Hi,
I got this email from the eventlet mailing list. Does asyncio have a
similar issue?
Victor
---------- Forwarded message ----------
From: Sergey Shepelev <tem...@gmail.com>
Date: 2016-02-28 21:25 GMT+01:00
Subject: [Eventletdev] important security fix test required
To: eventletdev <event...@lists.secondlife.com>
Hello.
TL;DR: if you use SSL and Eventlet in one program, please run this
version, DoS attack fixed. If there are no regressions, it will be
released shortly.
Details: most likely you had a server with a similar loop:

    while True:
        conn, _ = server_sock.accept()
        spawn(process, conn)

Which is fine, but if the server socket was already SSL-wrapped, then by
default accept() tries to perform the SSL handshake before returning the
connection. But the handshake is a blocking operation, so a malicious client
could just connect and not start the handshake, and thus block the server
before the next accept().
--
Sergey Shepelev
Skype: sergey.shepelev
+79996126031
http://temoto.ru/
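
The blocking accept() described in the forwarded message, next to a variant that accepts on a plain socket and runs the handshake in the per-connection worker under a deadline. This is an added example, not code from the email or from Eventlet's fix. Assumptions: standard-library threads stand in for Eventlet's spawn, the names HANDSHAKE_TIMEOUT, accept_loop and run are made up here, and the SSL context has no certificate because the constructed clients never send a ClientHello.

```python
import socket
import ssl
import threading
import time

HANDSHAKE_TIMEOUT = 0.5  # assumed deadline for this demo

def process(conn, ctx, log):
    """Worker: a plain socket gets its TLS handshake here, under a deadline."""
    try:
        if not isinstance(conn, ssl.SSLSocket):
            conn.settimeout(HANDSHAKE_TIMEOUT)
            conn = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
            conn.do_handshake()
        log.append("handshake ok")
    except OSError as exc:  # socket.timeout and ssl.SSLError are both OSError
        log.append("timeout" if isinstance(exc, socket.timeout) else "error")
    finally:
        conn.close()

def accept_loop(listener, ctx, log, accepted, attempts):
    for _ in range(attempts):
        try:
            conn, _addr = listener.accept()  # an SSL-wrapped listener handshakes in here
        except OSError:
            continue  # the handshake inside accept() failed
        accepted.append(conn)
        threading.Thread(target=process, args=(conn, ctx, log), daemon=True).start()

def run(wrap_listener, clients=3, window=0.3):
    """Count silent clients accepted within `window` seconds; also return the worker log."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no certificate: demo clients stay silent
    listener = socket.create_server(("127.0.0.1", 0))
    if wrap_listener:  # pattern from the email: accept() performs the handshake
        listener = ctx.wrap_socket(listener, server_side=True)
    log, accepted = [], []
    loop = threading.Thread(target=accept_loop, daemon=True,
                            args=(listener, ctx, log, accepted, clients))
    loop.start()
    # Constructed clients: connect over loopback and never start a handshake.
    silent = [socket.create_connection(listener.getsockname()) for _ in range(clients)]
    time.sleep(window)
    count = len(accepted)
    time.sleep(HANDSHAKE_TIMEOUT + 1.0)  # let the worker deadlines expire
    snapshot = list(log)
    for s in silent:
        s.close()
    loop.join(timeout=2)
    listener.close()
    return count, snapshot
```

run(wrap_listener=True) reports that no connection was handed to a worker while the first silent client was pending; run(wrap_listener=False) accepts all of them and each worker drops its client at the deadline.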