Source: waitress
Version: 3.0.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.1.2-2

Hi,

The following vulnerability was published for waitress.

CVE-2024-49768[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. A remote client may send a request that is exactly recv_bytes
| (defaults to 8192) long, followed by a secondary request using HTTP
| pipelining. When request lookahead is disabled (default) we won't
| read any more requests, and when the first request fails due to a
| parsing error, we simply close the connection. However when request
| lookahead is enabled, it is possible to process and receive the
| first request, start sending the error message back to the client
| while we read the next request and queue it. This will allow the
| secondary request to be serviced by the worker thread while the
| connection should be closed. Waitress 3.0.1 fixes the race
| condition. As a workaround, disable channel_request_lookahead, this
| is set to 0 by default disabling this feature.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49768
    https://www.cve.org/CVERecord?id=CVE-2024-49768
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

Regards,
Salvatore
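The advisory quoted above gives two conditions for exposure: a waitress release older than 3.0.1, and channel_request_lookahead set to a value greater than 0 (the default of 0 disables lookahead). The following is an added example, not part of the bug report or of the waitress project, that encodes those two conditions as an inventory check a maintainer can run over a list of deployments. The deployment inventory and the audit/is_exposed/parse_version helper names are constructed for this illustration; the channel_request_lookahead setting and the 3.0.1 fix version are the ones named in the advisory.

```python
"""Audit waitress deployments against CVE-2024-49768.

Conditions taken from the advisory quoted in the bug report:
  * affected: waitress < 3.0.1 (3.0.1 contains the fix), and
  * channel_request_lookahead > 0 (default 0 disables the feature).
Both must hold for the race to be reachable.
"""
import re

# Version that ships the upstream fix (from the advisory).
FIXED_VERSION = (3, 0, 1)


def parse_version(version: str) -> tuple:
    """Reduce a version string to a comparable (major, minor, patch) tuple.

    Accepts plain upstream versions ('3.0.0') and Debian-style versions with a
    packaging revision ('2.1.2-2'); the revision is dropped because it says
    nothing about the upstream code level.
    """
    upstream = version.split("-", 1)[0]
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_exposed(version: str, channel_request_lookahead: int = 0) -> bool:
    """True when this deployment meets both conditions from the advisory."""
    return parse_version(version) < FIXED_VERSION and channel_request_lookahead > 0


def audit(deployments) -> list:
    """Return the names of deployments that are still exposed.

    `deployments` is an iterable of (name, version, channel_request_lookahead).
    """
    return [name for name, ver, lookahead in deployments if is_exposed(ver, lookahead)]


# Constructed sample inventory (hypothetical hosts, not from the report).
SAMPLE_DEPLOYMENTS = [
    ("api-old-lookahead", "3.0.0-1", 10),   # unfixed, lookahead on  -> exposed
    ("api-old-default",   "3.0.0-1", 0),    # unfixed, default 0     -> not exposed
    ("api-fixed",         "3.0.1",   10),   # fixed release          -> not exposed
    ("legacy-stable",     "2.1.2-2", 4),    # Debian stable, on      -> exposed
]


if __name__ == "__main__":
    for name in audit(SAMPLE_DEPLOYMENTS):
        print(f"{name}: upgrade to >= 3.0.1 or set channel_request_lookahead=0")
```

For a deployment that cannot be upgraded immediately, the workaround the advisory names is to leave channel_request_lookahead at its default of 0 (or pass channel_request_lookahead=0 explicitly to waitress.serve) until the fixed package is installed.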