Source: waitress
Version: 1.3.1-4
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for waitress; both are fixed in
new upstream version 1.4.0.

CVE-2019-16785[0]:
| Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230
| which states: "Although the line terminator for the start-line and
| header fields is the sequence CRLF, a recipient MAY recognize a single
| LF as a line terminator and ignore any preceding CR." Unfortunately if
| a front-end server does not parse header fields with an LF the same
| way as it does those with a CRLF it can lead to the front-end and the
| back-end server parsing the same HTTP message in two different ways.
| This can lead to a potential for HTTP request smuggling/splitting
| whereby Waitress may see two requests while the front-end server only
| sees a single HTTP message. This issue is fixed in Waitress 1.4.0.

CVE-2019-16786[1]:
| Waitress through version 1.3.1 would parse the Transfer-Encoding
| header and only look for a single string value, if that value was not
| chunked it would fall through and use the Content-Length header
| instead. According to the HTTP standard Transfer-Encoding should be a
| comma separated list, with the inner-most encoding first, followed by
| any further transfer codings, ending with chunked. Requests sent with:
| "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and
| the request would use a Content-Length header instead to determine the
| body size of the HTTP message. This could allow for Waitress to treat
| a single request as multiple requests in the case of HTTP pipelining.
| This issue is fixed in Waitress 1.4.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16785
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785
[1] https://security-tracker.debian.org/tracker/CVE-2019-16786
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
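The two advisories above both come down to request framing: which bytes end a header line, and which header decides the body length. The following is an added, self-contained illustration written for this report; it is not waitress's parser and does not claim to reproduce the 1.4.0 fix. It places the permissive logic the advisories describe (a single-valued Transfer-Encoding check falling through to Content-Length) next to a strict framer that requires CRLF, treats Transfer-Encoding as a comma-separated list ending in chunked, and refuses any request that could be framed two different ways. The function names and the sample requests are constructed for the example.

```python
"""Strict vs. permissive HTTP/1.1 request framing (hypothetical example, not waitress code)."""
import re

CRLF = b"\r\n"


class FramingError(ValueError):
    """Raised when a request head cannot be framed unambiguously."""


def split_head(raw: bytes):
    """Return (request_line, [(name, value), ...]) from the raw request head.

    Only CRLF is accepted as a line terminator. A bare LF anywhere in the
    head is rejected, so this parser can never count a different number of
    requests than a front end that honours CRLF only (CVE-2019-16785 class).
    """
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise FramingError("incomplete request head")
    head = raw[:end]
    if b"\n" in head.replace(CRLF, b""):
        raise FramingError("bare LF in request head")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field name and colon.
        if not sep or not name or name.strip() != name:
            raise FramingError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return request_line, headers


def naive_body_length(headers):
    """Permissive logic as the advisory describes it: only the literal value
    'chunked' is recognised; anything else falls through to Content-Length."""
    hdrs = dict(headers)
    if hdrs.get("transfer-encoding", "").lower() == "chunked":
        return "chunked"
    return int(hdrs.get("content-length", 0))


def strict_body_length(headers):
    """Frame the body per RFC 7230 section 3.3.3.

    Transfer-Encoding is a comma-separated list whose final coding must be
    chunked. When Transfer-Encoding is present, a Content-Length header is
    not a fallback but a conflict, and the request is rejected (the RFC
    permits rejection; it forbids honouring Content-Length in that case).
    """
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    if te_values:
        if cl_values:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise FramingError("Transfer-Encoding must end with a single chunked coding")
        return "chunked"
    if len(set(cl_values)) > 1:
        raise FramingError("conflicting Content-Length values")
    if not cl_values:
        return 0
    if not re.fullmatch(r"[0-9]+", cl_values[0]):
        raise FramingError("invalid Content-Length")
    return int(cl_values[0])


def check(raw: bytes):
    """Return ('ok', body_length) for an unambiguous head, else ('reject', reason)."""
    try:
        _, headers = split_head(raw)
        return ("ok", strict_body_length(headers))
    except FramingError as exc:
        return ("reject", str(exc))


# Constructed sample heads (not captured traffic).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: gzip, chunked\r\nContent-Length: 4\r\n\r\n")
BARE_LF = b"GET / HTTP/1.1\nHost: example.test\r\n\r\n"
BAD_ORDER = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n"
CHUNKED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
PLAIN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"

if __name__ == "__main__":
    # The permissive path frames AMBIGUOUS by Content-Length; the strict path refuses it.
    print("naive:", naive_body_length(split_head(AMBIGUOUS)[1]))
    for name, raw in [("AMBIGUOUS", AMBIGUOUS), ("BARE_LF", BARE_LF),
                      ("BAD_ORDER", BAD_ORDER), ("CHUNKED", CHUNKED), ("PLAIN", PLAIN)]:
        print(f"{name:10} ->", check(raw))
```

The design choice worth noting is that `strict_body_length` rejects rather than "repairs" a head that carries both framing headers: a back end that silently prefers one of them is still only safe if every front end in the chain makes the same choice, which is exactly the assumption both CVEs show to be fragile.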