Opened 3 years ago

Last modified 3 years ago

#11080 new task

Evaluate effect of CVE-2012-0845 on this plugin

Reported by: hasienda Owned by: mitsuhiko
Priority: normal Component: IrcAnnouncerPlugin
Severity: normal Keywords: xmlrpc
Cc: osimons, rjollos Trac Release: 0.11

Description (last modified by hasienda)

(Overview of CVE-2012-0845): in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

The full import and direct use of SimpleXMLRPCServer in ircannouncerplugin/Trac/ might not be relevant, because it looks like an abonded development tree.?

Only CGIXMLRPCRequestHandler is imported from SimpleXMLRPCServer and used in 0.11/tracext/ircannouncer/utils, so I'm really unsure, if this plugin could be affected somehow.


Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by hasienda

  • Description modified (diff)

Add Comment

Modify Ticket

as new The owner will remain mitsuhiko.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.