#dos

Cyberattacks tripled over the past year in Israel, making it the most targeted nation in 2023, as cyber operations become a standard part of military conflicts and global protests.

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

### Impact A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in image decoders. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. This flaw can be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on ImageSharp for image processing tasks. Users and administrators are advised to update to the latest version of ImageSharp that addresses this vulnerability to mitigate the risk of exploitation. ### Patches The problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8. ### Workarounds Before calling `Image.Decode(Async)`, use `Image.Identify` to determine the image dimensions in order to enforce a limit. ### References - ImageSharp: [Security Considerations](https://docs.sixlabors.com/articles/imagesharp/security.html) - ImageSharp...

### Summary Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. ### Details + PoC Running the following code will raise Maximum recursion limit exceeded exception: ```py import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000) ``` We expect a traceback of RecursionError: ```py Traceback (most recent call last): File "trigger_sqlparse_nested_list.py", line 3, in <module> sqlparse.parse('[' * 10000 + ']' * 10000) File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py", line 30, in parse return tuple(parsestream(sql, encoding)) File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py", line 36, in run stmt = grouping.group(stmt) File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py", line 428, in group func(stmt) File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py", line 53, in group_brackets _group_mat...

Debian Linux Security Advisory 5659-1 - Bartek Nowotarski discovered that Apache Traffic Server, a reverse and forward proxy server, was susceptible to denial of service via HTTP2 continuation frames.

Debian Linux Security Advisory 5658-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

Debian Linux Security Advisory 5657-1 - Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

Red Hat Security Advisory 2024-1812-03 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Issues addressed include denial of service and memory leak vulnerabilities.

Akamai joins a growing list of security vendors aiming to strengthen companies' DNS defenses.

There is a potential vulnerability in Traefik managing requests with `Content-length` and no `body` . Sending a `GET` request to any Traefik endpoint with the `Content-length` request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. ## Patches - https://github.com/traefik/traefik/releases/tag/v2.11.2 - https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5 ## Workarounds For affected versions, this vulnerability can be mitigated by configuring the [readTimeout](https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts) option. ## For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).