[Security] Bump hyper from 0.9.3 to 0.9.18 #75

Closed

Conversation

dependabot-preview[bot]
Contributor

@dependabot-preview dependabot-preview bot commented Oct 16, 2019

Bumps hyper from 0.9.3 to 0.9.18. This update includes security fixes.

Vulnerabilities fixed

Sourced from The RustSec Advisory Database.

headers containing newline characters can split messages
Serializing of headers to the socket did not filter the values for newline bytes (\r or \n),
which allowed for header values to split a request or response. People would not likely include
newlines in the headers in their own applications, so the way for most people to exploit this
is if an application constructs headers based on unsanitized user input.

This issue was fixed by replacing all newline characters with a space during serialization of
a header value.

Patched versions: >= 0.10.2; < 0.10.0, >= 0.9.18
Unaffected versions: none

Sourced from The RustSec Advisory Database.

HTTPS MitM vulnerability due to lack of hostname verification
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not
perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by presenting any valid
CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for
hostname verification.

Patched versions: >= 0.9.4
Unaffected versions: none

Release notes

Sourced from hyper's releases.

v0.9.14

Bug Fixes

  • client: close Pooled streams on sockopt error (d5ffee2e)

v0.9.13

Features

  • error: re-export url::ParseError (30e78ac2)

v0.9.12

Features

  • error: export url::ParseError in hyper's error module

v0.9.11

Bug Fixes

  • headers: Allow IPv6 Addresses in Host header (20f177ab)

Features

  • headers:
    • Add strict-origin and strict-origin-when-cross-origin referer policy (1be4e769)
    • support multiple values for Referrer-Policy header (dc476657, closes #882)
    • add last-event-id header (2277987f)
  • server: accept combined certificate files (eeb1f48e)

v0.9.10

Features

v0.9.9

Bug Fixes

  • headers: Remove raw part when getting mutable reference to typed header (63b61524, closes #821)

Features

  • error: Display for Error shows better info (5620fbf9, closes #694)

v0.9.8

Features

  • client: enable use of custom TLS wrapper for proxied connections (0476196c, closes #824)

v0.9.7

Bug Fixes

  • proxy: fix the 0.9.x build with --no-default-features --features=security-framework (6caffe9f, closes #819)
  • server: Request.ssl() works (ce0b62ea)

v0.9.6

Bug Fixes

  • client: Manually impl Debug for PooledStream (aa692236)
  • server: Switch Ssl to SslServer in bounds (470bc8ec)
... (truncated)
Changelog

Sourced from hyper's changelog.

v0.9.18 (2017-01-30)

Bug Fixes

  • header: enable SetCookie.fmt_header when only 1 cookie (e3f317ee)

v0.9.17 (2017-01-24)

Bug Fixes

  • client: only set Host header when not present (98342399)
  • header: security fix for header values that include newlines (39ef6355)

Breaking Changes

  • This technically will cause code that calls
    SetCookie.fmt_header to panic, as it is no longer possible to properly write
    that method. Most people should not be doing this at all, and all
    other ways of printing headers should work just fine.

    The breaking change must occur in a patch version because of the
    security nature of the fix.

(39ef6355)

v0.9.16 (2017-01-23)

v0.9.15 (2017-01-19)

Bug Fixes

  • header: security fix for header values that include newlines (a5437373)

Breaking Changes

  • This technically will cause code that calls
    SetCookie.fmt_header to panic, as it is no longer possible to properly write
    that method. Most people should not be doing this at all, and all
    other ways of printing headers should work just fine.

    The breaking change must occur in a patch version because of the
    security nature of the fix.

... (truncated)
Commits
  • 483b9e5 v0.9.18
  • e3f317e fix(header): enable SetCookie.fmt_header when only 1 cookie
  • 54f4f6c v0.9.17
  • 3808fe8 v0.9.16
  • 6ed66e2 refactor(SetCookie): remove println
  • 564e532 refactor(header): only import langtag macro for tests
  • ac97ab5 v0.9.15
  • 4a26aea refactor(error): make Void a unit struct with private field instead of empty ...
  • 39ef635 fix(header): security fix for header values that include newlines
  • 21fb1ee Merge pull request #982 from nabijaczleweli/0.9.x
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

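The first advisory above describes request/response splitting through unfiltered header values, and the fix it names (every CR and LF in a value replaced with a space). The block below is an added example, not hyper's code, that reproduces both behaviours side by side: a serializer that writes the value untouched, the same serializer with the advisory's filter applied, and a deliberately lenient receiver-side parser that accepts bare LF as well as CRLF, so the reader can see how many header lines the peer ends up with. The header name, the attacker-controlled `Location` value and the parser are all constructed for this example.

```rust
// Added example, not hyper's code: a minimal header serializer that
// reproduces the class of bug in the advisory, beside the fixed form.

/// Pre-fix behaviour as the advisory describes it: the value goes to the
/// wire untouched, so a CR/LF inside it terminates the header line early.
fn serialize_headers_unfiltered(headers: &[(&str, &str)]) -> String {
    let mut out = String::new();
    for (name, value) in headers {
        out.push_str(name);
        out.push_str(": ");
        out.push_str(value);
        out.push_str("\r\n");
    }
    out
}

/// The fix the advisory describes: every CR and LF in a value becomes a
/// space before serialization, so the value can no longer end the line.
fn sanitize_header_value(value: &str) -> String {
    value
        .chars()
        .map(|c| if c == '\r' || c == '\n' { ' ' } else { c })
        .collect()
}

/// Same serializer with the sanitizer applied to each value.
fn serialize_headers_filtered(headers: &[(&str, &str)]) -> String {
    let mut out = String::new();
    for (name, value) in headers {
        out.push_str(name);
        out.push_str(": ");
        out.push_str(&sanitize_header_value(value));
        out.push_str("\r\n");
    }
    out
}

/// Constructed receiver-side parser. It is deliberately lenient (CRLF or
/// bare LF both end a line), as many real HTTP parsers are, which is why a
/// lone `\n` in a value is already enough to split a message.
fn parse_header_block(wire: &str) -> Vec<(String, String)> {
    wire.split('\n')
        .map(|line| line.trim_end_matches('\r'))
        .filter(|line| !line.is_empty())
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            Some((name.trim().to_string(), value.trim().to_string()))
        })
        .collect()
}

/// Number of header lines the receiver sees after round-tripping `headers`
/// through the given serializer.
fn header_count(serialize: fn(&[(&str, &str)]) -> String, headers: &[(&str, &str)]) -> usize {
    parse_header_block(&serialize(headers)).len()
}

/// Constructed attacker-controlled input: what an application would emit if
/// it copied an unsanitized redirect target straight into Location.
const INJECTED_LOCATION: &str = "/home\r\nSet-Cookie: session=attacker-chosen";

fn main() {
    let headers = [("Location", INJECTED_LOCATION)];
    let raw = serialize_headers_unfiltered(&headers);
    let fixed = serialize_headers_filtered(&headers);
    println!("unfiltered wire:\n{}", raw);
    println!("receiver parses {} header(s)\n", parse_header_block(&raw).len());
    println!("filtered wire:\n{}", fixed);
    println!("receiver parses {} header(s)", parse_header_block(&fixed).len());
}
```

With the unfiltered serializer the receiver sees two headers, the second being the injected `Set-Cookie`; with the filter applied it sees one `Location` header whose value still contains the literal text `Set-Cookie: ...` but no line break. The fix neutralizes the split, it does not validate the value, so the application that built the header from user input still has an input-validation problem worth fixing upstream of the HTTP library.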
Bumps [hyper](https://github.com/hyperium/hyper) from 0.9.3 to 0.9.18. **This update includes security fixes.**
- [Release notes](https://github.com/hyperium/hyper/releases)
- [Changelog](https://github.com/hyperium/hyper/blob/v0.9.18/CHANGELOG.md)
- [Commits](hyperium/hyper@v0.9.3...v0.9.18)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added the labels Aspect: Security (Can an unwanted third party affect the stability or look at privileged information?) and dependencies (Pull requests that update a dependency file) on Oct 16, 2019
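The second advisory describes a client that validated the certificate chain but never compared the certificate's names with the hostname it was connecting to, so any valid CA-issued certificate was accepted. The block below is added here and is not hyper's or rust-openssl's code: it models that missing step with a standard-library DNS-ID matcher following the RFC 6125 wildcard rules, on a constructed scenario in which an on-path attacker presents their own genuinely CA-issued certificate for `attacker.example` to a client connecting to `bank.example`. The `PresentedCert` type, the `chain_valid` flag standing in for real chain validation, and the host names are assumptions of the example; in production code use the TLS library's built-in verification, as the fix did, rather than hand-rolled matching.

```rust
// Added illustration of the check the advisory says was missing on Windows
// before hyper 0.9.4. Not hyper's or rust-openssl's code; standard library only.

#[derive(Debug, PartialEq)]
enum Verdict {
    Trusted,
    UntrustedChain,
    HostnameMismatch,
}

/// The parts of a presented leaf certificate this check needs. Chain
/// validation is modelled as a flag (assumption of this example) because
/// building and validating a real X.509 chain is out of scope here.
struct PresentedCert {
    /// dNSName entries from the subjectAltName extension.
    dns_names: Vec<&'static str>,
    /// Whether the chain validated up to a trusted CA.
    chain_valid: bool,
}

/// Case-insensitive match of one DNS-ID against the requested hostname.
/// A wildcard is accepted only as the entire leftmost label, must match
/// exactly one label, and must leave at least two literal labels, so
/// "*.example.com" matches "api.example.com" but not "a.b.example.com",
/// "example.com", and "*.com" matches nothing.
fn name_matches(pattern: &str, hostname: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let hostname = hostname.trim_end_matches('.').to_ascii_lowercase();
    if !pattern.starts_with("*.") {
        return pattern == hostname;
    }
    let suffix = &pattern[1..]; // ".example.com"
    if suffix.matches('.').count() < 2 {
        return false; // too few literal labels for a wildcard
    }
    match hostname.strip_suffix(suffix) {
        Some(label) => !label.is_empty() && !label.contains('.') && !label.contains('*'),
        None => false,
    }
}

/// Chain validation alone proves the peer holds *some* CA-issued
/// certificate. Skipping the hostname step (`check_hostname = false`, the
/// pre-0.9.4 Windows path in the advisory) lets a certificate for
/// attacker.example pass for a connection to bank.example.
fn verify(cert: &PresentedCert, hostname: &str, check_hostname: bool) -> Verdict {
    if !cert.chain_valid {
        return Verdict::UntrustedChain;
    }
    if !check_hostname {
        return Verdict::Trusted;
    }
    if cert.dns_names.iter().any(|n| name_matches(n, hostname)) {
        Verdict::Trusted
    } else {
        Verdict::HostnameMismatch
    }
}

/// Constructed scenario: an on-path attacker's own, validly issued
/// certificate, presented to a client that asked for bank.example.
fn attacker_cert() -> PresentedCert {
    PresentedCert {
        dns_names: vec!["attacker.example", "*.attacker.example"],
        chain_valid: true,
    }
}

fn main() {
    let cert = attacker_cert();
    println!("without hostname check: {:?}", verify(&cert, "bank.example", false));
    println!("with hostname check:    {:?}", verify(&cert, "bank.example", true));
}
```

The point of the example is the gap between `UntrustedChain` and `HostnameMismatch`: a chain-only check answers "was this certificate issued by a trusted CA?", while the hostname step answers "was it issued to the host I asked for?", and only the second one stops an attacker who can obtain any valid certificate at all.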
@tas50
Contributor

tas50 commented May 3, 2021

@dependabot rebase

@dependabot-preview
Contributor Author

Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@dependabot-preview
Contributor Author

Superseded by #151.

@dependabot-preview dependabot-preview bot deleted the dependabot/cargo/hyper-0.9.18 branch May 5, 2021 01:03