Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-29430: Limit the size of .well-known lookups. · matrix-org/sydent@0523511

Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service. This affects any server which accepts registration requests from untrusted clients. This issue has been patched by releases 89071a1, 0523511, f56eee3. As a workaround request sizes can be limited in an HTTP reverse-proxy. There are no known workarounds for the problem with overlarge responses.

CVE
#web#dos#git#acer#auth#ssl

@@ -15,8 +15,14 @@ # limitations under the License.
import logging from io import BytesIO
import twisted.internet.ssl from twisted.internet import defer, protocol from twisted.internet.protocol import connectionDone from twisted.web._newclient import ResponseDone from twisted.web.http import PotentialDataLoss from twisted.web.iweb import UNKNOWN_LENGTH
logger = logging.getLogger(__name__)
@@ -62,3 +68,98 @@ def makeTrustRoot(self): return twisted.internet._sslverify.OpenSSLCertificateAuthorities([caCert.original]) else: return twisted.internet.ssl.OpenSSLDefaultPaths()

class BodyExceededMaxSize(Exception): “""The maximum allowed size of the HTTP body was exceeded.""”

class _DiscardBodyWithMaxSizeProtocol(protocol.Protocol): “""A protocol which immediately errors upon receiving data.""”
def __init__(self, deferred): self.deferred = deferred
def _maybe_fail(self): “"” Report a max size exceed error and disconnect the first time this is called. “"” if not self.deferred.called: self.deferred.errback(BodyExceededMaxSize()) # Close the connection (forcefully) since all the data will get # discarded anyway. self.transport.abortConnection()
def dataReceived(self, data) -> None: self._maybe_fail()
def connectionLost(self, reason) -> None: self._maybe_fail()

class _ReadBodyWithMaxSizeProtocol(protocol.Protocol): “""A protocol which reads body to a stream, erroring if the body exceeds a maximum size.""”
def __init__(self, deferred, max_size): self.stream = BytesIO() self.deferred = deferred self.length = 0 self.max_size = max_size
def dataReceived(self, data) -> None: # If the deferred was called, bail early. if self.deferred.called: return
self.stream.write(data) self.length += len(data) # The first time the maximum size is exceeded, error and cancel the # connection. dataReceived might be called again if data was received # in the meantime. if self.max_size is not None and self.length >= self.max_size: self.deferred.errback(BodyExceededMaxSize()) # Close the connection (forcefully) since all the data will get # discarded anyway. self.transport.abortConnection()
def connectionLost(self, reason = connectionDone) -> None: # If the maximum size was already exceeded, there’s nothing to do. if self.deferred.called: return
if reason.check(ResponseDone): self.deferred.callback(self.stream.getvalue()) elif reason.check(PotentialDataLoss): # stolen from https://github.com/twisted/treq/pull/49/files # http://twistedmatrix.com/trac/ticket/4840 self.deferred.callback(self.stream.getvalue()) else: self.deferred.errback(reason)

def read_body_with_max_size(response, max_size): “"” Read a HTTP response body to a file-object. Optionally enforcing a maximum file size. If the maximum file size is reached, the returned Deferred will resolve to a Failure with a BodyExceededMaxSize exception. Args: response: The HTTP response to read from. max_size: The maximum file size to allow. Returns: A Deferred which resolves to the read body. “"” d = defer.Deferred()
# If the Content-Length header gives a size larger than the maximum allowed # size, do not bother downloading the body. if max_size is not None and response.length != UNKNOWN_LENGTH: if response.length > max_size: response.deliverBody(_DiscardBodyWithMaxSizeProtocol(d)) return d
response.deliverBody(_ReadBodyWithMaxSizeProtocol(d, max_size)) return d

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907