Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 14 Feb 2012 12:13:01 +0100


Hello vendors,

  just FYI, this issue affected also upstream
PyPy v1.6 and v1.8 versions. Relevant upstream bug
being here:
https://bugs.pypy.org/issue1047

Thanks to David Malcolm for pointing this out!

On 02/13/2012 04:57 PM, Kurt Seifried wrote:
On 02/13/2012 07:03 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

   we have been notified by Daniel Callaghan via:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=789790

about a denial of service flaw present in the way
Simple XML-RPC Server module of Python processed
client connections, that were closed prior the
complete request body has been received. A remote
attacker could use this flaw to cause Python Simple
XML-RPC based server process to consume excessive
amount of CPU.

Issue has been reported upstream at:
[2] http://bugs.python.org/issue14001

Could you allocate a CVE identifier for this?

Thank you&&  Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-0845 for this issue.

Thanks, Kurt.

Since the issue in PyPy is also coming from upstream Python
SimpleXMLRPCServer.py module implementation:

../pypy-1.6/lib-python/2.7/SimpleXMLRPCServer.py

assuming one CVE identifier is enough for both issues.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault