CVE-2023-36461: mastodon: Denial of Service through slow HTTP responses

[Jan Schaumann <jschauma () netmeister org>]

(I have no affiliation with the project, but posting
this here because it seems to me that increasingly
non-packaged / GitHub distributed projects tend not to
send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc

(This advisory describes an issue found by Cure53 as
part of an audit performed at Mozilla's request)

When performing outgoing HTTP queries, Mastodon sets a
timeout on individual read operations, but a malicious
server can indefinitely extend the duration of the
response through slowloris-type attacks.

Impact
This vulnerability can be used to keep all Mastodon
workers busy for an extended duration of time, leading
to the server becoming unresponsive.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: 7.5/10

CVE-2023-36461

Affected versions: all
Patched versions:  4.1.3, 4.0.5, 3.5.9