RUSTSEC-2017-0003

Hostname verification skipped when custom root certs used

Issued
Package
security-framework (crates.io)
Type
Vulnerability
Aliases
Details
https://github.com/sfackler/rust-security-framework/pull/27
Patched
  • >=0.1.12
Keywords
  • mitm

Description

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate.

This issue was fixed by properly configuring the trust evaluation logic to perform that check.

More