Your message dated Wed, 01 Jan 2020 13:19:10 +0000
with message-id <[email protected]>
and subject line Bug#947433: fixed in waitress 1.4.1-1
has caused the Debian Bug report #947433,
regarding waitress: CVE-2019-16789
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
947433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: waitress
Version: 1.3.1-4
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for waitress, filing a
distinct bug for that as the already filed #947306 for two other CVEs
as this one is only fixed in 1.4.1 upstream.

CVE-2019-16789[0]:
| In Waitress through version 1.4.0, if a proxy server is used in front
| of waitress, an invalid request may be sent by an attacker that
| bypasses the front-end and is parsed differently by waitress leading
| to a potential for HTTP request smuggling. Specially crafted requests
| containing special whitespace characters in the Transfer-Encoding
| header would get parsed by Waitress as being a chunked request, but a
| front-end server would use the Content-Length instead as the Transfer-
| Encoding header is considered invalid due to containing invalid
| characters. If a front-end server does HTTP pipelining to a backend
| Waitress server this could lead to HTTP request splitting which may
| lead to potential cache poisoning or unexpected information
| disclosure. This issue is fixed in Waitress 1.4.1 through more strict
| HTTP field validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
[1] https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
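The CVE text above turns on one parsing detail: the backend accepted bytes such as vertical tab or form feed as "whitespace" around the transfer coding name, while the front-end rejected the header and fell back to Content-Length, so the two disagreed on where the request body ended. The following is an added example of the strict field validation that closes that gap; it is not waitress's own parser and not the upstream commit. It assumes a headers dict with lower-cased field names and raw string values, allows only SP and HTAB as optional whitespace, requires every transfer coding to be an RFC 7230 token, considers every comma-separated element rather than only the first (the CVE-2019-16786 mistake listed in the changelog), and rejects any message on which a proxy and a backend could plausibly disagree instead of guessing.

```python
import re

# RFC 7230 tchar: the only characters allowed inside a token such as "chunked".
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Optional whitespace in a header value is SP / HTAB only; nothing else is trimmed.
_OWS = " \t"


class InvalidHeader(ValueError):
    """Raised for any framing header that does not match the grammar."""


def parse_transfer_encoding(value):
    """Return the lower-cased transfer codings in a Transfer-Encoding value,
    or raise InvalidHeader. Every comma-separated element is checked, and
    only SP/HTAB is stripped around an element, so a coding name preceded
    by a vertical tab or form feed is an invalid token, not "chunked"."""
    codings = []
    for element in value.split(","):
        element = element.strip(_OWS)
        if element == "":
            continue  # the RFC 7230 list grammar tolerates empty elements
        if _TOKEN_RE.fullmatch(element) is None:
            raise InvalidHeader("invalid transfer coding %r" % element)
        codings.append(element.lower())
    return codings


def framing(headers):
    """Decide how the request body is delimited.

    `headers` is assumed (this example's convention) to be a dict with
    lower-cased field names and raw str values. Returns (kind, reason)
    where kind is 'chunked', 'content-length', 'none' or 'reject'.
    'reject' means: answer 400 and close the connection rather than guess,
    because guessing is what lets a front-end and a backend disagree."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    try:
        if te is not None:
            codings = parse_transfer_encoding(te)
            if cl is not None:
                # RFC 7230 3.3.3 flags both fields together as a smuggling indicator.
                raise InvalidHeader("Transfer-Encoding and Content-Length both present")
            if not codings or codings[-1] != "chunked":
                # A request whose final coding is not chunked has no determinable length.
                raise InvalidHeader("last transfer coding must be chunked")
            return ("chunked", "")
        if cl is not None:
            if re.fullmatch(r"[0-9]+", cl.strip(_OWS)) is None:
                raise InvalidHeader("Content-Length is not a plain decimal integer")
            return ("content-length", "")
        return ("none", "")
    except InvalidHeader as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    # Constructed sample headers for illustration, not captured traffic.
    samples = [
        {"content-length": "5"},
        {"transfer-encoding": "chunked"},
        {"transfer-encoding": "gzip, chunked"},
        {"transfer-encoding": "\x0bchunked"},                      # VT is not OWS: reject
        {"transfer-encoding": "chunked", "content-length": "5"},   # ambiguous: reject
        {"transfer-encoding": "chunked, gzip"},                    # chunked not last: reject
    ]
    for h in samples:
        print(h, "->", framing(h))
```

The design choice worth noting is that `framing` never "repairs" an odd header by picking whichever interpretation seems most likely; every ambiguous or malformed case becomes a reject, which is the only outcome a front-end and a backend can be relied upon to agree on.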
--- Begin Message ---
Source: waitress
Source-Version: 1.4.1-1

We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated waitress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Jan 2020 14:04:40 +0100
Source: waitress
Architecture: source
Version: 1.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Closes: 947306 947433
Changes:
 waitress (1.4.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - Closes: #947306:
       CVE-2019-16785: potential HTTP request smuggling/splitting
       due to differences in endline parsing.
       CVE-2019-16786: incorrect treatment of single requests as
       multiple requests in the case of HTTP pipelining due to
       the incorrect parsing of Transfer-Encoding ignoring all but
       the first comma-separated header value.
     - Closes: #947433:
       CVE-2019-16789: potential HTTP request splitting leading
       to potential cache poisoning or unexpected information
       disclosure due to incorrect parsing of special whitespace
       characters in the Transfer-Encoding header.
   * Refresh the documentation configuration patch.
   * Set Rules-Requires-Root: no
   * Bump Standards-Version to 4.4.1, no changes.
   * Replace dh_auto_install override with --shebang.
   * Update debian/copyright.
   * Use ${sphinxdoc:Built-Using}.
Checksums-Sha1:
 38f18ec9dedb8c10276f191d10cf873e9df7a1bd 1878 waitress_1.4.1-1.dsc
 26f2c542eccf4ab15c3fc0310a6fd2274537a42e 166315 waitress_1.4.1.orig.tar.gz
 6b2d446e4a51682a3240a5c2e2cb84279b61670e 5220 waitress_1.4.1-1.debian.tar.xz
Checksums-Sha256:
 f9dafca7efcb6c05801faaa54512391027478819cd3da098d12d3b490f6a44a1 1878 waitress_1.4.1-1.dsc
 54dd6eadfdde8074a82598af4d8692c704cb82a0be609faa47fb76db8dd3ddca 166315 waitress_1.4.1.orig.tar.gz
 95bbd7f35cbac264e7b1e2bdcb2a687425306c1c256c0c754885ca8aed4bacf4 5220 waitress_1.4.1-1.debian.tar.xz
Files:
 a924a8927609b692796f80dcc194a5e1 1878 python optional waitress_1.4.1-1.dsc
 097ea7590bb1cf033738682770ae3f82 166315 python optional waitress_1.4.1.orig.tar.gz
 9fafaf3ebcb4ae0753bc2767a254e12c 5220 python optional waitress_1.4.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAl4MmeAACgkQXkCM2RzY
OdJeIgf/SjVPZl8NfSEm16+DAtaDzxube6VPYquEWAYxP04CjXheBHPb20fhvln5
+Y8XGSeuKs7mxb8d2kkqCE0FKNPPinWQWQCvCw4uG/mddD4AqIb6YM5ERfmb7aJt
7n56dfBJDq35bvPtLuDsvtKZ1HBhKVl5aOedCjRSo99qS2PfL8T+wUPYh7GOfWUc
CERdIgCrJVPj0toPE7Rye2c13scoXn499yKlZ31AETWovUdDXSTKQZRKbBnK1W4I
+LqCP2hZ2c3I9SFTAkmUIn+4iodnq55TepE5/NzdbcUfF1xRW8jGidbKKvi+6FwK
u5yIBru7xgA20wEbmXLhQESNKj9E3Q==
=dHGz
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team