[SECURITY] [DLA 2056-1] waitress security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : waitress
Version : 0.8.9-2+deb8u1
Debian Bug : #765126
It was discovered that there was a HTTP request smuggling
vulnerability in waitress, pure-Python WSGI server.
If a proxy server is used in front of waitress, an invalid request
may be sent by an attacker that bypasses the front-end and is parsed
differently by waitress leading to a potential for request smuggling.
Specially crafted requests containing special whitespace characters
in the Transfer-Encoding header would get parsed by Waitress as being
a chunked request, but a front-end server would use the
Content-Length instead as the Transfer-Encoding header is considered
invalid due to containing invalid characters. If a front-end server
does HTTP pipelining to a backend Waitress server this could lead to
HTTP request splitting which may lead to potential cache poisoning or
information disclosure.
For Debian 8 "Jessie", this issue has been fixed in waitress version
0.8.9-2+deb8u1.
We recommend that you upgrade your waitress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Regards,
- --
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl4MpCkACgkQHpU+J9Qx
HlgiDBAAqTn8jF9NkZKCSMyMZsW+Wb4DazHGkEmzl1Uf/u9padPzIo5WKYkuFT3F
AaLaGou8k9DdMZ3i7e9KSZw31vBcyj7oSVaFKBU/SUklC/V5BB8BMhecd+9fPZw8
sk+j7Nm+0iK+ah///RWpm4oG+CfXPXHqeit74pJt02a1mc0DU2cJcMerKkKmeQc7
aD8PlWeTLDO361sJLR9v/5djyEm9Eo6pP7fc7ueMAoPQjS3xxxwUzLBhOEZnWGek
1LS9cwRG4mzfNN8e8GW7cXKqD373iEKBr9o97M6sxwkC4YXrIAzPMcQHo4oJh+Yp
x3rOyxibwJlRpp+gftIjKNGg7SZ3/MFrjtyikLkKz/Q9abLPBrRhLlYSthWVt26b
nbd2s9XVMwqcnKBQj90LZGGB2oudKvL0xdkd8q24NLd/7iPSVVF7Oc4x3iHtjiYv
udTrhcLg+PYpqYKVa0bxXcO65q0PFZkAR7yQHuwPATPSu9HdhRezDjip9GPBrcMr
uOqKpVHGznTTpwDuRDgKd8QaTSnkf1Mn1b/qhOFRqfnnrsLXebZPgqLoMSNzbRRU
aDQ+CW/mie1N9WF5389FfKRZh20UmltU1hS29gC2vaeJYzl9Fp5n8WEbFsUnUirY
zD5KfhJEg/t9Yr7Mzd0jsrdgwBUDAzfEoc9n58gICPRyQDjhxjc=
=a6SU
-----END PGP SIGNATURE-----
Reply to: