Debian Bug report logs -
#1012315
waitress: CVE-2022-31015
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
:
Bug#1012315
; Package src:waitress
.
(Fri, 03 Jun 2022 19:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
.
(Fri, 03 Jun 2022 19:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: waitress
Version: 2.1.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/Pylons/waitress/issues/374
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for waitress.
CVE-2022-31015[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread
| closing a socket while the main thread is about to call select(). This
| will lead to the main thread raising an exception that is not handled
| and then causing the entire application to be killed. This issue has
| been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to
| close the socket. Instead, that is always delegated to the main
| thread. There is no work-around for this issue. However, users using
| waitress behind a reverse proxy server are less likely to have issues
| if the reverse proxy always reads the full response.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31015
[1] https://github.com/Pylons/waitress/issues/374
[2] https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
[3] https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48
Please adjust the affected versions in the BTS as needed, can you
confirm if the assessment that the issue is introduced in 2.1.0
upstream only?
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jun 4 13:13:29 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.