httplib unlimited read
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Limit the HTTP header readline.
Dates:
Disclosure date: 2009-08-28 (Python issue bpo-6791 reported)
Red Hat impact: Moderate
Fixed In
Python 2.7.2 (2011-06-11) fixed by commit d7b6ac6 (branch 2.7) (2010-12-18)
Python 3.1.4 (2011-06-11) fixed by commit ff1bbba (branch 3.2) (2010-12-18)
Python 3.2.0 (2011-02-20) fixed by commit 5466bf1 (branch 3.3) (2010-12-18)
Python issue
httplib read status memory usage.
Python issue: bpo-6791
Creation date: 2009-08-28
Reporter: sumar
CVE-2013-1752
** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.
CVE ID: CVE-2013-1752
Published: 2019-06-03
CVSS Score: 5.0
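The unbounded and bounded readline patterns that the fix description ("Limit the HTTP header readline") and the CVE text refer to, as an added example rather than code from this page or from CPython: MAXLINE and LineTooLong are assumed to mirror the constant and exception the patched httplib introduced, and the sample responses are constructed.

```python
import io

# Cap mirroring the _MAXLINE = 65536 constant the fix added to httplib (assumed to match).
MAXLINE = 65536

class LineTooLong(Exception):
    """Raised instead of buffering an arbitrarily long status or header line."""
    def __init__(self, line_type):
        super().__init__("got more than %d bytes when reading %s" % (MAXLINE, line_type))

def read_line_unbounded(fp):
    # Pre-fix pattern: no size argument, so the peer decides how much we buffer.
    return fp.readline()

def read_line_bounded(fp, line_type, maxline=MAXLINE):
    # Post-fix pattern: read at most maxline+1 bytes; anything beyond maxline
    # means the line is over the cap, so fail fast instead of growing further.
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong(line_type)
    return line

def read_response_head(fp, maxline=MAXLINE):
    """Parse the status line and headers from fp, bounding every readline call."""
    status = read_line_bounded(fp, "status line", maxline)
    headers = {}
    while True:
        line = read_line_bounded(fp, "header line", maxline)
        if line in (b"\r\n", b"\n", b""):  # blank line or EOF ends the headers
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status.rstrip(b"\r\n").decode("latin-1"), headers

def parse_response(payload, maxline=MAXLINE):
    # Convenience wrapper: parse a complete response held in memory.
    return read_response_head(io.BytesIO(payload), maxline)

# Constructed sample responses, not captured traffic.
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
OVERSIZED = b"HTTP/1.1 200 OK\r\nX-Pad: " + b"A" * (MAXLINE + 10) + b"\r\n\r\n"

def bytes_buffered_unbounded(payload=OVERSIZED):
    """Bytes the pre-fix reader holds in memory for the oversized header line."""
    fp = io.BytesIO(payload)
    read_line_unbounded(fp)  # consume the status line
    return len(read_line_unbounded(fp))  # the whole header line, however long
```

Running `parse_response(OVERSIZED)` raises LineTooLong after buffering at most MAXLINE + 1 bytes, while `bytes_buffered_unbounded()` shows the pre-fix reader holding the entire oversized line.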
Timeline
Timeline using the disclosure date 2009-08-28 as reference:
2009-08-28: Python issue bpo-6791 reported by sumar
2010-12-18 (+477 days): commit 5466bf1 (branch 3.3)
2010-12-18 (+477 days): commit d7b6ac6 (branch 2.7)
2010-12-18 (+477 days): commit ff1bbba (branch 3.2)
2011-02-20 (+541 days): Python 3.2.0 released
2011-06-11 (+652 days): Python 2.7.2 released
2011-06-11 (+652 days): Python 3.1.4 released
2019-06-03 (+3566 days): CVE-2013-1752 published