Merge pull request #221 from roy-work/roy/fix-http-affected-ranges

Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20
rustsec · Jan 9, 2020 · 4d05143 · 4d05143
2 parents 2899482 + 200651c
commit 4d05143
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/crates/http/RUSTSEC-2019-0033.toml b/crates/http/RUSTSEC-2019-0033.toml
@@ -13,12 +13,12 @@ the library will invoke `self.grow(0)` and start infinite probing.
 This allows an attacker who controls the argument to `reserve()`
 to cause a potential denial of service (DoS).
 
-The flaw was corrected in 0.2.0 release of `http` crate.
+The flaw was corrected in 0.1.20 release of `http` crate.
 """
-patched_versions = [">= 0.2.0"]
+patched_versions = [">= 0.1.20"]
 url = "https://github.com/hyperium/http/issues/352"
 categories = ["denial-of-service"]
 keywords = ["http", "integer-overflow", "DoS"]
 
 [affected.functions]
-"http::header::HeaderMap::reserve" = ["< 0.2.0"]
+"http::header::HeaderMap::reserve" = ["< 0.1.20"]
diff --git a/crates/http/RUSTSEC-2019-0034.toml b/crates/http/RUSTSEC-2019-0034.toml
@@ -10,11 +10,11 @@ which introduced unsoundness in its public safe API.
 [Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354),
 and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355).
 
-The flaw was corrected in 0.2.0 release of `http` crate.
+The flaw was corrected in 0.1.20 release of `http` crate.
 """
-patched_versions = [">= 0.2.0"]
+patched_versions = [">= 0.1.20"]
 categories = ["memory-corruption"]
 keywords = ["memory-safety", "double-free", "unsound"]
 
 [affected.functions]
-"http::header::HeaderMap::drain" = ["< 0.2.0"]
+"http::header::HeaderMap::drain" = ["< 0.1.20"]