forked from akka/akka-http
=htc fix memory leak when connection is closed before request entity is consumed

Previously, stages on top of RequestParsing would stay alive because connection completion would be stuck in the request parsing queue and connection cancellation did not propagate across the controller stage. The fix ensures that the controller will shut down completely once cancellation has been received from the network (connection abortion by the client or idle-timeout triggered). This makes sure that all connected stages will also receive cancellation and will shut down themselves.
Showing 5 changed files with 114 additions and 7 deletions.
docs/src/main/paradox/security/2016-09-30-windows-directory-traversal.md (1 change: 1 addition & 0 deletions)
@@ -1,3 +1,4 @@ | ||
<a id="directory-traversal-in-filedirectives"></a> | ||
# Directory Traversal in FileDirectives | ||
|
||
## Date | ||
|
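Review bot: the header `@@ -1,3 +1,4 @@` records one added line, but this rendered view carries no `+`/`-` markers, so which of the three visible lines (`<a id="directory-traversal-in-filedirectives"></a>`, the `# Directory Traversal in FileDirectives` heading, the blank line) is the addition cannot be verified here. If it is the explicit anchor, check that its id matches the existing cross-references to this advisory in the docs, since the new advisory file in this same commit uses the same `<a id="...">` pattern and the two should be consistent.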
...urity/2017-01-23-denial-of-service-via-leak-on-unconsumed-closed-connections.md (43 changes: 43 additions & 0 deletions)
@@ -0,0 +1,43 @@ | ||
<a id="denial-of-service-stream-unconsumed-closed-connections"></a> | ||
# Denial-of-Service by stream leak on unconsumed closed connections | ||
|
||
## Date | ||
|
||
23 January 2017 | ||
|
||
## Description of Vulnerability | ||
|
||
For requests containing request bodies (including request methods which would normally include entities like GET requests), | ||
a mistake in completion handling of a connection could lead to memory leaking after the connection had been closed before the | ||
entity was consumed. This may eventually lead to a failure of the system due to being out of memory. | ||
|
||
Please subscribe to the [akka-security](https://groups.google.com/forum/#!forum/akka-security) mailing list to be notified promptly about future security issues. | ||
|
||
## Severity | ||
|
||
The [CVSS](https://en.wikipedia.org/wiki/CVSS) score of this vulnerability is 6.4 (Medium), based on vector [AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C](https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C%29). | ||
|
||
## Affected Versions | ||
|
||
- (experimental) Akka HTTP `2.4.11` and prior, | ||
- (stable) Akka HTTP `10.0.1` and prior. | ||
|
||
## Fixed Versions | ||
|
||
We have prepared patches for the affected versions, and have released the following versions which resolve the issue: | ||
|
||
- Akka HTTP `2.4.11.1` (Scala 2.11) | ||
- Akka HTTP `10.0.2` (Scala 2.11, 2.12) | ||
|
||
The patched releases contain no other changes except the single patch that addresses the memory leak vulnerability. | ||
*Binary and source compatibility has been maintained so the upgrade procedure is as simple as changing the library dependency.* | ||
|
||
## Additional Important Information | ||
|
||
Note that Play and Lagom applications are not impacted by this vulnerability, regardless of whether they are using the Akka HTTP backend or the Netty backend. | ||
|
||
If you have any questions or need any help, please contact [support@lightbend.com](mailto:support@lightbend.com). | ||
|
||
## Acknowledgements | ||
|
||
We would like to thank Dmitry Kolesnikov & Lari Hotari for their thorough investigation and bringing this issue to our attention. |
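Review bot: the opening sentence of "Description of Vulnerability" (the line starting `For requests containing request bodies`) says the affected requests include "request methods which would normally include entities like GET requests", which states the opposite of what is meant: GET requests normally carry no entity, and the point is that the leak also applies to them. Suggest `(including request methods which would normally not include entities, like GET requests)`. The description would also be easier to map onto the A:C availability rating if it said in one sentence what is retained per closed connection, i.e. the stages above request parsing that stay alive while the unconsumed entity blocks completion, as the commit message already describes.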