Your message dated Wed, 01 Jan 2020 13:19:10 +0000 with message-id <e1imdu2-0001jl...@fasolo.debian.org> and subject line Bug#947306: fixed in waitress 1.4.1-1 has caused the Debian Bug report #947306, regarding waitress: CVE-2019-16785 CVE-2019-16786 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 947306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: waitress Version: 1.3.1-4 Severity: grave Tags: security upstream Hi, The following vulnerabilities were published for waitress, both are fixed in new upstream version 1.4.0. CVE-2019-16785[0]: | Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 | which states: "Although the line terminator for the start-line and | header fields is the sequence CRLF, a recipient MAY recognize a single | LF as a line terminator and ignore any preceding CR." Unfortunately if | a front-end server does not parse header fields with an LF the same | way as it does those with a CRLF it can lead to the front-end and the | back-end server parsing the same HTTP message in two different ways. | This can lead to a potential for HTTP request smuggling/splitting | whereby Waitress may see two requests while the front-end server only | sees a single HTTP message. This issue is fixed in Waitress 1.4.0. CVE-2019-16786[1]: | Waitress through version 1.3.1 would parse the Transfer-Encoding | header and only look for a single string value, if that value was not | chunked it would fall through and use the Content-Length header | instead. According to the HTTP standard Transfer-Encoding should be a | comma separated list, with the inner-most encoding first, followed by | any further transfer codings, ending with chunked. Requests sent with: | "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and | the request would use a Content-Length header instead to determine the | body size of the HTTP message. This could allow for Waitress to treat | a single request as multiple requests in the case of HTTP pipelining. | This issue is fixed in Waitress 1.4.0. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-16785 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785 [1] https://security-tracker.debian.org/tracker/CVE-2019-16786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: waitress Source-Version: 1.4.1-1 We believe that the bug you reported is fixed in the latest version of waitress, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 947...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andrej Shadura <andre...@debian.org> (supplier of updated waitress package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 01 Jan 2020 14:04:40 +0100 Source: waitress Architecture: source Version: 1.4.1-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org> Changed-By: Andrej Shadura <andre...@debian.org> Closes: 947306 947433 Changes: waitress (1.4.1-1) unstable; urgency=medium . * New upstream release. - Closes: #947306: CVE-2019-16785: potential HTTP request smuggling/splitting due to differences in endline parsing. CVE-2019-16786: incorrect treatment of single requests as multiple requests in the case of HTTP pipelining due to the incorrect parsing of Transfer-Encoding ignoring all but the first comma-separated header value. - Closes: #947433: CVE-2019-16789: potential HTTP request splitting leading to potential cache poisoning or unexpected information disclosure due to incorrect parsing of special whitespace characters in the Transfer-Encoding header. * Refresh the documentation configuration patch. * Set Rules-Requires-Root: no * Bump Standards-Version to 4.4.1, no changes. * Replace dh_auto_install override with --shebang. * Update debian/copyright. * Use ${sphinxdoc:Built-Using}. Checksums-Sha1: 38f18ec9dedb8c10276f191d10cf873e9df7a1bd 1878 waitress_1.4.1-1.dsc 26f2c542eccf4ab15c3fc0310a6fd2274537a42e 166315 waitress_1.4.1.orig.tar.gz 6b2d446e4a51682a3240a5c2e2cb84279b61670e 5220 waitress_1.4.1-1.debian.tar.xz Checksums-Sha256: f9dafca7efcb6c05801faaa54512391027478819cd3da098d12d3b490f6a44a1 1878 waitress_1.4.1-1.dsc 54dd6eadfdde8074a82598af4d8692c704cb82a0be609faa47fb76db8dd3ddca 166315 waitress_1.4.1.orig.tar.gz 95bbd7f35cbac264e7b1e2bdcb2a687425306c1c256c0c754885ca8aed4bacf4 5220 waitress_1.4.1-1.debian.tar.xz Files: a924a8927609b692796f80dcc194a5e1 1878 python optional waitress_1.4.1-1.dsc 097ea7590bb1cf033738682770ae3f82 166315 python optional waitress_1.4.1.orig.tar.gz 9fafaf3ebcb4ae0753bc2767a254e12c 5220 python optional waitress_1.4.1-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAl4MmeAACgkQXkCM2RzY OdJeIgf/SjVPZl8NfSEm16+DAtaDzxube6VPYquEWAYxP04CjXheBHPb20fhvln5 +Y8XGSeuKs7mxb8d2kkqCE0FKNPPinWQWQCvCw4uG/mddD4AqIb6YM5ERfmb7aJt 7n56dfBJDq35bvPtLuDsvtKZ1HBhKVl5aOedCjRSo99qS2PfL8T+wUPYh7GOfWUc CERdIgCrJVPj0toPE7Rye2c13scoXn499yKlZ31AETWovUdDXSTKQZRKbBnK1W4I +LqCP2hZ2c3I9SFTAkmUIn+4iodnq55TepE5/NzdbcUfF1xRW8jGidbKKvi+6FwK u5yIBru7xgA20wEbmXLhQESNKj9E3Q== =dHGz -----END PGP SIGNATURE-----
--- End Message ---
