Your message dated Fri, 22 Aug 2025 15:32:54 +0000
with message-id <[email protected]>
and subject line Bug#1086467: fixed in waitress 2.1.2-2+deb12u1
has caused the Debian Bug report #1086467,
regarding waitress: CVE-2024-49768: Request processing race condition in HTTP pipelining with invalid first request
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086467
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: waitress
Version: 3.0.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.1.2-2
Hi,
The following vulnerability was published for waitress.
CVE-2024-49768[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. A remote client may send a request that is exactly recv_bytes
| (defaults to 8192) long, followed by a secondary request using HTTP
| pipelining. When request lookahead is disabled (default) we won't
| read any more requests, and when the first request fails due to a
| parsing error, we simply close the connection. However when request
| lookahead is enabled, it is possible to process and receive the
| first request, start sending the error message back to the client
| while we read the next request and queue it. This will allow the
| secondary request to be serviced by the worker thread while the
| connection should be closed. Waitress 3.0.1 fixes the race
| condition. As a workaround, disable channel_request_lookahead, this
| is set to 0 by default disabling this feature.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49768
https://www.cve.org/CVERecord?id=CVE-2024-49768
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
Regards,
Salvatore
--- End Message ---
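As an added illustration, not waitress's own code and not part of the bug report above: a simplified model of the channel behaviour the CVE text describes. The request format (one "GET ..." line per request, anything else is a parse error), the small RECV_BYTES value and the `fixed` flag standing in for the 3.0.1 change are all constructed for this example.

```python
from dataclasses import dataclass, field

RECV_BYTES = 16  # constructed; waitress defaults recv_bytes to 8192

# Constructed pipelined input: the first (invalid) request is exactly
# RECV_BYTES long, so the next recv() delivers the second request alone.
PIPELINED = b"BAD " + b"x" * 11 + b"\n" + b"GET /second\n"


@dataclass
class Channel:
    lookahead: int = 0          # models channel_request_lookahead (0 = off)
    fixed: bool = False         # True: stop queueing once the connection must close
    buf: bytes = b""
    requests: list = field(default_factory=list)  # what a worker thread would service
    close_when_flushed: bool = False

    def received(self, data: bytes) -> None:
        """Feed one recv() worth of bytes and parse pipelined requests out of it."""
        if self.close_when_flushed and (self.fixed or not self.lookahead):
            return  # connection is closing: nothing further is read from the socket
        self.buf += data
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if line.startswith(b"GET "):
                self.requests.append(line.decode())
                continue
            # parse error: an error response is queued and the connection
            # must close once that response has been flushed
            self.requests.append("<400 error>")
            self.close_when_flushed = True
            if not self.lookahead:
                return  # lookahead off: no further requests are read
            if self.fixed:
                self.buf = b""  # fixed: discard pipelined bytes after a failed request
                return
            # vulnerable: lookahead keeps parsing and queues the next request


def simulate(lookahead: int, fixed: bool) -> list:
    """Return the requests a worker would service for one client connection."""
    ch = Channel(lookahead=lookahead, fixed=fixed)
    for i in range(0, len(PIPELINED), RECV_BYTES):
        ch.received(PIPELINED[i:i + RECV_BYTES])
    return ch.requests


if __name__ == "__main__":
    print("lookahead off:       ", simulate(0, False))
    print("lookahead on, 3.0.0: ", simulate(1, False))
    print("lookahead on, fixed: ", simulate(1, True))
```

Only the lookahead-enabled, unfixed combination services "GET /second" after the failed first request, which is the condition the advisory's workaround (channel_request_lookahead left at 0) avoids.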
--- Begin Message ---
Source: waitress
Source-Version: 2.1.2-2+deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 20 Aug 2025 18:31:13 +0300
Source: waitress
Architecture: source
Version: 2.1.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1086467 1086468
Changes:
waitress (2.1.2-2+deb12u1) bookworm; urgency=medium
  .
  * Non-maintainer upload.
  * CVE-2024-49768: race condition in HTTP pipelining
    (Closes: #1086467)
  * CVE-2024-49769: DoS due to resource exhaustion
    (Closes: #1086468)
--- End Message ---