| Details |
|
| Package |
rustls-webpki |
| Version |
0.101.7 |
| URL |
n/a |
| Patched Versions |
>=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 |
| Aliases |
GHSA-82j2-j2ch-gfr8 |
A panic was reachable when parsing certificate revocation lists via [BorrowedCertRevocationList::from_der]
or [OwnedCertRevocationList::from_der]. This was the result of mishandling a syntactically valid empty
BIT STRING appearing in the onlySomeReasons element of a IssuingDistributionPoint CRL extension.
This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to @tynus3 for the report.
rustls-webpki0.101.7A panic was reachable when parsing certificate revocation lists via [
BorrowedCertRevocationList::from_der]or [
OwnedCertRevocationList::from_der]. This was the result of mishandling a syntactically valid emptyBIT STRINGappearing in theonlySomeReasonselement of aIssuingDistributionPointCRL extension.This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to @tynus3 for the report.