Bug#896548: gunicorn: CVE-2018-1000164

2018-04-29 Thread Moritz Mühlenhoff
On Mon, Apr 23, 2018 at 12:41:31PM +0100, Chris Lamb wrote:
> Hi Moritz,
> 
> > > > gunicorn: CVE-2018-1000164
> > > 
> > > I've prepared an upload for jessie. Permission to upload? :)
> > 
> > Thanks, please upload.
> 
> gunicorn_19.0-1+deb8u1_amd64.changes uploaded.

Released yesterday, thanks.

Cheers,
Moritz



Bug#896548: gunicorn: CVE-2018-1000164

2018-04-23 Thread Chris Lamb
Hi Moritz,

> > > gunicorn: CVE-2018-1000164
> > 
> > I've prepared an upload for jessie. Permission to upload? :)
> 
> Thanks, please upload.

gunicorn_19.0-1+deb8u1_amd64.changes uploaded.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#896548: gunicorn: CVE-2018-1000164

2018-04-23 Thread Moritz Muehlenhoff
On Sun, Apr 22, 2018 at 10:17:28AM +0100, Chris Lamb wrote:
> Hi security team,
> 
> > gunicorn: CVE-2018-1000164
> 
> I've prepared an upload for jessie. Permission to upload? :)

Thanks, please upload.

Cheers,
Moritz



Bug#896548: gunicorn: CVE-2018-1000164

2018-04-22 Thread Chris Lamb
Hi security team,

> gunicorn: CVE-2018-1000164

I've prepared an upload for jessie. Permission to upload? :)
  
   changelog  |8 
   patches/CVE-2018-1000164.patch |   38 ++
   patches/series |1 +
   3 files changed, 47 insertions(+)
  
  diff -Nru gunicorn-19.0/debian/changelog gunicorn-19.0/debian/changelog
  --- gunicorn-19.0/debian/changelog2014-07-05 18:09:22.0 +0200
  +++ gunicorn-19.0/debian/changelog2018-04-22 11:14:10.0 +0200
  @@ -1,3 +1,11 @@
  +gunicorn (19.0-1+deb8u1) jessie-security; urgency=high
  +
  +  * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could
  +result in an attacker tricking the server into returning arbitrary HTTP
  +headers. (Closes: #896548)
  +
  + -- Chris Lamb   Sun, 22 Apr 2018 11:14:07 +0200
  +
   gunicorn (19.0-1) unstable; urgency=low
   
 * New upstream release.
  diff -Nru […]
  --- gunicorn-19.0/debian/patches/CVE-2018-1000164.patch
  +++ gunicorn-19.0/debian/patches/CVE-2018-1000164.patch
  @@ -0,0 +1,38 @@
  +From: Chris Lamb 
  +Date: Sun, 22 Apr 2018 11:08:39 +0200
  +Subject: CVE-2018-1000164
  +
  +---
  + gunicorn/http/wsgi.py | 5 +
  + 1 file changed, 5 insertions(+)
  +
  +diff --git a/gunicorn/http/wsgi.py b/gunicorn/http/wsgi.py
  +index 303b890ed397..5b49dcf1795a 100644
  +--- a/gunicorn/http/wsgi.py
   b/gunicorn/http/wsgi.py
  +@@ -9,6 +9,7 @@ import os
  + import re
  + import sys
  + 
  ++from gunicorn.http.errors import InvalidHeader
  + from gunicorn.six import unquote_to_wsgi_str, string_types, binary_type, 
reraise
  + from gunicorn import SERVER_SOFTWARE
  + import gunicorn.six as six
  +@@ -23,6 +24,7 @@ except ImportError:
  + except ImportError:
  + sendfile = None
  + 
  ++HEADER_VALUE_RE = re.compile(r"[\x07\x1B\f\n\r\t\v]")
  + NORMALIZE_SPACE = re.compile(r'(?:\r\n)?[ \t]+')
  + 
  + log = logging.getLogger(__name__)
  +@@ -256,6 +258,9 @@ class Response(object):
  + for name, value in headers:
  + assert isinstance(name, string_types), "%r is not a string" % 
name
  + 
  ++if HEADER_VALUE_RE.search(value):
  ++raise InvalidHeader('%r' % value)
  ++
  + value = str(value).strip()
  + lname = name.lower().strip()
  + if lname == "content-length":
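Review bot: the new check at `+if HEADER_VALUE_RE.search(value):` runs on the raw `value` before the existing `value = str(value).strip()` conversion, so a non-string value that the following line tolerates (an integer Content-Length, for instance) would now raise TypeError from re.search rather than pass or be rejected as InvalidHeader; search `str(value)` instead, or move the check below the conversion. Two further points on the same hunk: the character class includes `\t`, which RFC 7230 permits inside a field value, so valid tab-containing values are refused as well, and `name` receives only the isinstance assert, so header names get no equivalent control-character validation. The patch header (`From:`/`Date:`/`Subject: CVE-2018-1000164` followed by an empty body) should also carry a short description and a Bug/Origin reference in the DEP-3 style so future maintainers can trace the change.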
  diff -Nru gunicorn-19.0/debian/patches/series 
gunicorn-19.0/debian/patches/series
  --- gunicorn-19.0/debian/patches/series   2014-07-05 18:09:22.0 
+0200
  +++ gunicorn-19.0/debian/patches/series   2018-04-22 11:14:10.0 
+0200
  @@ -1 +1,2 @@
   0001-drop-supplemental-groups.patch
  +CVE-2018-1000164.patch

Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#896548: gunicorn: CVE-2018-1000164

2018-04-22 Thread Chris Lamb
Package: gunicorn
Version: 0.14.5-3+deb7u1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for gunicorn.

CVE-2018-1000164[0]:
| gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of
| CRLF Sequences in HTTP Headers vulnerability in "process_headers"
| function in "gunicorn/http/wsgi.py" that can result in an attacker
| causing the server to return arbitrary HTTP headers. This
| vulnerability appears to have been fixed in 19.5.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000164


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
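The header-splitting behaviour described in the CVE text and the value check introduced by the patch earlier in this thread, as an added example written for this page rather than gunicorn's own code: only the `HEADER_VALUE_RE` pattern and the `InvalidHeader` name come from the patch; the `serialize_headers_*`, `is_safe_header_value` and `count_header_lines` functions and the sample header list are constructed here.

```python
import re

# Character class added by the CVE-2018-1000164 patch: control characters
# that must never appear inside a header value handed to the response writer.
HEADER_VALUE_RE = re.compile(r"[\x07\x1B\f\n\r\t\v]")


class InvalidHeader(ValueError):
    """Raised when an application supplies a header value with control characters."""


def is_safe_header_value(value):
    """True when str(value) contains none of the forbidden control characters.

    Validating str(value) rather than value keeps non-string values such as an
    integer Content-Length from raising TypeError inside re.search.
    """
    return HEADER_VALUE_RE.search(str(value)) is None


def serialize_headers_unchecked(headers):
    """Pre-fix behaviour: join name/value pairs with CRLF and trust the values.

    A value containing "\\r\\n" ends its header line early, and whatever follows
    is emitted as additional header lines (CWE-113 header injection).
    """
    return "".join("%s: %s\r\n" % (n, str(v).strip()) for n, v in headers)


def serialize_headers_checked(headers):
    """Post-fix behaviour: refuse any value that fails is_safe_header_value."""
    out = []
    for name, value in headers:
        if not is_safe_header_value(value):
            raise InvalidHeader("%r" % value)
        out.append("%s: %s\r\n" % (name, str(value).strip()))
    return "".join(out)


def count_header_lines(wire):
    """Number of non-empty header lines in a serialized header block."""
    return len([line for line in wire.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed sample: an app copies an unvalidated value into Location.
    tainted = [("Location", "/home\r\nX-Injected: 1")]
    print(count_header_lines(serialize_headers_unchecked(tainted)))  # 2 lines
    try:
        serialize_headers_checked(tainted)
    except InvalidHeader as exc:
        print("rejected:", exc)
```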