Your message dated Fri, 13 Jul 2012 17:32:50 +0100
with message-id <[email protected]>
and subject line Re: Bug#681471: gunicorn < 0.14.4 does not properly limit
requests size
has caused the Debian Bug report #681471,
regarding gunicorn < 0.14.4 does not properly limit requests size
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
681471: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681471
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gunicorn
Version: 0.14.3-1
Severity: grave
Tags: security fixed-upstream

gunicorn 0.14 introduced the ability to check if a request line is too
large to protect against DoS, however the implementation had the
following flaws:

* Gunicorn does not limit the size of a request header (the
  limit_request_field_size configuration parameter is not used)
* When the configured request limit is lower than its maximum value, the
  maximum value is used instead. For instance if limit_request_line is set
  to 1024, gunicorn will only limit the request line to 4096 chars (this
  issue also affects limit_request_fields)
* Request limits are not limited to their maximum authorized values. For
  instance it is possible to set limit_request_line to 64K (this issue
  also affects limit_request_fields)

This has been fixed upstream in 0.14.4:
https://github.com/benoitc/gunicorn/commit/d79ff999ce895e2ed0ea02aa8729e6da736dfc27
--- End Message ---
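
The three flaws listed in the report above, as an added Python illustration that is not gunicorn's code and not part of the original message: `flawed_limit` is one assumed expression that reproduces the second and third behaviours, `effective_limit` clamps instead, and `check_request` enforces all three limits, including the per-field size. All function names and the two field ceilings are hypothetical; 4096 is the request-line maximum quoted in the report.

```python
# Added illustration, not gunicorn's code. Names are hypothetical.
MAX_REQUEST_LINE = 4096   # request-line maximum quoted in the bug report
MAX_FIELDS = 100          # constructed ceiling for this example
MAX_FIELD_SIZE = 8190     # constructed ceiling for this example


class LimitExceeded(Exception):
    """A request head exceeded one of the effective limits."""


def flawed_limit(configured, ceiling):
    # Assumed cause: picks the larger value, so a lower setting is ignored
    # (1024 -> 4096) and a higher one is never capped (65536 stays 65536).
    return max(configured, ceiling)


def effective_limit(configured, ceiling):
    # Honour a lower setting, cap a higher one at the ceiling.
    if configured <= 0:
        raise ValueError("this sketch requires a positive limit")
    return min(configured, ceiling)


def check_request(raw, line_limit, fields_limit, field_size_limit):
    """Check a raw request head (bytes); return the number of header fields."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, *fields = head.split(b"\r\n")
    if len(request_line) > line_limit:
        raise LimitExceeded("request line too large")
    if len(fields) > fields_limit:
        raise LimitExceeded("too many header fields")
    for field in fields:
        # The check the report says was missing: per-field size.
        if len(field) > field_size_limit:
            raise LimitExceeded("header field too large")
    return len(fields)


if __name__ == "__main__":
    # Constructed request: 2014-byte request line, one short header.
    req = b"GET /" + b"a" * 2000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
    for resolve in (flawed_limit, effective_limit):
        limit = resolve(1024, MAX_REQUEST_LINE)
        try:
            check_request(req, limit, MAX_FIELDS, MAX_FIELD_SIZE)
            print(resolve.__name__, limit, "accepted")
        except LimitExceeded as exc:
            print(resolve.__name__, limit, "rejected:", exc)
```
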
--- Begin Message ---
Version: 0.14.5-1
This bug is fixed in 0.14.5-1. Wheezy unblock request filed as #681496.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected]
`-
--- End Message ---