Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

GHSA-J93G-RP6M-J32M Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

Mageia: Security Advisory (MGASA-2021-0122)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

openSUSE 15 Security Update : python-httplib2 (openSUSE-SU-2021:1806-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1806-1 advisory. - In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request could change request headers a...

Updated python-httplib2 packages fix a security vulnerability

A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said server CVE-2021-21240...

[ASA-202102-35] python-httplib2: denial of service

Arch Linux Security Advisory ASA-202102-35 ========================================== Severity: Medium Date : 2021-02-27 CVE-ID : CVE-2021-21240 Package : python-httplib2 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1546 Summary ======= The package python-httpli...

CVE-2021-21240

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...

PYSEC-2021-16

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...

CVE-2021-21240

CVE-2021-21240 affects httplib2 prior to 0.19.0. A malicious server can send a WWW-Authenticate header containing a long sequence of non-breaking spaces (\xa0), causing a Denial of Service by CPU-intensive header parsing. The root cause is in how httplib2 parses auth headers; a fix was implemente...

CVE-2021-21240

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...

CVE-2021-21240

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...

GHSA-93XJ-8MRV-444M Regular Expression Denial of Service (REDoS) in httplib2

Impact A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said server. Patches Version 0.19.0 contains new implementation of auth headers parsing, using...