Hey all,

Waitress version 1.4.0 has been released. It includes several critical fixes 
for security issues when using Waitress behind a reverse proxy, all of them 
related to HTTP request smuggling/splitting, which can lead to information 
disclosure, potential cache poisoning (if Waitress is used behind a reverse 
proxy that is caching) or related issues.

Please see these advisories:

Treatment of LF vs CRLF (CVE-2019-16785): 
https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
Invalid Transfer-Encoding (CVE-2019-16786): 
https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
Content-Length sent twice (CVE ID requested): 
https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6

Full release notes for the changes are available on PyPI:

https://pypi.org/project/waitress/1.4.0/

Before upgrading in production, please validate that the behavioural changes in 
Waitress do not break your existing setups. Waitress has become more strict in 
parsing HTTP messages, and this may cause issues with clients that require the 
less strict behaviour; you will need to update your clients.

Please do not hesitate to file issues (if not security related) on the Github 
issue tracker: https://github.com/Pylons/waitress/issues

If you have a potential security issue in Waitress, or any Pylons Project, 
please do not hesitate to email us at: pylons-project-secur...@googlegroups.com

Thank you,
Bert JW Regeer
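Editor's added illustration of the bug class the three advisories above name. This is demo code written for this note, not Waitress's parser, and it does not claim to reproduce what Waitress did before 1.4.0: the "lenient" behaviours (a bare LF accepted as a line terminator, an unrecognised Transfer-Encoding ignored in favour of Content-Length, the first of two differing Content-Length values taken) are assumptions chosen to show the mechanism. The strict parser follows RFC 7230 section 3.3.3. Both read the same constructed byte streams; where the lenient one quietly extracts two requests and the strict one refuses the message, a proxy and server pair that disagree in that way would let the second request be smuggled past the front end.

```python
"""Constructed demo for this note (not Waitress code): a strict and a lenient
HTTP/1.1 framing parser read the same byte stream and disagree about where
each request ends, which is the mechanism behind request smuggling."""
import re

class ParseError(Exception):
    """Raised when a parser refuses a malformed message."""

def _split_head(data, strict):
    """(head_lines, body_offset) or None if incomplete. Strict: CRLF line ends
    only; lenient (assumed bad behaviour): a bare LF also ends a line."""
    if strict:
        end = data.find(b"\r\n\r\n")
        if end < 0:
            return None
        lines = data[:end].split(b"\r\n")
        if any(b"\r" in line or b"\n" in line for line in lines):
            raise ParseError("bare CR or LF inside a header line")
        return lines, end + 4
    match = re.search(rb"\r?\n\r?\n", data)
    if match is None:
        return None
    return re.split(rb"\r?\n", data[:match.start()]), match.end()

def _framing(headers, strict):
    """'chunked' or the body length. Strict (RFC 7230 3.3.3) rejects TE with CL,
    unknown codings and conflicting CL; lenient (assumed) takes the first CL."""
    te = [c.strip().lower() for n, v in headers
          if n == b"transfer-encoding" for c in v.split(b",")]
    cl = [v for n, v in headers if n == b"content-length"]
    if strict and te and cl:
        raise ParseError("both Transfer-Encoding and Content-Length present")
    if te == [b"chunked"]:
        return "chunked"
    if te and strict:
        raise ParseError("unsupported Transfer-Encoding %r" % te)
    if strict and cl and (len(set(cl)) > 1 or not cl[0].isdigit()):
        raise ParseError("bad or conflicting Content-Length %r" % cl)
    return int(cl[0]) if cl and cl[0].isdigit() else 0

def _read_chunked(data, pos):
    """Decode a chunked body at pos; (body, pos_after) or None if incomplete."""
    body = b""
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return None
        size_field = data[pos:eol].split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9a-fA-F]+", size_field):
            raise ParseError("bad chunk size %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:  # last chunk: expect an empty line (trailers not handled)
            end = data.find(b"\r\n", pos)
            return None if end < 0 else (body, end + 2)
        if len(data) < pos + size + 2:
            return None
        body, pos = body + data[pos:pos + size], pos + size + 2

def split_requests(data, strict):
    """[(request_line, headers, body), ...]; ParseError on a malformed message."""
    requests, pos = [], 0
    while pos < len(data):
        head = _split_head(data[pos:], strict)
        if head is None:
            break
        lines, start = head[0], pos + head[1]
        parts = [line.partition(b":") for line in lines[1:]]
        if any(not sep or not name.strip() for name, sep, _ in parts):
            raise ParseError("malformed header line")
        headers = [(name.strip().lower(), v.strip()) for name, _, v in parts]
        framing = _framing(headers, strict)
        if framing == "chunked":
            decoded = _read_chunked(data, start)
            if decoded is None:
                break
            body, pos = decoded
        elif len(data) < start + framing:
            break
        else:
            body, pos = data[start:start + framing], start + framing
        requests.append((lines[0], headers, body))
    return requests

def outcome(data, strict):
    try:
        return len(split_requests(data, strict))
    except ParseError:
        return "rejected"

# Constructed streams: a POST then a second request on the same connection.
_NEXT = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
_POST = b"POST / HTTP/1.1\r\nHost: app\r\n"
STREAMS = {
    "clean": _POST + b"Content-Length: 4\r\n\r\nabcd" + _NEXT,
    "chunked_ok": _POST + b"Transfer-Encoding: chunked\r\n\r\n4\r\nabcd\r\n0\r\n\r\n" + _NEXT,
    "bare_lf": _POST + b"Content-Length: 4\nX-Extra: 1\r\n\r\nabcd" + _NEXT,
    "bad_te": _POST + b"Content-Length: 4\r\nTransfer-Encoding: xchunked\r\n\r\nabcd" + _NEXT,
    "dup_cl": _POST + b"Content-Length: 4\r\nContent-Length: 40\r\n\r\nabcd" + _NEXT,
    "te_cl": _POST + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n" + _NEXT,
}

if __name__ == "__main__":
    for name, stream in STREAMS.items():
        print(name, "strict:", outcome(stream, True), "lenient:", outcome(stream, False))
```

Running it prints two requests for both parsers on the two well-formed streams, and "rejected" from the strict parser against two requests from the lenient one on the four malformed ones. The point for operators is the one the announcement makes: after an upgrade the server side of such a pair becomes the strict one, so any client or intermediary that was relying on the lenient framing will start getting errors rather than being silently accepted.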

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-devel/491AA4EE-C4E7-45E8-8442-A5598C20A6D2%400x58.com.