Hi, I got this email from the eventlet mailing list. Does asyncio have a similar issue?
Victor ---------- Forwarded message ---------- From: Sergey Shepelev <[email protected]> Date: 2016-02-28 21:25 GMT+01:00 Subject: [Eventletdev] important security fix test required To: eventletdev <[email protected]> Hello. TL;DR: if you use SSL and Eventlet in one program, please run this version, DoS attack fixed. If there are no regressions, it will be released shortly. Details: most likely you had a server with similar loop: while True: conn, _ = server_sock.accept() spawn(process, conn) Which is fine, but if server socket already was SSL wrapped, then by default accept() tries to perform SSL handshake before returning the connection. But handshake is a blocking operation so malicious client could just connect and not start handshake and thus block server before next accept(). -- Sergey Shepelev Skype: sergey.shepelev +79996126031 http://temoto.ru/ _______________________________________________ Click here to unsubscribe or manage your list subscription: https://lists.secondlife.com/cgi-bin/mailman/listinfo/eventletdev
