RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #41
Comments
|
Thanks for heads up, unfortunately we're blocked by upstream but at least the vulnerability is not very serious. |
|
no worries. just putting it here so it's known. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm using tonic_lnd in a project of mine and was notified that there is a security issue in an upstream dependency of this project. I looked into it a bit myself but was having a difficult time understanding which version to use since it seems the
webpkiproject has been forked? I just wanted to bring this to your attention. Perhaps you can figure out the correct version to update to.webpki0.21.4>=0.22.1When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
This was previously reported in
<briansmith/webpki#69> and re-reported recently
by Luke Malinowski.
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: