions ...
CVE-2024-32650 Rustls vulnerable to an infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input
Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get in an infinite...
RUSTSEC-2024-0336 `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
If a close_notify alert is received during a handshake, complete_io does not terminate. Callers which do not call complete_io are not affected. rustls-tokio and rustls-ffi do not call complete_io and are not affected. rustls::Stream and rustls::StreamOwned types use complete_io and are affected...