Debian Security Advisory

DLA-1357-1 gunicorn -- LTS security update

Date Reported:
22 Apr 2018
Affected Packages:
gunicorn
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-1000164.
More information:

It was discovered that there was an issue in the gunicorn HTTP server for Python applications where CRLF sequences could result in an attacker tricking the server into returning arbitrary headers.
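As an added illustration, not part of this advisory or of the gunicorn project, the following shows the defensive check at the WSGI layer: response header fields containing CR or LF are refused before the server writes them, which is what stops an injected CRLF from becoming an extra header line. `HeaderGuardMiddleware`, `echo_app` and `run` are hypothetical names, and the request values are constructed.

```python
import re
from urllib.parse import unquote

# RFC 7230 allows neither CR nor LF inside a single header field, so any
# occurrence in a name or value means the field would be split on the wire.
_CRLF_RE = re.compile(r"[\r\n]")

def validate_headers(headers):
    """Return the (name, value) pairs containing CR/LF; empty list if clean."""
    return [(n, v) for n, v in headers if _CRLF_RE.search(n) or _CRLF_RE.search(v)]

class HeaderGuardMiddleware:
    """Hypothetical WSGI middleware: replaces any response whose headers
    contain CR/LF with a plain 500, so nothing the server would have split
    into extra header lines ever reaches the client."""
    def __init__(self, app):
        self.app = app
        self.rejected = []  # last rejected pairs, for logging or alerting

    def __call__(self, environ, start_response):
        rejected = []
        def guarded_start_response(status, headers, exc_info=None):
            bad = validate_headers(headers)
            if bad:
                rejected.extend(bad)
                return start_response("500 Internal Server Error",
                                      [("Content-Type", "text/plain")], exc_info)
            return start_response(status, headers, exc_info)
        body = self.app(environ, guarded_start_response)
        if rejected:
            self.rejected = rejected
            return [b"Response rejected: header field contained CR or LF\n"]
        return body

def echo_app(environ, start_response):
    """Constructed app showing the risky pattern: client input copied into a header."""
    value = unquote(environ.get("QUERY_STRING", ""))
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Echo", value)])
    return [b"ok\n"]

def run(app, query_string):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"REQUEST_METHOD": "GET", "QUERY_STRING": query_string},
                        start_response))
    return captured["status"], captured["headers"], body
```

A request such as `run(HeaderGuardMiddleware(echo_app), "a%0D%0Ab")` yields a 500 with only the guard's Content-Type header, while `"hello"` passes through unchanged.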

For more information and background, please see:

https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5

For Debian 7 Wheezy, this issue has been fixed in gunicorn version 0.14.5-3+deb7u2.

We recommend that you upgrade your gunicorn packages.