It was discovered that python-kdcproxy did not reject overly large POST requests in the recommended default configuration. An oversized request body was read into memory in full, so the service could be made to allocate arbitrary amounts of memory, eventually triggering the OOM killer and leading to a denial of service. Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Mitigation: Add "LimitRequestBody 100000" to the <Location> stanza, like this:

    <Location "/KdcProxy">
        Satisfy Any
        Order Deny,Allow
        Allow from all
        WSGIProcessGroup kdcproxy
        WSGIApplicationGroup kdcproxy
        LimitRequestBody 100000
    </Location>
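The Apache directive above caps the body before it reaches the WSGI application. The same control can be enforced inside the application itself, which matters when the proxy is deployed behind a server other than httpd. The following is an added example, not code from kdcproxy or its upstream patches: a WSGI middleware that rejects a request once its body exceeds a limit, checking the declared Content-Length first and then reading at most limit + 1 bytes so a missing or understated header cannot bypass the check. The 100000-byte limit and the /KdcProxy path come from the advisory; the function names, the echo application and the constructed requests are assumptions made for the demonstration.

```python
import io

# Limit taken from the advisory's LimitRequestBody recommendation.
MAX_BODY = 100000


def bounded_read(stream, max_bytes):
    """Read at most max_bytes + 1 bytes from the stream.

    Returns the body if it fits within max_bytes, or None if the stream
    holds more than that. Reading one extra byte is what detects overflow
    without ever buffering an unbounded amount.
    """
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        return None
    return data


def limit_request_body(app, max_bytes=MAX_BODY):
    """Wrap a WSGI app so it never sees a body larger than max_bytes."""

    def reject(start_response):
        start_response("413 Request Entity Too Large",
                       [("Content-Type", "text/plain")])
        return [b"request body too large\n"]

    def wrapped(environ, start_response):
        # Fast path: an honest client that declares an oversized body is
        # rejected before a single body byte is read.
        declared = environ.get("CONTENT_LENGTH") or ""
        if declared.isdigit() and int(declared) > max_bytes:
            return reject(start_response)

        # Slow path: Content-Length may be absent or understated, so the
        # body is read with a hard cap rather than trusted.
        body = bounded_read(environ["wsgi.input"], max_bytes)
        if body is None:
            return reject(start_response)

        # Hand the inner app a stream that is known to be bounded.
        environ["wsgi.input"] = io.BytesIO(body)
        environ["CONTENT_LENGTH"] = str(len(body))
        return app(environ, start_response)

    return wrapped


def echo_app(environ, start_response):
    """Stand-in for the proxied application (constructed for this example):
    reads the whole body, which is exactly what needs protecting."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [body]


def call(app, body, content_length):
    """Invoke a WSGI app with a constructed POST to /KdcProxy.

    content_length is the header value the client sends, or None to omit it.
    Returns (status, response_body).
    """
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/KdcProxy",
        "wsgi.input": io.BytesIO(body),
    }
    if content_length is not None:
        environ["CONTENT_LENGTH"] = content_length
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    app = limit_request_body(echo_app)
    print(call(app, b"x" * 10, "10")[0])            # 200 OK
    print(call(app, b"x" * 200000, "200000")[0])    # 413 via declared length
    print(call(app, b"x" * 200000, None)[0])        # 413 via bounded read
    print(call(app, b"x" * 200000, "10")[0])        # 413 despite lying header
```

The middleware never buffers more than max_bytes + 1 bytes per request, regardless of what the client declares, which is the property the LimitRequestBody directive provides at the httpd layer.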
Created python-kdcproxy tracking bugs for this issue: Affects: fedora-all [bug 1245223]
Upstream bug report: https://github.com/npmccallum/kdcproxy/issues/20
Created python-kdcproxy tracking bugs for this issue: Affects: epel-7 [bug 1249762]
Upstream patches: https://github.com/npmccallum/kdcproxy/commit/f274aa6787cb8b3ec1cc12c440a56665b7231882 and https://github.com/npmccallum/kdcproxy/commit/5edbbeb7f950ed9db60b11f0fdce1ec96194f761