Hyper Security Vulnerability; Please Update


#1

There was a vulnerability in hyper where hyper would not escape newlines from header values when writing to the stream. Releases now exist as 0.9.16 and 0.10.2; please cargo update immediately.

For more details, the full report is here: http://seanmonstar.com/post/156314377323/hyper-security-vulnerability-message-splitting
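
As an added illustration of the issue described in the post above (not hyper's code and not part of the original post): a header writer that copies values verbatim, next to one that refuses any value containing CR or LF. The function names, the error type and the sample value are assumptions constructed for this example; rejecting the value is one possible mitigation, not necessarily the one hyper shipped.

```rust
/// Error returned when a header value contains a line break (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct InvalidHeaderValue;

/// Naive writer: copies the value to the output verbatim. A value that
/// carries CR/LF ends the current header line early, so the bytes after it
/// are read by the peer as a separate header line.
pub fn write_header_naive(out: &mut Vec<u8>, name: &str, value: &str) {
    out.extend_from_slice(name.as_bytes());
    out.extend_from_slice(b": ");
    out.extend_from_slice(value.as_bytes());
    out.extend_from_slice(b"\r\n");
}

/// Checked writer: rejects any value containing CR or LF (a bare LF is also
/// accepted as a line ending by many parsers) and writes nothing on error.
pub fn write_header_checked(
    out: &mut Vec<u8>,
    name: &str,
    value: &str,
) -> Result<(), InvalidHeaderValue> {
    if value.bytes().any(|b| b == b'\r' || b == b'\n') {
        return Err(InvalidHeaderValue);
    }
    write_header_naive(out, name, value);
    Ok(())
}

/// Number of LF-terminated lines a receiving parser would see in `buf`.
pub fn header_line_count(buf: &[u8]) -> usize {
    buf.iter().filter(|&&b| b == b'\n').count()
}

fn main() {
    // Constructed sample: an application-supplied value with an embedded CRLF.
    let value = "en\r\nX-Constructed: 1";

    let mut naive = Vec::new();
    write_header_naive(&mut naive, "Content-Language", value);

    let mut checked = Vec::new();
    let result = write_header_checked(&mut checked, "Content-Language", value);

    println!("naive writer emitted {} header lines", header_line_count(&naive));
    println!("checked writer: {:?}, {} bytes written", result, checked.len());
}
```
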


#2

I think it would make sense to get a CVE number for that.

(there’s a typo in the code example. subbmited -> submitted)


#3

Thanks for the notice, @seanmonstar!


#4

It appears there was an issue in crates.io when I published 0.9.16, such that it failed to update the index. I’ve published 0.9.17 which is the exact same source code, so that people can update.