Your message dated Sat, 12 Nov 2022 21:11:29 +0000
with message-id <[email protected]>
and subject line Bug#1012315: fixed in waitress 2.1.2-1
has caused the Debian Bug report #1012315,
regarding waitress: CVE-2022-31015
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1012315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012315
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: waitress
Version: 2.1.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/Pylons/waitress/issues/374
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for waitress.
CVE-2022-31015[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread
| closing a socket while the main thread is about to call select(). This
| will lead to the main thread raising an exception that is not handled
| and then causing the entire application to be killed. This issue has
| been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to
| close the socket. Instead, that is always delegated to the main
| thread. There is no work-around for this issue. However, users using
| waitress behind a reverse proxy server are less likely to have issues
| if the reverse proxy always reads the full response.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31015
[1] https://github.com/Pylons/waitress/issues/374
[2] https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
[3] https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48
Please adjust the affected versions in the BTS as needed. Can you
confirm the assessment that the issue was introduced in 2.1.0
upstream only?
Regards,
Salvatore
--- End Message ---
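The failure mode the advisory above describes, reduced to a deterministic illustration. This is an added example, not Waitress code: a worker thread closing a socket object leaves it with fileno() == -1, so a subsequent select() in the main thread raises rather than waits; the fix pattern delegates the close to the main thread through a request queue that is drained before the select set is built. The socket pairs and the helper names are constructed for the example.

```python
import queue
import select
import socket
import threading


def unsafe_pattern():
    """Worker closes the socket itself (the 2.1.0/2.1.1 behaviour).

    join() stands in for the real race window so the outcome is repeatable:
    by the time the main thread calls select(), conn.fileno() is -1."""
    conn, peer = socket.socketpair()  # constructed stand-in for a client connection
    worker = threading.Thread(target=conn.close)
    worker.start()
    worker.join()
    try:
        select.select([conn], [], [], 0)
    except (ValueError, OSError) as exc:
        # Unhandled in the real server loop, this is what killed the process.
        return type(exc).__name__
    finally:
        peer.close()
    return None


def safe_pattern():
    """Worker only *requests* the close; the main thread owns every close.

    Returns (sockets still selected on, whether the live one was readable)."""
    conn, peer = socket.socketpair()
    other, other_peer = socket.socketpair()  # a second, still-live connection
    other_peer.sendall(b"x")                 # make it readable for select()
    close_requests = queue.Queue()
    worker = threading.Thread(target=close_requests.put, args=(conn,))
    worker.start()
    worker.join()
    active = {conn, other}
    # Main thread: honour pending close requests before building the select set,
    # so a closed socket can never reach select().
    while not close_requests.empty():
        sock = close_requests.get()
        active.discard(sock)
        sock.close()
    readable, _, _ = select.select(list(active), [], [], 0)
    for sock in (peer, other, other_peer):
        sock.close()
    return len(active), readable == [other]
```
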
--- Begin Message ---
Source: waitress
Source-Version: 2.1.2-1
Done: Carsten Schoenert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <[email protected]> (supplier of updated waitress
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 12 Nov 2022 21:14:43 +0100
Source: waitress
Architecture: source
Version: 2.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Carsten Schoenert <[email protected]>
Closes: 1012315
Changes:
waitress (2.1.2-1) unstable; urgency=medium
.
* Team Upload.
* d/gbp.conf: Add a basic default configuration
* d/README.source: Add basic information about package
* d/README.Debian: Drop that file
* d/watch: Update watch mode to look out git tags
* New upstream version 2.1.2
Resolves CVE-2022-31015 (Closes: #1012315)
* Rebuild patch queue from patch-queue branch
Added patch:
docs-Use-internal-ressources-for-intersphinx.patch
Renamed patch:
01-fix-sphinxdoc-conf.patch
-> docs-Don-t-try-to-detect-the-version-don-t-use-Pylons-the.patch
* d/control: Remove Built-Using ${sphinxdoc:Built-Using}
The -doc package isn't from type arch all.
* d/control: Add python3-doc to Build-Depends
That is used for intersphinx integration in the -doc package.
* d/{control,rules}: Move over to dh-sequence-python3
* documentation: Build HTML documentation by dh_sphinxdoc
* autopkgtest: Small adjustment to testing call
--- End Message ---