On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> Hi fellow LTS development team
>
> I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
> and what it can cause is a CPU load issue (on the client side as I
> understand). I can not really see how it can be exploited in any normal
> client. Sure if the attacker creates new python code it can, but then it
> can do that anyway because an infinite loop is quite easy to do in any
> python code.

I don't know for sure, but I think the test case given in the upstream
issue exercises part of the normal response handling. I think it shows
what happens if a server sends a response with the header field:

www-authenticate: Basic ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm

Ben.

> So I think it is probably a minor issue, but I would like to check with
> others for an opinion.
>
> For now I have marked as ignored, but if people have good arguments I will
> change my mind.
>
> Best regards
>
> // Ola

--
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
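An added example, not CPython's code and not the upstream fix for CVE-2020-8492: a single-pass WWW-Authenticate parser a client could use to check a server's challenge before handing it to authentication code. Both header values are constructed here; PATHOLOGICAL_HEADER follows the shape of the header quoted in the message above, and the parser returns no realm for it rather than spending CPU time on it.

```python
import re

# Constructed header values for the demo. PATHOLOGICAL_HEADER mirrors the
# shape quoted in the message: many empty list members before "foo realm".
NORMAL_HEADER = 'Basic realm="Debian LTS"'
PATHOLOGICAL_HEADER = "Basic " + "," * 64 + " foo realm"

# Lexer: quoted-string, bare word, "=" or ",". Each alternative is a plain
# character class with no nested quantifier, so a failed match costs at most
# one pass over the remaining input, never an exponential backtrack.
# Whitespace matches nothing and is simply skipped by finditer.
_LEXER = re.compile(r'"(?:[^"\\]|\\.)*"|[^\s",=]+|=|,')


def parse_www_authenticate(value):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].
    One left-to-right pass: a bare word followed by "=" is an auth-param of
    the current challenge, any other bare word starts a new challenge, and
    empty list members (",,") are ignored as RFC 7230 permits."""
    tokens = [m.group(0) for m in _LEXER.finditer(value)]
    challenges, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ",":
            i += 1
            continue
        if i + 1 < len(tokens) and tokens[i + 1] == "=":
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            raw = tokens[i + 2] if i + 2 < len(tokens) else ""
            if raw in ("=", ","):
                raw = ""  # "realm=," carries no value
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\"', '"')  # unquote, unescape \"
            challenges[-1][1][tok.lower()] = raw
            i += 3
        else:
            challenges.append((tok, {}))
            i += 1
    return challenges


def basic_realm(value):
    """Realm of the first Basic challenge, or None if no well-formed realm."""
    for scheme, params in parse_www_authenticate(value):
        if scheme.lower() == "basic":
            return params.get("realm")
    return None
```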