Description
Himmelblau uses the rustls crate for TLS communication. A vulnerability (CVE-2024-11738) was discovered in rustls versions 0.23.13 through 0.23.17: a server that hands a fragmented TLS ClientHello (one split across multiple TLS records) to rustls::server::Acceptor::accept() can be made to panic, so a remote, unauthenticated peer can cause a denial of service (DoS) against servers that use that API. Himmelblau acts as a TLS client and is not known to use the affected rustls::server::Acceptor::accept() API, but this advisory is issued out of an abundance of caution so that all users run a version of Himmelblau built against a non-vulnerable rustls dependency.
Impact
None.
Patches
Update to Himmelblau 0.7.7, or 0.6.16 on the 0.6 release branch, or later. These releases bump the rustls dependency to a version that addresses the vulnerability.
Workarounds
If updating immediately is not possible, manually update the rustls dependency in Cargo.toml to version 0.23.19 or later and rebuild Himmelblau. After rebuilding, confirm that the resolved (locked) rustls version is outside the affected range; the version pinned in Cargo.toml is only what was requested, not necessarily what was built.
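The check described above, as an added example that is not part of the Himmelblau project or of this advisory: a POSIX shell script that scans a Cargo.lock for every locked version of the rustls crate and flags those inside the affected range 0.23.13 through 0.23.17. The embedded lock-file fragment is constructed for illustration; in a real checkout the functions are fed the project's own Cargo.lock.

```shell
#!/bin/sh
# Added example, not Himmelblau project code: scan a Cargo.lock for locked
# `rustls` versions that fall inside the range affected by CVE-2024-11738
# (0.23.13 through 0.23.17). The lock fragment below is constructed for
# illustration only; run the functions against a real Cargo.lock instead.
SAMPLE_LOCK=$(cat <<'EOF'
[[package]]
name = "rustls"
version = "0.23.16"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-pki-types"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
)

# Read a Cargo.lock on stdin and print every locked version of the `rustls`
# crate, one per line. A workspace can lock more than one, and the name match
# is exact so `rustls-pki-types` and similar crates are not mistaken for it.
rustls_versions_in_lock() {
    awk '
        /^\[\[package\]\]$/ { is_rustls = 0 }
        /^name = "rustls"$/ { is_rustls = 1 }
        is_rustls && /^version = "/ {
            gsub(/^version = "|"$/, "")
            print
        }
    '
}

# Return 0 (true) when VERSION is inside the affected range 0.23.13..0.23.17.
# Only the 0.23 line is affected; earlier minors and 0.23.18 or later are fine.
rustls_version_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop any pre-release or build suffix
    [ "$major" = 0 ] && [ "$minor" = 23 ] && [ "$patch" -ge 13 ] && [ "$patch" -le 17 ]
}

# Read a Cargo.lock on stdin, report each locked rustls version, and return
# non-zero if any of them still needs the CVE-2024-11738 update.
check_lock() {
    status=0
    for v in $(rustls_versions_in_lock); do
        if rustls_version_vulnerable "$v"; then
            echo "rustls $v: affected by CVE-2024-11738; run 'cargo update -p rustls --precise 0.23.19' and rebuild"
            status=1
        else
            echo "rustls $v: not in the affected range"
        fi
    done
    return $status
}

if printf '%s\n' "$SAMPLE_LOCK" | check_lock; then
    echo "no affected rustls versions locked"
else
    echo "update required before rebuilding Himmelblau"
fi
```

Against a real tree, run `check_lock < Cargo.lock`. rustls is often pulled in transitively (for example through an HTTP client crate) rather than listed directly in Cargo.toml, so `cargo tree -i rustls` shows which dependency chain resolves it, and `cargo update -p rustls --precise 0.23.19` moves only the locked rustls version without disturbing other crates.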
References