Documentation for CVE-2016-6580

Lukasa · Lukasa · commit f09599a129e2 · 2016-08-04T08:41:57.000+01:00
diff --git a/docs/source/index.rst b/docs/source/index.rst
@@ -23,6 +23,7 @@ Contents:
    installation
    using-priority
    api
+   security/index
    license
    authors
 
diff --git a/docs/source/security/CVE-2016-6580.rst b/docs/source/security/CVE-2016-6580.rst
@@ -0,0 +1,64 @@
+:orphan:
+
+DoS via Unlimited Stream Insertion
+==================================
+
+Hyper Project security advisory, August 4th 2016.
+
+Vulnerability
+-------------
+
+A HTTP/2 implementation built using the priority library could be targetted by
+a malicious peer by having that peer assign priority information for every
+possible HTTP/2 stream ID. The priority tree would happily continue to store
+the priority information for each stream, and would therefore allocate
+unbounded amounts of memory. Attempting to actually *use* a tree like this
+would also cause extremely high CPU usage to maintain the tree.
+
+We are not aware of any active exploits of this vulnerability, but as this
+class of attack was publicly described in `this report`_, users should assume
+that they are at imminent risk of this kind of attack.
+
+Info
+----
+
+This issue has been given the name CVE-2016-6580.
+
+Affected Versions
+-----------------
+
+This issue affects all versions of the priority library prior to 1.2.0.
+
+The Solution
+------------
+
+In version 1.2.0, the priority library limits the maximum number of streams
+that can be inserted into the tree. By default this limit is 1000, but it is
+user-configurable.
+
+If it is necessary to backport a patch, the patch can be found in
+`this GitHub pull request`_.
+
+Recommendations
+---------------
+
+We suggest you take the following actions immediately, in order of preference:
+
+1. Update priority to 1.2.0 immediately, and consider revising the maximum
+   number of streams downward to a suitable value for your application.
+2. Backport the patch made available on GitHub.
+3. Manually enforce a limit on the number of priority settings you'll allow at
+   once.
+
+Timeline
+--------
+
+This class of vulnerability was publicly reported in `this report`_ on the
+3rd of August. We requested a CVE ID from Mitre the same day.
+
+Priority 1.2.0 was released on the 4th of August, at the same time as the
+publication of this advisory.
+
+
+.. _this report: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
+.. _this GitHub pull request: https://github.com/python-hyper/priority/pull/23
diff --git a/docs/source/security/index.rst b/docs/source/security/index.rst
@@ -0,0 +1,19 @@
+Vulnerability Notifications
+===========================
+
+This section of the page contains all known vulnerabilities in the priority
+library. These vulnerabilities have all been reported to us via our
+`vulnerability disclosure policy`_.
+
+Known Vulnerabilities
+---------------------
+
++----+---------------------------+----------------+---------------+--------------+---------------+
+| \# |       Vulnerability       | Date Announced | First Version | Last Version |      CVE      |
++====+===========================+================+===============+==============+===============+
+| 1  | :doc:`DoS via unlimited   | 2016-08-04     | 1.0.0         | 1.1.1        | CVE-2016-6580 |
+|    | stream insertion.         |                |               |              |               |
+|    | <CVE-2016-6580>`          |                |               |              |               |
++----+---------------------------+----------------+---------------+--------------+---------------+
+
+.. _vulnerability disclosure policy: http://python-hyper.org/en/latest/security.html#vulnerability-disclosure
