Add rustls acceptor panic (#2142)

ctz · web-flow · commit 37eb6a0218f9 · 2024-11-25T10:06:55.000+01:00
diff --git a/crates/rustls/RUSTSEC-0000-0000.md b/crates/rustls/RUSTSEC-0000-0000.md
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rustls"
+date = "2024-11-22"
+url = "https://github.com/rustls/rustls/issues/2227"
+categories = ["denial-of-service"]
+
+[versions]
+patched = [">= 0.23.18"]
+unaffected = [">= 0.23, < 0.23.13", "<= 0.22"]
+```
+
+# rustls network-reachable panic in `Acceptor::accept`
+
+A bug introduced in rustls 0.23.13 leads to a panic if the received
+TLS ClientHello is fragmented.  Only servers that use
+`rustls::server::Acceptor::accept()` are affected.
+
+Servers that use `tokio-rustls`'s `LazyConfigAcceptor` API are affected.
+
+Servers that use `tokio-rustls`'s `TlsAcceptor` API are not affected.
+
+Servers that use `rustls-ffi`'s `rustls_acceptor_accept` API are affected.
