GHSA-rp9h-rf7g-hwgr – s2n-tls
Package
Manager: cargo
Name: s2n-tls
Vulnerable Version: >=0 <0.3.7
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
s2n-tls has undefined behavior at process exit

### Impact

s2n-tls uses the Linux atexit function to register functions that clean up the global state when the process exits. In multi-threaded environments, the atexit handler may clean up state which is still in use by other threads. When this occurs, the exiting process may experience a segmentation fault or other undefined behavior.

Customers of AWS services do not need to take action. Applications using s2n-tls should upgrade to the most recent release of s2n-tls.

**Impacted versions**: < v1.5.9.

### Patches

The patch commit [493b771](https://github.com/aws/s2n-tls/commit/493b77167dc367c394de23cfe78a029298e2a254) is included in s2n-tls v1.5.9 [1].

### Workarounds

The atexit handler may be disabled by calling `s2n_disable_atexit()` prior to initializing s2n-tls. The atexit handler is off by default in the patched versions. For further details, refer to [s2n-tls Usage Guide: Initialization and Teardown](https://github.com/aws/s2n-tls/blob/main/docs/usage-guide/topics/ch02-initialization.md).

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

[1] https://github.com/aws/s2n-tls/releases/tag/v1.5.9
[2] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
Metadata
Created: 2024-11-14T15:45:55Z
Modified: 2024-11-14T15:45:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-rp9h-rf7g-hwgr/GHSA-rp9h-rf7g-hwgr.json
CWE IDs: []
Alternative ID: N/A
Finding: F111
Auto approve: 1