Merge pull request #23 from python-hyper/issue/22
Showing 8 changed files with 157 additions and 2 deletions.
|
@@ -23,6 +23,7 @@ Contents: | |
installation | ||
using-priority | ||
api | ||
security/index | ||
license | ||
authors | ||
|
||
|
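Review bot: The new `security/index` toctree entry sits between `api` and `license`, which reads naturally; since the advisory document added in this PR is marked `:orphan:` and is reachable only through the `:doc:` reference in the new security index, please confirm a Sphinx build of the docs runs warning-free with both new files in place.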
@@ -0,0 +1,64 @@ | ||
:orphan: | ||
|
||
DoS via Unlimited Stream Insertion | ||
================================== | ||
|
||
Hyper Project security advisory, August 4th 2016. | ||
|
||
Vulnerability | ||
------------- | ||
|
||
A HTTP/2 implementation built using the priority library could be targetted by | ||
a malicious peer by having that peer assign priority information for every | ||
possible HTTP/2 stream ID. The priority tree would happily continue to store | ||
the priority information for each stream, and would therefore allocate | ||
unbounded amounts of memory. Attempting to actually *use* a tree like this | ||
would also cause extremely high CPU usage to maintain the tree. | ||
|
||
We are not aware of any active exploits of this vulnerability, but as this | ||
class of attack was publicly described in `this report`_, users should assume | ||
that they are at imminent risk of this kind of attack. | ||
|
||
Info | ||
---- | ||
|
||
This issue has been given the name CVE-2016-6580. | ||
|
||
Affected Versions | ||
----------------- | ||
|
||
This issue affects all versions of the priority library prior to 1.2.0. | ||
|
||
The Solution | ||
------------ | ||
|
||
In version 1.2.0, the priority library limits the maximum number of streams | ||
that can be inserted into the tree. By default this limit is 1000, but it is | ||
user-configurable. | ||
|
||
If it is necessary to backport a patch, the patch can be found in | ||
`this GitHub pull request`_. | ||
|
||
Recommendations | ||
--------------- | ||
|
||
We suggest you take the following actions immediately, in order of preference: | ||
|
||
1. Update priority to 1.2.0 immediately, and consider revising the maximum | ||
number of streams downward to a suitable value for your application. | ||
2. Backport the patch made available on GitHub. | ||
3. Manually enforce a limit on the number of priority settings you'll allow at | ||
once. | ||
|
||
Timeline | ||
-------- | ||
|
||
This class of vulnerability was publicly reported in `this report`_ on the | ||
3rd of August. We requested a CVE ID from Mitre the same day. | ||
|
||
Priority 1.2.0 was released on the 4th of August, at the same time as the | ||
publication of this advisory. | ||
|
||
|
||
.. _this report: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf | ||
.. _this GitHub pull request: https://github.com/python-hyper/priority/pull/23 |
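Review bot: The Solution section states that the 1000-stream default limit is user-configurable but never names the setting, so Recommendations item 1 ("consider revising the maximum number of streams downward") cannot be acted on from this page; name the constructor argument (it does not appear in this diff) or link to the `api` page where it is documented. Two wording fixes in the Vulnerability paragraph: "A HTTP/2 implementation" should be "An HTTP/2 implementation" and "targetted" should be "targeted". The Timeline gives "3rd of August" and "4th of August" without a year; the header line does say August 4th 2016, but repeating the year in the Timeline keeps the advisory unambiguous when it is read out of context.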
@@ -0,0 +1,19 @@ | ||
Vulnerability Notifications | ||
=========================== | ||
|
||
This section of the page contains all known vulnerabilities in the priority | ||
library. These vulnerabilities have all been reported to us via our | ||
`vulnerability disclosure policy`_. | ||
|
||
Known Vulnerabilities | ||
--------------------- | ||
|
||
+----+---------------------------+----------------+---------------+--------------+---------------+ | ||
| \# | Vulnerability | Date Announced | First Version | Last Version | CVE | | ||
+====+===========================+================+===============+==============+===============+ | ||
| 1 | :doc:`DoS via unlimited | 2016-08-04 | 1.0.0 | 1.1.1 | CVE-2016-6580 | | ||
| | stream insertion. | | | | | | ||
| | <CVE-2016-6580>` | | | | | | ||
+----+---------------------------+----------------+---------------+--------------+---------------+ | ||
|
||
.. _vulnerability disclosure policy: http://python-hyper.org/en/latest/security.html#vulnerability-disclosure |
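Review bot: The `:doc:` link text in the table, "DoS via unlimited stream insertion.", carries a trailing period inside the role, so the period renders as part of the link label; drop it. The Last Version column lists 1.1.1 while the advisory itself says "all versions of the priority library prior to 1.2.0"; confirm 1.1.1 is the final pre-1.2.0 release so the two statements agree.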