rustsec/advisory-db
1
0
Fork 0
mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add patched version to RUSTSEC-2023-0029 (#1817)

Browse Source
This commit is contained in:
Paolo Barbolini
2023-11-08 10:57:41 +01:00
committed by GitHub
parent 378e212597
commit 0f4e16f7cd
1 changed files with 1 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crates/nats/RUSTSEC-2023-0029.md
View File

@@ -8,7 +8,7 @@ keywords = ["tls", "mitm"]
aliases = ["GHSA-wvc4-j7g5-4f79"]
[versions]
patched = []
patched = [">=0.24.1"]
unaffected = ["< 0.9.0"]
```
@@ -16,10 +16,6 @@ unaffected = ["< 0.9.0"]
The NATS official Rust clients are vulnerable to MitM when using TLS.
A fix for the `nats` crate hasn't been released yet. Since the `nats` crate
is going to be deprecated anyway, consider switching to `async-nats` `>= 0.29`
which already fixed this vulnerability.
The common name of the server's TLS certificate is validated against
the `host`name provided by the server's plaintext `INFO` message
during the initial connection setup phase. A MitM proxy can tamper with