Hi security team,
> gunicorn: CVE-2018-1000164
I've prepared an upload for jessie. Permission to upload? :)
 changelog                      |  8
 patches/CVE-2018-1000164.patch | 38 ++
 patches/series                 |  1 +
 3 files changed, 47 insertions(+)
diff -Nru gunicorn-19.0/debian/changelog gunicorn-19.0/debian/changelog
--- gunicorn-19.0/debian/changelog 2014-07-05 18:09:22.0 +0200
+++ gunicorn-19.0/debian/changelog 2018-04-22 11:14:10.0 +0200
@@ -1,3 +1,11 @@
+gunicorn (19.0-1+deb8u1) jessie-security; urgency=high
+
+ * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could
+result in an attacker tricking the server into returning arbitrary HTTP
+headers. (Closes: #896548)
+
+ -- Chris Lamb Sun, 22 Apr 2018 11:14:07 +0200
+
gunicorn (19.0-1) unstable; urgency=low
* New upstream release.
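Review bot: the continuation lines of the new changelog entry (`+result in an attacker tricking the server into returning arbitrary HTTP` and `+headers. (Closes: #896548)`) appear flush-left here; if that is not just mail wrapping, indent them four spaces so they sit under the `* CVE-2018-1000164:` bullet, since changelog body lines must begin with whitespace for the entry to parse cleanly.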
diff -Nru […]
--- gunicorn-19.0/debian/patches/CVE-2018-1000164.patch
+++ gunicorn-19.0/debian/patches/CVE-2018-1000164.patch
@@ -0,0 +1,38 @@
+From: Chris Lamb
+Date: Sun, 22 Apr 2018 11:08:39 +0200
+Subject: CVE-2018-1000164
+
+---
+ gunicorn/http/wsgi.py | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gunicorn/http/wsgi.py b/gunicorn/http/wsgi.py
+index 303b890ed397..5b49dcf1795a 100644
+--- a/gunicorn/http/wsgi.py
b/gunicorn/http/wsgi.py
+@@ -9,6 +9,7 @@ import os
+ import re
+ import sys
+
++from gunicorn.http.errors import InvalidHeader
+ from gunicorn.six import unquote_to_wsgi_str, string_types, binary_type,
reraise
+ from gunicorn import SERVER_SOFTWARE
+ import gunicorn.six as six
+@@ -23,6 +24,7 @@ except ImportError:
+ except ImportError:
+ sendfile = None
+
++HEADER_VALUE_RE = re.compile(r"[\x07\x1B\f\n\r\t\v]")
+ NORMALIZE_SPACE = re.compile(r'(?:\r\n)?[ \t]+')
+
+ log = logging.getLogger(__name__)
+@@ -256,6 +258,9 @@ class Response(object):
+ for name, value in headers:
+ assert isinstance(name, string_types), "%r is not a string" %
name
+
++if HEADER_VALUE_RE.search(value):
++raise InvalidHeader('%r' % value)
++
+ value = str(value).strip()
+ lname = name.lower().strip()
+ if lname == "content-length":
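Review bot: the new check in the `for name, value in headers:` loop validates only `value`; the header `name` is still accepted with nothing more than the pre-existing `assert isinstance(name, string_types)`, so a CR or LF embedded in a header name would still be written into the response. Apply the same rejection to `name` (for example `if HEADER_VALUE_RE.search(name) or HEADER_VALUE_RE.search(value): raise InvalidHeader(...)`) or add a dedicated name pattern. Two smaller points: the search runs on `value` before the existing `value = str(value).strip()` conversion, so a non-string value raises TypeError from `re.search` instead of InvalidHeader; move the check below that line or search `str(value)`. And the class `[\x07\x1B\f\n\r\t\v]` enumerates seven specific control characters rather than the full C0 range plus DEL (`[\x00-\x1F\x7F]`), while it also rejects HTAB, which RFC 7230 permits inside a field value (and which `NORMALIZE_SPACE` just above is written to handle); decide which policy is intended and record it in a comment next to the regex.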
diff -Nru gunicorn-19.0/debian/patches/series gunicorn-19.0/debian/patches/series
--- gunicorn-19.0/debian/patches/series 2014-07-05 18:09:22.0 +0200
+++ gunicorn-19.0/debian/patches/series 2018-04-22 11:14:10.0 +0200
@@ -1 +1,2 @@
0001-drop-supplemental-groups.patch
+CVE-2018-1000164.patch
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-