#1217 closed task (fixed)
security issues in rencode
| Reported by: | Antoine Martin | Owned by: | Smo |
|---|---|---|---|
| Priority: | critical | Milestone: | 1.0 |
| Component: | core | Version: | trunk |
| Keywords: | | Cc: | |
Description
Just reported two security issues in rencode:
For our use case, I believe this can just cause a server crash; I don't think we leak parsed data from packets back to the user, but maybe disconnection messages? (Those would need to be trimmed.)
Change History (6)
comment:1 Changed 5 years ago by
Status: | new → assigned |
---|
comment:3 Changed 5 years ago by
Owner: | changed from Antoine Martin to Smo |
---|---|
Status: | assigned → new |
This is all fixed in version 1.0.5, bumped for osx and rpm in r13028.
@smo: time to update.
comment:4 Changed 5 years ago by
comment:6 Changed 6 weeks ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1217
The first bug is now fixed and version 1.0.5 will include it; the second one was already fixed in rencode 1.0.4. (My bad.)
Until 1.0.5 is officially released (new blocker: https://github.com/aresch/rencode/issues/9), here's a download link: https://github.com/aresch/rencode/archive/a5ab0fb6c3603d1e9c53e2cfc262b2288d2912d8.zip.