
Re: Triage advice for CVE-2020-8492

On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> Hi fellow LTS development team
> I'm not sure how to handle CVE-2020-8492. It is a client-side vulnerability
> and what it can cause is a CPU load issue (on the client side as I
> understand). I cannot really see how it can be exploited in any normal
> client. Sure, if the attacker creates new Python code it can, but then it
> can do that anyway because an infinite loop is quite easy to do in any
> Python code.

I don't know for sure, but I think the test case given in the upstream
issue exercises part of the normal response handling.  I think it shows
what happens if a server sends a response with the header field:

www-authenticate: Basic ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm


> So I think it is probably a minor issue, but I would like to check with
> others for an opinion.
> For now I have marked as ignored, but if people have good arguments I will
> change my mind.
> Best regards
> // Ola
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
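As an added illustration (not part of this thread or of Python itself): the shape of the header-parsing pattern behind this report next to a linear-time alternative, run against the header value quoted above. Both patterns are written down from memory of urllib's AbstractBasicAuthHandler and its fix, so treat their exact text as an assumption.

```python
import re
import time

# Header value from the upstream test case quoted in the message above
# (60 commas and no "realm=", so no match can ever succeed).
CHALLENGE = "Basic " + "," * 60 + " foo realm"

# Pre-fix shape of urllib's AbstractBasicAuthHandler.rx, reproduced from
# memory (assumption). '(?:.*,)*' lets '.*' swallow commas itself, so on a
# failing match the engine retries every way of splitting the comma run
# between '.*' and the outer repeat: exponential in the number of commas.
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Linear-time shape (also an assumption, not the project's code): a challenge
# may only begin at the start of the value or directly after a comma, and the
# scheme token may not contain commas, so each position is tried once.
HARDENED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_realm(header, rx=HARDENED_RX):
    """Return (scheme, realm) from a WWW-Authenticate value, or None."""
    m = rx.search(header)
    return (m.group(1), m.group(3)) if m else None


def reject_time(rx, commas):
    """Seconds the pattern needs to reject a realm-less challenge."""
    header = "Basic " + "," * commas + " foo realm"
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(parse_realm('Basic realm="WallyWorld"'))   # ('Basic', 'WallyWorld')
    print(parse_realm(CHALLENGE))                    # None, returned at once
    # The doubling per comma is visible at small sizes already; the 60-comma
    # header is deliberately not fed to the vulnerable pattern here.
    for n in (10, 12, 14):
        print(f"vulnerable, {n} commas: {reject_time(VULNERABLE_RX, n):.4f}s")
    print(f"hardened, 60 commas: {reject_time(HARDENED_RX, 60):.6f}s")
```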
