Hey all,

As a heads up, and to allow for tracking security issues, this issue has now been assigned CVE ID: CVE-2020-5236

Thanks,
Bert JW Regeer

> On Feb 2, 2020, at 21:59, Bert JW Regeer <xiste...@0x58.com> wrote:
>
> Hey all,
>
> I just released a new version of Waitress to fix a bug in the regular
> expression that was used to parse the HTTP headers. The bug would allow for
> catastrophic backtracking which would cause the waitress process to spend
> 100% CPU time in attempting to match the regular expression.
>
> Thanks to Fil Zembowicz for reporting this issue!
>
> pip install waitress==1.4.3
>
> For more information:
>
> https://pypi.org/project/waitress/1.4.3/
> https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
>
> Have questions or comments about this advisory, feel free to reply to this
> email, or:
>
> • open an issue at https://github.com/Pylons/waitress/issues (if not
> sensitive or security related)
> • email the Pylons Security mailing list:
> pylons-project-secur...@googlegroups.com (if security related)
>
> Thank you,
> Bert JW Regeer
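An added illustration of the catastrophic backtracking the quoted announcement describes; it is not part of the original message and is not Waitress's code. Both patterns, the function names and the input are constructed for this example: a header pattern with a nested quantifier sits beside an equivalent single-quantifier one, and a timing probe shows how the cost of rejecting a line grows.

```python
import re
import time

# Constructed pattern, NOT Waitress's actual regex. The nested quantifier
# ([\w-]+)+ lets the engine split a run of name characters in exponentially
# many ways before it can conclude that no ':' follows.
BACKTRACKING = re.compile(r"^([\w-]+)+:\s*(.*)$")

# Accepts the same lines with a single quantifier, so rejecting a line
# costs time linear in its length.
LINEAR = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_header(line, pattern=LINEAR):
    """Return (name, value) for a 'Name: value' line, or None."""
    m = pattern.match(line)
    return (m.group(1), m.group(2).strip()) if m else None


def failed_match_seconds(pattern, n, repeats=3):
    """Best-of-`repeats` time to reject n name characters with no colon."""
    line = "a" * n  # constructed input: never matches, forces backtracking
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        assert pattern.match(line) is None
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern, n, step=4):
    """How much slower rejection gets when the input grows by `step` chars."""
    return failed_match_seconds(pattern, n + step) / failed_match_seconds(pattern, n)


if __name__ == "__main__":
    print(parse_header("Host: example.com"))
    for name, pat in (("nested", BACKTRACKING), ("single", LINEAR)):
        print(name, [f"{failed_match_seconds(pat, n):.6f}s" for n in (12, 16, 20)])
    print("nested growth per 4 chars:", round(growth_ratio(BACKTRACKING, 14), 1))
```

A probe like `growth_ratio` can run in a test suite to catch a parsing regex whose rejection time multiplies as input grows by a few characters.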