Your message dated Mon, 30 Apr 2018 13:17:40 +0000
with message-id <[email protected]>
and subject line Bug#896548: fixed in gunicorn 19.0-1+deb8u1
has caused the Debian Bug report #896548,
regarding gunicorn: CVE-2018-1000164
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
896548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896548
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gunicorn
Version: 0.14.5-3+deb7u1
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for gunicorn.

CVE-2018-1000164[0]:
| gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of
| CRLF Sequences in HTTP Headers vulnerability in "process_headers"
| function in "gunicorn/http/wsgi.py" that can result in an attacker
| causing the server to return arbitrary HTTP headers. This
| vulnerability appears to have been fixed in 19.5.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000164


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: gunicorn
Source-Version: 19.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
gunicorn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated gunicorn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Apr 2018 11:14:07 +0200
Source: gunicorn
Binary: gunicorn
Architecture: source all
Version: 19.0-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 gunicorn   - Event-based HTTP/WSGI server
Closes: 896548
Changes:
 gunicorn (19.0-1+deb8u1) jessie-security; urgency=high
 .
   * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could
     result in an attacker tricking the server into returning arbitrary HTTP
     headers. (Closes: #896548)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
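
The CWE-113 class of bug named in the report and in the changelog entry above can be shown with a small response-header serializer. This is an added illustration, not gunicorn's code and not the Debian patch: the function names, the `InvalidHeader` exception and the sample values are assumptions made for the example.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters, CR and LF included, that must never reach the wire
# inside a field value (horizontal tab, \x09, is permitted).
_BAD_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class InvalidHeader(ValueError):
    """Raised when an application-supplied header is not safe to emit."""


def serialize_unsafe(headers):
    # Vulnerable pattern: name and value are copied to the wire verbatim,
    # so a CRLF inside a value starts a new header line.
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers) + "\r\n"


def serialize_checked(headers):
    # Hardened pattern: validate every name and value before serializing.
    lines = []
    for name, value in headers:
        if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
            raise InvalidHeader("bad header name: %r" % (name,))
        if not isinstance(value, str) or _BAD_VALUE_RE.search(value):
            raise InvalidHeader("control character in %s value" % name)
        lines.append("%s: %s\r\n" % (name, value.strip(" \t")))
    return "".join(lines) + "\r\n"


def header_names(wire):
    # Parse the serialized header block back the way a client would.
    head = wire.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if line]


# Constructed input: an application reflecting a request parameter
# into the Location header of its response.
CONSTRUCTED_PARAM = "/next\r\nSet-Cookie: session=constructed"
SAMPLE_HEADERS = [("Content-Type", "text/plain"),
                  ("Location", CONSTRUCTED_PARAM)]

if __name__ == "__main__":
    print(header_names(serialize_unsafe(SAMPLE_HEADERS)))
    try:
        serialize_checked(SAMPLE_HEADERS)
    except InvalidHeader as exc:
        print("rejected:", exc)
```

Rejecting the response outright, rather than stripping the offending bytes, keeps a silently altered header from reaching the client and gives the operator an error to log.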
