Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-waitress for openSUSE:Factory
checked in at 2022-03-20 20:55:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-waitress (Old)
and /work/SRC/openSUSE:Factory/.python-waitress.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-waitress"
Sun Mar 20 20:55:09 2022 rev:24 rq:962909 version:2.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-waitress/python-waitress.changes
2021-11-09 23:54:07.703937885 +0100
+++
/work/SRC/openSUSE:Factory/.python-waitress.new.25692/python-waitress.changes
2022-03-20 20:55:16.258502495 +0100
@@ -1,0 +2,23 @@
+Thu Mar 17 17:42:42 UTC 2022 - Dirk M??ller <[email protected]>
+
+- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
+ * Waitress now validates that chunked encoding extensions are valid, and
don???t
+ contain invalid characters that are not allowed. They are still skipped/not
+ processed, but if they contain invalid data we no longer continue in and
return
+ a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
+ Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+ * Waitress now validates that the chunk length is only valid hex digits when
+ parsing chunked encoding, and values such as 0x01 and +01 are no longer
+ supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
+ to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+ * Waitress now validates that the Content-Length sent by a remote contains
only
+ digits in accordance with RFC7230 and will return a 400 Bad Request when
the
+ Content-Length header contains invalid data, such as +10 which would
+ previously get parsed as 10 and accepted. This stops potential HTTP
+ desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this
issue.
+ See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+-------------------------------------------------------------------
Old:
----
waitress-2.0.0.tar.gz
New:
----
waitress-2.1.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-waitress.spec ++++++
--- /var/tmp/diff_new_pack.GXgIlZ/_old 2022-03-20 20:55:17.070503663 +0100
+++ /var/tmp/diff_new_pack.GXgIlZ/_new 2022-03-20 20:55:17.078503675 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package python-waitress
+# spec file
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-waitress%{psuffix}
-Version: 2.0.0
+Version: 2.1.1
Release: 0
Summary: Waitress WSGI server
License: ZPL-2.1
++++++ waitress-2.0.0.tar.gz -> waitress-2.1.1.tar.gz ++++++
++++ 3388 lines of diff (skipped)
