Source: waitress
Version: 2.1.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/Pylons/waitress/issues/374
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for waitress.

CVE-2022-31015[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread
| closing a socket while the main thread is about to call select(). This
| will lead to the main thread raising an exception that is not handled
| and then causing the entire application to be killed. This issue has
| been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to
| close the socket. Instead, that is always delegated to the main
| thread. There is no work-around for this issue. However, users using
| waitress behind a reverse proxy server are less likely to have issues
| if the reverse proxy always reads the full response.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31015
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31015
[1] https://github.com/Pylons/waitress/issues/374
[2] https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
[3] https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48

Please adjust the affected versions in the BTS as needed. Can you confirm
the assessment that the issue was introduced in 2.1.0 upstream only?

Regards,
Salvatore
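The race class described in the CVE text, as an added Python illustration (not waitress's own code, which has its own asyncore-style main loop): one simplified main-loop step in which a worker thread either closes the connection socket itself (the 2.1.0/2.1.1 behaviour) or hands it to the main thread to close (the 2.1.2 approach). The worker is joined before select() so the losing interleaving is reproduced deterministically; the function names and the socketpair setup are assumptions for the demo.

```python
import queue
import select
import socket
import threading

def loop_step_worker_closes(conn, peer):
    """Unsafe pattern (pre-2.1.2 behaviour): the worker thread closes the
    connection socket itself. If the main thread's select() runs after that
    close, select() raises (a closed socket's fileno() is -1 on POSIX) and,
    left unhandled, that exception ends the serving loop, i.e. the server."""
    worker = threading.Thread(target=conn.close)
    worker.start()
    worker.join()                       # worst-case interleaving: close wins
    try:
        select.select([conn, peer], [], [], 0)
        return True                     # loop step survived
    except (ValueError, OSError):
        return False                    # loop step died: server would exit

def loop_step_deferred_close(conn, peer):
    """Hardened pattern (the 2.1.2 approach): the worker only *requests* the
    close; the main thread owns every socket, applies pending closes before it
    builds the select() set, and so never hands select() a dead descriptor."""
    close_requests = queue.Queue()
    worker = threading.Thread(target=close_requests.put, args=(conn,))
    worker.start()
    worker.join()
    live = [conn, peer]
    while True:                         # main thread: drain deferred closes
        try:
            victim = close_requests.get_nowait()
        except queue.Empty:
            break
        victim.close()
        live = [s for s in live if s is not victim]
    try:
        select.select(live, [], [], 0)  # only live sockets reach select()
        return True
    except (ValueError, OSError):
        return False

def run_step(step):
    """Run one loop step on a constructed in-process socket pair."""
    conn, peer = socket.socketpair()
    try:
        return step(conn, peer)
    finally:
        conn.close()                    # no-op if already closed
        peer.close()
```

run_step(loop_step_worker_closes) returns False (the main thread's select() blew up), while run_step(loop_step_deferred_close) returns True.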