waitress: CVE-2019-16789

Debian Bug report logs - #947433
waitress: CVE-2019-16789

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: waitress: CVE-2019-16789

Date: Thu, 26 Dec 2019 22:21:12 +0100

Source: waitress
Version: 1.3.1-4
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for waitress, filling a
distinct bug for that as the already filled #947306 for two other CVEs
as this one is only fixed in 1.4.1 upstream.

CVE-2019-16789[0]:
| In Waitress through version 1.4.0, if a proxy server is used in front
| of waitress, an invalid request may be sent by an attacker that
| bypasses the front-end and is parsed differently by waitress leading
| to a potential for HTTP request smuggling. Specially crafted requests
| containing special whitespace characters in the Transfer-Encoding
| header would get parsed by Waitress as being a chunked request, but a
| front-end server would use the Content-Length instead as the Transfer-
| Encoding header is considered invalid due to containing invalid
| characters. If a front-end server does HTTP pipelining to a backend
| Waitress server this could lead to HTTP request splitting which may
| lead to potential cache poisoning or unexpected information
| disclosure. This issue is fixed in Waitress 1.4.1 through more strict
| HTTP field validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
[1] https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Send a report that this bug log contains spam.