Bug 2328732 (CVE-2024-11738, GHSA-qg5g-gv98-5ffh)

Summary:	CVE-2024-11738 rustls: rustls network-reachable panic in `Acceptor::accept`
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	bkabrda, lball, ngough, veshanka
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2328856, 2328857, 2330162, 2330163, 2330164
Bug Blocks:

Description OSIDB Bzimport 2024-11-25 18:01:47 UTC

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented.  Only servers that use `rustls::server::Acceptor::accept()` are affected.

Servers that use `tokio-rustls`'s `LazyConfigAcceptor` API are affected.

Servers that use `tokio-rustls`'s `TlsAcceptor` API are not affected.

Servers that use `rustls-ffi`'s `rustls_acceptor_accept` API are affected.