httplib unlimited read
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Limit the HTTP header readline.
Dates:
- Disclosure date: 2009-08-28 (Python issue bpo-6791 reported)
- Red Hat impact: Moderate
Fixed In
- Python 2.7.2 (2011-06-11) fixed by commit d7b6ac6 (branch 2.7) (2010-12-18)
- Python 3.1.4 (2011-06-11) fixed by commit ff1bbba (branch 3.2) (2010-12-18)
- Python 3.2.0 (2011-02-20) fixed by commit 5466bf1 (branch 3.3) (2010-12-18)
Python issue
httplib read status memory usage.
- Python issue: bpo-6791
- Creation date: 2009-08-28
- Reporter: sumar
CVE-2013-1752
** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.
- CVE ID: CVE-2013-1752
- Published: 2019-06-03
- CVSS Score: 5.0
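The difference between an unrestricted `readline()` and a capped one, as an added example that is not taken from this page or from the CPython commits listed above. The cap value `MAX_LINE`, the `LineTooLong` exception defined here, the helper names and both sample responses are assumptions constructed for illustration.

```python
import io

MAX_LINE = 65536  # assumed cap for this example; choose one that fits the protocol


class LineTooLong(Exception):
    """Raised when a peer sends a header line longer than the cap."""


def read_line_unbounded(fp):
    # Unrestricted pattern: readline() with no size argument buffers until
    # it sees b"\n" or EOF, so the peer decides how much memory is used.
    return fp.readline()


def read_line_bounded(fp, limit=MAX_LINE):
    # Ask for one byte more than the cap: getting limit+1 bytes back proves
    # the line is over the cap without reading the rest of it.
    line = fp.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong(f"header line exceeds {limit} bytes")
    return line


def read_headers(fp, limit=MAX_LINE):
    # Read the status line and headers up to the blank line, every read capped.
    lines = []
    while True:
        line = read_line_bounded(fp, limit)
        if line in (b"\r\n", b"\n", b""):
            return lines
        lines.append(line.rstrip(b"\r\n"))


# Constructed responses: one well-formed, one with a 1 MiB status line and no newline.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
HOSTILE = b"HTTP/1.1 200 " + b"A" * (1024 * 1024)

if __name__ == "__main__":
    print(read_headers(io.BytesIO(GOOD)))
    print(len(read_line_unbounded(io.BytesIO(HOSTILE))), "bytes buffered without a cap")
    fp = io.BytesIO(HOSTILE)
    try:
        read_headers(fp)
    except LineTooLong as exc:
        print("rejected:", exc, "after consuming", fp.tell(), "bytes")
```

With the cap in place, the oversized line is rejected after `MAX_LINE + 1` bytes have been read instead of after the whole line has been buffered.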
Timeline
Timeline using the disclosure date 2009-08-28 as reference:
- 2009-08-28: Python issue bpo-6791 reported by sumar
- 2010-12-18 (+477 days): commit 5466bf1 (branch 3.3)
- 2010-12-18 (+477 days): commit d7b6ac6 (branch 2.7)
- 2010-12-18 (+477 days): commit ff1bbba (branch 3.2)
- 2011-02-20: Python 3.2.0 released
- 2011-06-11 (+652 days): Python 2.7.2 released
- 2011-06-11 (+652 days): Python 3.1.4 released
- 2019-06-03 (+3566 days): CVE-2013-1752 published