Author gregory.p.smith
Recipients christian.heimes, gen-xu, gregory.p.smith, leveryd, lukasz.langa, miss-islington, ned.deily
Date 2021-05-06.19:27:01
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1620329222.0.0.414126113555.issue44022@roundup.psfhosted.org>
In-reply-to
Content
If anyone wants a CVE for it, that's up to them.  This bug is in the CPython http.client module which is what urllib uses for http/https.  I'd rate it low severity.  A malicious server can hold a http connection from this library open as a network traffic sink.  There are other ways to do that.  ex: Just use omit a content-length header in a server response and start streaming an infinite response.

The difference in this case being that since the data is thrown away, it isn't going to result in memory exhaustion and kill the unfortunate process as trying to read an infinite response would.  That's the primary DoS potential from my point of view.
History
Date User Action Args
2021-05-06 19:27:02gregory.p.smithsetrecipients: + gregory.p.smith, christian.heimes, ned.deily, lukasz.langa, miss-islington, leveryd, gen-xu
2021-05-06 19:27:02gregory.p.smithsetmessageid: <1620329222.0.0.414126113555.issue44022@roundup.psfhosted.org>
2021-05-06 19:27:01gregory.p.smithlinkissue44022 messages
2021-05-06 19:27:01gregory.p.smithcreate