| Main Archive Page > Month Archives > oss-security archives |
Re: [oss-security] CVE Request -- python (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request
From: Jan Lieskovsky <jlieskov_at_nospam>Date: Tue Feb 14 2012 - 11:13:01 GMT
Hello vendors,
just FYI, this issue affected also upstream
PyPy v1.6 and v1.8 versions. Relevant upstream bug
being here:
https://bugs.pypy.org/issue1047
Thanks to David Malcolm for pointing this out!
On 02/13/2012 04:57 PM, Kurt Seifried wrote:
> On 02/13/2012 07:03 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
>>
>> we have been notified by Daniel Callaghan via:
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=789790
>>
>> about a denial of service flaw present in the way
>> Simple XML-RPC Server module of Python processed
>> client connections, that were closed prior the
>> complete request body has been received. A remote
>> attacker could use this flaw to cause Python Simple
>> XML-RPC based server process to consume excessive
>> amount of CPU.
>>
>> Issue has been reported upstream at:
>> [2] http://bugs.python.org/issue14001
>>
>> Could you allocate a CVE identifier for this?
>>
>> Thank you&& Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Please use CVE-2012-0845 for this issue.
Thanks, Kurt.
Since the issue in PyPy is also coming from upstream Python
SimpleXMLRPCServer.py module implementation:
../pypy-1.6/lib-python/2.7/SimpleXMLRPCServer.py
assuming one CVE identifier is enough for both issues.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team