[SECURITY] [DLA 2056-1] waitress security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2056-1] waitress security update
From: "Chris Lamb" <lamby@debian.org>
Date: Wed, 01 Jan 2020 13:52:57 +0000
Message-id: <[🔎] db82b844-c732-4b1d-8ac6-ee3e2d674084@sloti26t01>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : waitress
Version        : 0.8.9-2+deb8u1
Debian Bug     : #765126

It was discovered that there was a HTTP request smuggling
vulnerability in waitress, pure-Python WSGI server.

If a proxy server is used in front of waitress, an invalid request
may be sent by an attacker that bypasses the front-end and is parsed
differently by waitress leading to a potential for request smuggling.

Specially crafted requests containing special whitespace characters
in the Transfer-Encoding header would get parsed by Waitress as being
a chunked request, but a front-end server would use the
Content-Length instead as the Transfer-Encoding header is considered
invalid due to containing invalid characters. If a front-end server
does HTTP pipelining to a backend Waitress server this could lead to
HTTP request splitting which may lead to potential cache poisoning or
information disclosure.

For Debian 8 "Jessie", this issue has been fixed in waitress version
0.8.9-2+deb8u1.

We recommend that you upgrade your waitress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl4MpCkACgkQHpU+J9Qx
HlgiDBAAqTn8jF9NkZKCSMyMZsW+Wb4DazHGkEmzl1Uf/u9padPzIo5WKYkuFT3F
AaLaGou8k9DdMZ3i7e9KSZw31vBcyj7oSVaFKBU/SUklC/V5BB8BMhecd+9fPZw8
sk+j7Nm+0iK+ah///RWpm4oG+CfXPXHqeit74pJt02a1mc0DU2cJcMerKkKmeQc7
aD8PlWeTLDO361sJLR9v/5djyEm9Eo6pP7fc7ueMAoPQjS3xxxwUzLBhOEZnWGek
1LS9cwRG4mzfNN8e8GW7cXKqD373iEKBr9o97M6sxwkC4YXrIAzPMcQHo4oJh+Yp
x3rOyxibwJlRpp+gftIjKNGg7SZ3/MFrjtyikLkKz/Q9abLPBrRhLlYSthWVt26b
nbd2s9XVMwqcnKBQj90LZGGB2oudKvL0xdkd8q24NLd/7iPSVVF7Oc4x3iHtjiYv
udTrhcLg+PYpqYKVa0bxXcO65q0PFZkAR7yQHuwPATPSu9HdhRezDjip9GPBrcMr
uOqKpVHGznTTpwDuRDgKd8QaTSnkf1Mn1b/qhOFRqfnnrsLXebZPgqLoMSNzbRRU
aDQ+CW/mie1N9WF5389FfKRZh20UmltU1hS29gC2vaeJYzl9Fp5n8WEbFsUnUirY
zD5KfhJEg/t9Yr7Mzd0jsrdgwBUDAzfEoc9n58gICPRyQDjhxjc=
=a6SU
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1931-2] libgcrypt20 regression update
Next by Date: [SECURITY] [DLA 2057-1] pillow security update
Previous by thread: [SECURITY] [DLA 1931-2] libgcrypt20 regression update
Next by thread: [SECURITY] [DLA 2057-1] pillow security update
Index(es):
- Date
- Thread