Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-waitress for openSUSE:Factory checked in at 2022-03-20 20:55:09

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-waitress (Old)
 and      /work/SRC/openSUSE:Factory/.python-waitress.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-waitress"

Sun Mar 20 20:55:09 2022 rev:24 rq:962909 version:2.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-waitress/python-waitress.changes 2021-11-09 23:54:07.703937885 +0100
+++ /work/SRC/openSUSE:Factory/.python-waitress.new.25692/python-waitress.changes 2022-03-20 20:55:16.258502495 +0100
@@ -1,0 +2,23 @@ +Thu Mar 17 17:42:42 UTC 2022 - Dirk M??ller <dmuel...@suse.com> + +- update to 2.1.1 (bsc#1197255, CVE-2022-24761): + * Waitress now validates that chunked encoding extensions are valid, and don???t + contain invalid characters that are not allowed. They are still skipped/not + processed, but if they contain invalid data we no longer continue in and return + a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling. + Thanks to Zhang Zeyu for reporting this issue. See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + * Waitress now validates that the chunk length is only valid hex digits when + parsing chunked encoding, and values such as 0x01 and +01 are no longer + supported. This stops potential HTTP desync/HTTP request smuggling. Thanks + to Zhang Zeyu for reporting this issue. See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + * Waitress now validates that the Content-Length sent by a remote contains only + digits in accordance with RFC7230 and will return a 400 Bad Request when the + Content-Length header contains invalid data, such as +10 which would + previously get parsed as 10 and accepted. This stops potential HTTP + desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. + See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + +------------------------------------------------------------------- Old: ---- waitress-2.0.0.tar.gz New: ---- waitress-2.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-waitress.spec ++++++ --- /var/tmp/diff_new_pack.GXgIlZ/_old 2022-03-20 20:55:17.070503663 +0100 +++ /var/tmp/diff_new_pack.GXgIlZ/_new 2022-03-20 20:55:17.078503675 +0100 
@@ -1,7 +1,7 @@ # -# spec file for package python-waitress +# spec file # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -33,7 +33,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-waitress%{psuffix} -Version: 2.0.0 +Version: 2.1.1 Release: 0 Summary: Waitress WSGI server License: ZPL-2.1 ++++++ waitress-2.0.0.tar.gz -> waitress-2.1.1.tar.gz ++++++ ++++ 3388 lines of diff (skipped)
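Review bot: the new python-waitress.changes entry covers the jump from the removed waitress-2.0.0.tar.gz to 2.1.1 but lists only the three CVE-2022-24761 fixes; any other upstream changes between those two versions are not summarized, so add a pointer to the upstream changelog for the skipped release(s) or a line saying nothing else relevant changed. Minor: the third bullet is missing a full stop after "This stops potential HTTP desync/HTTP request smuggling" before "Thanks to Zhang Zeyu".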
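Review bot: the first spec hunk turns "# spec file for package python-waitress" into "# spec file", dropping the package name from the standard SUSE header comment; that looks like an accidental edit made alongside the copyright-year bump (2021 to 2022) and should be reverted so the header keeps naming the package.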
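The three changelog bullets for 2.1.1 describe one class of bug: a framing field (Content-Length, chunk-size, chunk extensions) parsed with a routine that accepts forms the RFC 7230 grammar does not, so that two parsers in the request path can disagree about where a body ends. The following Python is an added illustration and is not waitress code; it contrasts Python's int(), which accepts "+10", " 10" and "1_0", with a strict check written from the RFC 7230 grammar. The regexes, function names and sample values are this example's own assumptions (it transcribes RFC 7230's chunk-ext grammar, which allows no whitespace around ";" and "=", and treats any rejected value as a 400 rather than a guess).

```python
"""Lenient vs strict parsing of HTTP/1.1 framing fields.

Added example, not code from waitress. It contrasts Python's int(), which
accepts b'+10', b' 10' and b'1_0', with the RFC 7230 grammar:
  Content-Length = 1*DIGIT
  chunk-size     = 1*HEXDIG
  chunk-ext      = *( ";" token [ "=" ( token / quoted-string ) ] )
Two HTTP parsers that disagree on where a body ends are the precondition
for request smuggling, which is why 2.1.1 rejects these forms outright.
"""
import re

# RFC 7230 grammar as bytes regexes (this example's own transcription).
_CONTENT_LENGTH_RE = re.compile(rb"[0-9]+")        # 1*DIGIT
_CHUNK_SIZE_RE = re.compile(rb"[0-9a-fA-F]+")      # 1*HEXDIG
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # 1*tchar
# DQUOTE *( qdtext / quoted-pair ) DQUOTE; qdtext excludes DQUOTE, backslash, CTLs
_QUOTED_STRING = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
_CHUNK_EXT_RE = re.compile(
    rb"(?:;" + _TOKEN + rb"(?:=(?:" + _TOKEN + rb"|" + _QUOTED_STRING + rb"))?)*"
)


def lenient_content_length(value: bytes) -> int:
    """What a parser that just calls int() does: a sign, surrounding
    whitespace and digit-grouping underscores are silently accepted."""
    return int(value)


def strict_content_length(value: bytes) -> int:
    """Accept only 1*DIGIT; anything else is a 400 Bad Request, not a guess."""
    if not _CONTENT_LENGTH_RE.fullmatch(value):
        raise ValueError("invalid Content-Length: %r" % (value,))
    return int(value)


def parse_chunk_size_line(line: bytes) -> int:
    """Parse 'chunk-size [ chunk-ext ]', the line that precedes each chunk body.

    The size must be bare hex digits: b'0x01' and b'+01' are rejected even
    though int(x, 16) would accept them. Extensions are validated against the
    grammar and then ignored, matching what the changelog describes.
    """
    if line.endswith(b"\r\n"):
        line = line[:-2]
    cut = line.find(b";")       # chunk-size cannot contain ';', so the first
    if cut < 0:                 # one necessarily starts the extension list
        size, ext = line, b""
    else:
        size, ext = line[:cut], line[cut:]
    if not _CHUNK_SIZE_RE.fullmatch(size):
        raise ValueError("invalid chunk-size: %r" % (size,))
    if not _CHUNK_EXT_RE.fullmatch(ext):
        raise ValueError("invalid chunk-ext: %r" % (ext,))
    return int(size, 16)


def rejected(parser, value: bytes) -> bool:
    """True if `parser` refuses `value` with ValueError."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


def framing_disagreements(values):
    """Values that int() accepts but the RFC grammar rejects. Each one is an
    input on which a strict front end and a lenient back end would frame the
    request differently, which is the desync the advisory is about."""
    return [
        v for v in values
        if not rejected(lenient_content_length, v)
        and rejected(strict_content_length, v)
    ]


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for v in [b"10", b"+10", b" 10", b"1_0", b"010", b"abc"]:
        lenient = "reject" if rejected(lenient_content_length, v) else lenient_content_length(v)
        strict = "reject" if rejected(strict_content_length, v) else strict_content_length(v)
        print("Content-Length %-7r lenient=%-7s strict=%s" % (v, lenient, strict))
    for chunk_line in [b"a\r\n", b"A;foo=bar", b'1f;name="a;b"', b"0x01", b"+01", b"a; foo"]:
        result = "reject" if rejected(parse_chunk_size_line, chunk_line) else parse_chunk_size_line(chunk_line)
        print("chunk line %-18r -> %s" % (chunk_line, result))
```

Running the block prints the disagreement table; the point to take away is that a validator must come from the grammar (fullmatch against 1*DIGIT / 1*HEXDIG) rather than from whatever the language's integer conversion happens to tolerate, because the latter is exactly the difference an attacker exploits between two hops.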