Subject: Re: [boost] [beast] Security
From: Vinnie Falco (vinnie.falco_at_[hidden])
Date: 2017-12-13 03:26:02

• Next message: Marshall Clow: "Re: [boost] [beast] Security"
• Previous message: Mark Incley: "Re: [boost] linker error in 1.66 rc1 (regression from 1.65.1)"
• In reply to: Phil Endecott: "[boost] [beast] Security"
• Next in thread: Marshall Clow: "Re: [boost] [beast] Security"
• Reply: Marshall Clow: "Re: [boost] [beast] Security"

On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost
<boost_at_[hidden]> wrote:
> To what extent do we think that Beast should be "secure"? I am
> thinking mostly about handling malicious input.
>
> Has it been reviewed by anyone with specific experience of how
> HTTP can be attacked? Has it been "fuzzed"?

We now have the answer to this question:

<https://vinniefalco.github.io/BeastAssets/Beast%20-%20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%2020171114.pdf>

Linked from

<http://www.boost.org/doc/libs/master/libs/beast/doc/html/beast/reports.html#beast.reports.security_review_bishop_fox>

Bishop Fox did find one serious vulnerability in the processing of
compressed websocket frames. This flaw was fixed in time for Boost
1.66.0.

Thanks

• Next message: Marshall Clow: "Re: [boost] [beast] Security"
• Previous message: Mark Incley: "Re: [boost] linker error in 1.66 rc1 (regression from 1.65.1)"
• In reply to: Phil Endecott: "[boost] [beast] Security"
• Next in thread: Marshall Clow: "Re: [boost] [beast] Security"
• Reply: Marshall Clow: "Re: [boost] [beast] Security"