oss-sec mailing list archives
Re: CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 14 Feb 2012 12:13:01 +0100
Hello vendors, just FYI, this issue affected also upstream PyPy v1.6 and v1.8 versions. Relevant upstream bug being here: https://bugs.pypy.org/issue1047 Thanks to David Malcolm for pointing this out! On 02/13/2012 04:57 PM, Kurt Seifried wrote:
On 02/13/2012 07:03 AM, Jan Lieskovsky wrote:Hello Kurt, Steve, vendors, we have been notified by Daniel Callaghan via: [1] https://bugzilla.redhat.com/show_bug.cgi?id=789790 about a denial of service flaw present in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU. Issue has been reported upstream at: [2] http://bugs.python.org/issue14001 Could you allocate a CVE identifier for this? Thank you&& Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response TeamPlease use CVE-2012-0845 for this issue.
Thanks, Kurt. Since the issue in PyPy is also coming from upstream Python SimpleXMLRPCServer.py module implementation: ../pypy-1.6/lib-python/2.7/SimpleXMLRPCServer.py assuming one CVE identifier is enough for both issues. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request Jan Lieskovsky (Feb 13)
- Re: CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request Kurt Seifried (Feb 13)
- Re: CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request Jan Lieskovsky (Feb 14)
- Re: CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request Kurt Seifried (Feb 13)