CVE-2010-3492: smtpd accept bug

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.

  • Disclosure date: 2009-08-14 (Python issue #6706 reported)

Fixed In

Python issue

asyncore’s accept() is broken.

  • Python issue: issue #6706
  • Creation date: 2009-08-14
  • Reporter: Giampaolo Rodola’

Timeline

Timeline using the disclosure date 2009-08-14 as reference:

  • 2009-08-14: Python issue #6706 reported by Giampaolo Rodola’
  • 2010-10-04 (+416 days): commit 977c707
  • 2010-10-19 (+431 days): CVE-2010-3492 published
  • 2011-02-20: Python 3.2.0 released
  • 2013-04-06 (+1331 days): Python 2.7.4 released
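
One way a daemon can handle the unsuccessful accept() calls described above, so that a single failed attempt does not terminate the accept loop. This is an added example, not CPython's patch or code from the original page. `safe_accept`, `FlakyListener` and `serve` are hypothetical names, and the listener is a constructed stub so the failure paths run offline.

```python
import errno
import os

# accept() failures that concern one pending connection, not the listening
# socket: the daemon should skip the attempt and keep serving.
TRANSIENT_ACCEPT_ERRNOS = frozenset({
    errno.ECONNABORTED,  # peer reset the connection before accept() ran
    errno.EAGAIN,        # listener reported readable, but the queue is empty
    errno.EWOULDBLOCK,   # same condition under its other name
})


def safe_accept(listener):
    """Return (conn, addr), or None if this accept() attempt failed transiently."""
    try:
        return listener.accept()
    except OSError as exc:
        if exc.errno in TRANSIENT_ACCEPT_ERRNOS:
            return None
        raise  # e.g. EBADF: the listener itself is broken, so surface it


class FlakyListener:
    """Constructed stand-in for a listening socket: fails with the given
    errno values in order, then accepts normally."""

    def __init__(self, errnos):
        self._errnos = list(errnos)

    def accept(self):
        if self._errnos:
            code = self._errnos.pop(0)
            raise OSError(code, os.strerror(code))
        return ("conn", ("192.0.2.1", 50000))  # constructed peer address


def serve(listener, attempts):
    """Run `attempts` accept cycles; return (accepted, skipped) counts."""
    accepted = skipped = 0
    for _ in range(attempts):
        if safe_accept(listener) is None:
            skipped += 1  # failed attempt is dropped, the loop survives
        else:
            accepted += 1
    return accepted, skipped


if __name__ == "__main__":
    print(serve(FlakyListener([errno.ECONNABORTED, errno.EAGAIN]), 4))
```

Errors outside the transient set are re-raised on purpose, so a genuinely broken listening socket is reported instead of being retried silently.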