
[SECURITY] [DLA 1357-1] gunicorn security update




Package        : gunicorn
Version        : 0.14.5-3+deb7u2
CVE ID         : CVE-2018-1000164
Debian Bug     : #896548

It was discovered that there was an issue in the gunicorn HTTP server for
Python applications where CRLF sequences could result in an attacker tricking
the server into returning arbitrary headers (HTTP header splitting).

For more information and background, please see:

  https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5

For Debian 7 "Wheezy", this issue has been fixed in gunicorn version
0.14.5-3+deb7u2.

We recommend that you upgrade your gunicorn packages.
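One defensive check for the class of bug described above, added here as an example and not code from gunicorn or Debian: a WSGI middleware that refuses to pass any response header containing a CR or LF byte to the server, so a value that would split the header block is rejected instead of serialised. The names reject_crlf_headers, app_with_headers and emit are assumptions of this example; it runs on Python 3 with only the standard library.

```python
"""Reject response headers that carry CR or LF before the server emits them.

Added example (not gunicorn's own code). It protects an application from a
server that writes header values through unchecked, as described for
CVE-2018-1000164: both bare CR and bare LF are rejected, not only "\r\n".
"""
from wsgiref.util import setup_testing_defaults


class HeaderInjectionError(ValueError):
    """Raised when a response header would split the header block."""


def has_crlf(text):
    """True if a header name or value contains a CR or LF character."""
    return "\r" in text or "\n" in text


def reject_crlf_headers(app):
    """Wrap a WSGI app so every header it sends is checked first."""
    def wrapper(environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            for name, value in headers:
                if has_crlf(name) or has_crlf(value):
                    raise HeaderInjectionError(
                        "CR/LF in response header %r" % (name,))
            return start_response(status, headers, exc_info)
        return app(environ, checked_start_response)
    return wrapper


def app_with_headers(headers):
    """Tiny WSGI app (constructed for the example) that answers 200 OK
    with the given header list, standing in for a real application."""
    def app(environ, start_response):
        start_response("200 OK", list(headers))
        return [b"ok"]
    return app


def emit(app):
    """Run `app` under the middleware with a minimal WSGI environ and return
    (status, headers) as the server would receive them, or None if the
    middleware rejected the response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {}
    setup_testing_defaults(environ)
    try:
        b"".join(reject_crlf_headers(app)(environ, start_response))
    except HeaderInjectionError:
        return None
    return captured["status"], captured["headers"]
```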


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


