183 matches found

SUSE CVE
added 2023/02/15 4:16 a.m., 1 view

SUSE CVE-2019-6477

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to...

CVSS 7.5, AI score 7.7, EPSS 0.05682
Exploits 0, References 111

SUSE CVE
added 2023/02/15 4:7 a.m., 1 view

SUSE CVE-2019-16786

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with t...

CVSS 7.5, AI score 6.8, EPSS 0.00795
Exploits 0, References 16

SUSE CVE
added 2023/02/15 3:59 a.m., 1 view

SUSE CVE-2020-11077

In Puma RubyGem before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the firs...

CVSS 6.8, AI score 6.9, EPSS 0.00821
Exploits 0, References 15

OpenVAS
added 2022/11/11 12:0 a.m., 22 views

Fedora: Security Advisory for python-joblib (FEDORA-2022-c83ce1c000)

The remote host is missing an update for the...

CVSS 9.8, AI score 9.6, EPSS 0.00265
Exploits 1, References 2

Fedora
added 2022/11/10 10:36 p.m., 20 views

[SECURITY] Fedora 37 Update: python-joblib-1.2.0-1.fc37

Joblib is a set of tools to provide lightweight pipelining in Python. In particular, joblib offers: transparent disk-caching of the output values and lazy re-evaluation (memoize pattern); easy simple parallel computing; logging and tracing of the execution...

CVSS 9.8, AI score 2.6, EPSS 0.00265
Exploits 1

Fedora
added 2022/10/08 5:34 p.m., 19 views

[SECURITY] Fedora 36 Update: python-joblib-1.2.0-1.fc36

Joblib is a set of tools to provide lightweight pipelining in Python. In particular, joblib offers: transparent disk-caching of the output values and lazy re-evaluation (memoize pattern); easy simple parallel computing; logging and tracing of the execution...

CVSS 9.8, AI score 2.6, EPSS 0.00265
Exploits 1

OSV
added 2022/08/22 8:15 p.m., 12 views

CVE-2022-38667

HTTP application servers based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it ha...

CVSS 9.8, AI score 7.4, EPSS 0.00986
Exploits 1, References 4

NVD
added 2022/08/22 8:15 p.m., 10 views

CVE-2022-38667

HTTP application servers based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it ha...

CVSS 9.8, EPSS 0.00986
Exploits 1, References 4

ATTACKERKB
added 2022/08/22 8:15 p.m., 2 views

CVE-2022-38667

HTTP application servers based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it ha...

CVSS 9.8, AI score 6.2, EPSS 0.00986
Exploits 1, References 5

CVE
added 2022/08/22 7:7 p.m., 59 views

CVE-2022-38667

CVE-2022-38667 affects Crow HTTP applications up to and including 1.0+4. The issue is a Use-After-Free that can lead to code execution when HTTP pipelining is used. The root cause is that the HTTP parser supports pipelining, but the asynchronous Connection layer does not track the progression of ...

CVSS 9.8, AI score 9.6, EPSS 0.00986
Exploits 1, References 4, Affected Software 1

Cvelist
added 2022/08/22 7:7 p.m., 10 views

CVE-2022-38667

HTTP application servers based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it ha...

AI score 9.9, EPSS 0.00986
Exploits 1, References 4

Positive Technologies
added 2022/08/22 12:0 a.m., 2 views

PT-2022-4665 · Crow · Crow

Name of the Vulnerable Software and Affected Versions: Crow versions through 1.0+4.
Description: The issue is related to HTTP applications based on Crow, where the use of HTTP pipelining can lead to a Use-After-Free condition, potentially allowing code execution. This occurs because the asynchrono...

CVSS 9.8, AI score 9.5, EPSS 0.00986
Exploits 1, References 10

OSV
added 2022/05/24 5:18 p.m., 8 views

GHSA-63H2-9CC8-FC7M meinheld vulnerable to HTTP Request Smuggling

meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing...

CVSS 6.1, AI score 6.2, EPSS 0.00238
Exploits 0, References 9

OSV
added 2022/05/17 1:1 a.m., 24 views

GHSA-H6C8-RG87-F3PC Apache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for...

CVSS 5, AI score 4.1, EPSS 0.11701
Exploits 0, References 14

GitHub Security Blog
added 2022/05/17 1:1 a.m., 28 views

Apache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for...

CVSS 5, AI score 6.7, EPSS 0.11701
Exploits 0, References 14, Affected Software 1

OpenVAS
added 2022/01/28 12:0 a.m., 23 views

Mageia: Security Advisory (MGASA-2020-0083)

The remote host is missing an update for the...

CVSS 8.2, AI score 7.9, EPSS 0.01023
Exploits 1, References 4

Securelist
added 2021/11/08 10:0 a.m., 20 views

DDoS attacks in Q3 2021

News overview: Q3 2021 brought two new DDoS attack vectors, potentially posing a serious threat, including for major web resources. A team of researchers from the University of Maryland and the University of Colorado Boulder found a way to spoof the victim's IP address over TCP. To date,...

AI score 7.1
Exploits 0

CVE
added 2021/10/12 3:30 p.m., 145 views

CVE-2021-41136

Summary: CVE-2021-41136 affects Puma HTTP/1.1 server for Ruby/Rack. When used with a proxy that forwards HTTP header values containing LF, an attacker could smuggle a request through the proxy, potentially causing the proxy to send a response to a different client. This behavior has been observed...

CVSS 3.7, AI score 5.8, EPSS 0.00288
Exploits 0, References 7, Affected Software 1

The Hacker News
added 2021/09/11 11:18 a.m., 152 views

Mēris Botnet Hit Russia's Yandex With Massive 22 Million RPS DDoS Attack

Russian internet giant Yandex has been the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Mēris. The botnet is believed to have pummeled the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests pe...

CVSS 9.1, AI score 0.4, EPSS 0.93645
Exploits 23

ThreatPost
added 2021/09/10 4:31 p.m., 109 views

Yandex Pummeled by Potent Meris DDoS Botnet

Technical details tied to a record-breaking distributed-denial-of-service (DDoS) attack against Russian internet behemoth Yandex are surfacing as the digital dust settles. A massive botnet, dubbed Mēris, is believed responsible, flooding Yandex with millions of HTTP requests for webpages at the sam...

CVSS 9.1, AI score 8.8, EPSS 0.93645
Exploits 23, References 7