Hi Bernhard,

Thanks for looking into this.

On Thu, Apr 08, 2021 at 05:07:43PM +0200, Bernhard Übelacker wrote:
> I found the following ticket [2] that shows in later entries
> similarities to the given backtrace.

Yes, this looks pretty much like what I'm seeing (assuming Glyph's
speculation it could be related to python2.7 is wrong, as this is on
python3; but I'm going with openssl as the central culprit).

> Further running the server with valgrind might show something
> related, if the crash happens there too.

Since this appears to be a known problem, there's reason to hope
it will go away when moving to bullseye, disabling https upgrading
made the crashes disappear, and I can live with http for this
particular service, I think at this point I'm willing to risk
something that feels rather exploitable for another few weeks.

These considerations would change if others were seriously concerned;
given the Twisted ticket has indications on how to trigger the bug
outside of production, I might try to organise a Windows client to
trigger it on a development system.

Thanks,

        Markus
