Source: waitress Version: 1.4.4-1.1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for waitress. CVE-2022-24761[0]: | Waitress is a Web Server Gateway Interface server for Python 2 and 3. | When using Waitress versions 2.1.0 and prior behind a proxy that does | not properly validate the incoming HTTP request matches the RFC7230 | standard, Waitress and the frontend proxy may disagree on where one | request starts and where it ends. This would allow requests to be | smuggled via the front-end proxy to waitress and later behavior. There | are two classes of vulnerability that may lead to request smuggling | that are addressed by this advisory: The use of Python's `int()` to | parse strings into integers, leading to `+10` to be parsed as `10`, or | `0x01` to be parsed as `1`, where as the standard specifies that the | string should contain only digits or hex digits; and Waitress does not | support chunk extensions, however it was discarding them without | validating that they did not contain illegal characters. This | vulnerability has been patched in Waitress 2.1.1. A workaround is | available. When deploying a proxy in front of waitress, turning on any | and all functionality to make sure that the request matches the | RFC7230 standard. Certain proxy servers may not have this | functionality though and users are encouraged to upgrade to the latest | version of waitress instead. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-24761 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761 [1] https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 [2] https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0 Please adjust the affected versions in the BTS as needed. Regards, Salvatore