CVE-2024-32650

Publication date 19 April 2024

Last updated 24 July 2024

Ubuntu priority

Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-rustls	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
rust-rustls-0.20	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
rust-rustls	Upstream: 2123576 Upstream: 6e938bc Upstream: f45664f

CVE-2024-32650

Status

Patch details

References

Other references