Debian Bug report logs -
#1008013
waitress: CVE-2022-24761
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1008013; Package src:waitress.
(Sun, 20 Mar 2022 14:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>.
(Sun, 20 Mar 2022 14:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: waitress
Version: 1.4.4-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for waitress.
CVE-2022-24761[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| When using Waitress versions 2.1.0 and prior behind a proxy that does
| not properly validate the incoming HTTP request matches the RFC7230
| standard, Waitress and the frontend proxy may disagree on where one
| request starts and where it ends. This would allow requests to be
| smuggled via the front-end proxy to waitress and later behavior. There
| are two classes of vulnerability that may lead to request smuggling
| that are addressed by this advisory: The use of Python's `int()` to
| parse strings into integers, leading to `+10` to be parsed as `10`, or
| `0x01` to be parsed as `1`, where as the standard specifies that the
| string should contain only digits or hex digits; and Waitress does not
| support chunk extensions, however it was discarding them without
| validating that they did not contain illegal characters. This
| vulnerability has been patched in Waitress 2.1.1. A workaround is
| available. When deploying a proxy in front of waitress, turning on any
| and all functionality to make sure that the request matches the
| RFC7230 standard. Certain proxy servers may not have this
| functionality though and users are encouraged to upgrade to the latest
| version of waitress instead.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
[2] https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Mar 21 13:09:42 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon