00366-CVE-2021-3733.patch by frenzymadness · Pull Request #22 · fedora-python/cpython
00366 # CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler

Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

Backported from Python 3 together with another backward-compatible improvement of the regex from the fix for CVE-2020-8492.

Co-authored-by: Yeting Li <liyt@ios.ac.cn>
00368 # CVE-2021-3737: http client infinite line reading (DoS) after an HTTP 100 Continue

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Backported from Python 3.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Gen Xu <xgbarry@gmail.com>
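Added example (not code from this PR or from CPython) showing why the 00366 description calls the AbstractBasicAuthHandler regex quadratic and what the narrowed scheme token buys: the two patterns are my reconstruction of the scheme/realm regex before and after the CVE-2021-3733 change, an assumption about the exact text rather than a copy of the patch, and the comma-run input is constructed.

```python
import re
import time

# Assumption: reconstruction of the WWW-Authenticate scheme/realm regex used by
# urllib's AbstractBasicAuthHandler before the CVE-2021-3733 fix (not copied
# from the patch). The scheme token [^ \t]+ may swallow commas, so on a run of
# commas the engine backtracks across the rest of the string once per start
# position: quadratic work for an input that never matches.
PRE_FIX = re.compile(r'''(?:^|,)[ \t]*([^ \t]+)[ \t]+realm=(["']?)([^"']*)\2''', re.I)

# Assumption: the post-fix shape. Excluding ',' from the scheme token makes the
# attempt at each comma fail immediately, so the scan is linear.
POST_FIX = re.compile(r'''(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["']?)([^"']*)\2''', re.I)


def parse_challenge(pattern, header):
    """Return (scheme, realm) for a WWW-Authenticate value, or None if absent."""
    m = pattern.search(header)
    if m is None:
        return None
    return m.group(1), m.group(3)


def crafted_header(n):
    """Constructed non-matching input: n commas and no 'realm=' anywhere."""
    return "," * n


def time_search(pattern, header):
    """Wall-clock seconds for one search; compare as n doubles to see growth."""
    start = time.perf_counter()
    pattern.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Both patterns agree on well-formed challenges (regression check for the fix).
    for hdr in ('Basic realm="example"', "Digest qop=auth, Basic realm='site'"):
        print(hdr, "->", parse_challenge(PRE_FIX, hdr), parse_challenge(POST_FIX, hdr))
    # Doubling n roughly quadruples the pre-fix time; the post-fix time stays flat.
    for n in (2000, 4000):
        print("n=%d pre-fix %.3fs post-fix %.6fs" % (
            n, time_search(PRE_FIX, crafted_header(n)),
            time_search(POST_FIX, crafted_header(n))))
```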