CVE-2024-32650

2024-04-1916:15:10

Debian Security Bug Tracker

security-tracker.debian.org

rustls

tls

vulnerability

infinite loop

fix

version 0.23.5

version 0.22.4

version 0.21.11

network input

blocking server

close_notify message

client_hello

rust

unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

EPSS

Percentile

15.5%

JSON

Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a close_notify message immediately after client_hello, the server’s complete_io will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

OSVersionArchitecturePackageVersionFilename
Debian12allrust-rustls<= 0.20.8-4rust-rustls_0.20.8-4_all.deb
Debian999allrust-rustls< 0.21.12-1rust-rustls_0.21.12-1_all.deb
Debian13allrust-rustls< 0.21.12-1rust-rustls_0.21.12-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	rust-rustls	<= 0.20.8-4	rust-rustls_0.20.8-4_all.deb
Debian	999	all	rust-rustls	< 0.21.12-1	rust-rustls_0.21.12-1_all.deb
Debian	13	all	rust-rustls	< 0.21.12-1	rust-rustls_0.21.12-1_all.deb