Your message dated Tue, 10 May 2022 01:19:29 +0000
with message-id <[email protected]>
and subject line Bug#1008013: fixed in waitress 2.1.1-1
has caused the Debian Bug report #1008013,
regarding waitress: CVE-2022-24761
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1008013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: waitress
Version: 1.4.4-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for waitress.
CVE-2022-24761[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| When using Waitress versions 2.1.0 and prior behind a proxy that does
| not properly validate the incoming HTTP request matches the RFC7230
| standard, Waitress and the frontend proxy may disagree on where one
| request starts and where it ends. This would allow requests to be
| smuggled via the front-end proxy to waitress and later behavior. There
| are two classes of vulnerability that may lead to request smuggling
| that are addressed by this advisory: The use of Python's `int()` to
| parse strings into integers, leading to `+10` to be parsed as `10`, or
| `0x01` to be parsed as `1`, whereas the standard specifies that the
| string should contain only digits or hex digits; and Waitress does not
| support chunk extensions, however it was discarding them without
| validating that they did not contain illegal characters. This
| vulnerability has been patched in Waitress 2.1.1. A workaround is
| available. When deploying a proxy in front of waitress, turning on any
| and all functionality to make sure that the request matches the
| RFC7230 standard. Certain proxy servers may not have this
| functionality though and users are encouraged to upgrade to the latest
| version of waitress instead.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
[2] https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
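The two parsing classes the advisory describes, shown side by side as an added example; this is constructed illustration code, not waitress's parser or anything from the bug report. It assumes the RFC 7230 grammar for Content-Length, chunk-size and chunk-ext, and the helper names (`strict_content_length`, `strict_chunk_size`, `lenient_only`) are invented here.

```python
import re

# Grammar from RFC 7230 (constructed here; not waitress's own parser):
#   Content-Length = 1*DIGIT          chunk-size = 1*HEXDIG
#   chunk-ext = *( ";" token [ "=" ( token / quoted-string ) ] )
_DIGITS = re.compile(rb"[0-9]+")
_HEXDIGITS = re.compile(rb"[0-9A-Fa-f]+")
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
_CHUNK_EXT = re.compile(rb"(?:;" + _TOKEN + rb"(?:=(?:" + _TOKEN + rb"|" + _QUOTED + rb"))?)*")

def strict_content_length(value: bytes) -> int:
    # int() silently normalises b"+10", b" 10" or b"1_0" to 10; 1*DIGIT forbids all of them.
    if not _DIGITS.fullmatch(value):
        raise ValueError("Content-Length is not 1*DIGIT: %r" % value)
    return int(value)

def strict_chunk_size(line: bytes) -> int:
    # `line` is the chunk-size line without its CRLF. int(size, 16) accepts b"0x01" or
    # b"+a"; 1*HEXDIG does not. Extensions are still discarded, but only after they are
    # checked against the chunk-ext grammar, so stray CR/LF or other illegal bytes are refused.
    size, sep, ext = line.partition(b";")
    if not _HEXDIGITS.fullmatch(size):
        raise ValueError("chunk-size is not 1*HEXDIG: %r" % size)
    if sep and not _CHUNK_EXT.fullmatch(sep + ext):
        raise ValueError("malformed chunk-ext: %r" % (sep + ext))
    return int(size, 16)

def rejects(parser, value: bytes) -> bool:
    # True when the strict parser refuses the value.
    try:
        parser(value)
    except ValueError:
        return True
    return False

def lenient_only(values, base, strict):
    # Inputs that int(value, base) accepts but the strict parser rejects. Each one is a
    # value on which a lenient server and an RFC 7230-strict proxy could disagree.
    diverging = []
    for value in values:
        try:
            lenient = int(value, base)
        except ValueError:
            continue  # int() rejects it too, so both sides agree the request is invalid
        if rejects(strict, value):
            diverging.append((value, lenient))
    return diverging
```

Running `lenient_only` over constructed values such as `b"+10"` (base 10) or `b"0x01"` (base 16) lists exactly the forms the advisory names, which is the set a front-end proxy must reject for the two parsers to agree.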
--- Begin Message ---
Source: waitress
Source-Version: 2.1.1-1
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 09 May 2022 20:51:31 -0400
Source: waitress
Architecture: source
Version: 2.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1008013
Changes:
waitress (2.1.1-1) unstable; urgency=medium
.
[ Stefano Rivera ]
* Team upload.
* New upstream release.
- Resolves CVE-2022-24761 (Closes: #1008013)
* Build with pybuild's pyproject plugin.
* Run test suite at build time.
* Run test suite in autopkgtests.
* Bump Standards-Version to 4.6.0, no changes needed.
* Bump watch file version to 4.
* Update 01-fix-sphinxdoc-conf.patch to determine the upstream version from
the Debian changelog.
* Revert the -D html_last_updated_fmt approach to get sphinx to produce
reproducible docs, it supports SOURCE_DATE_EPOCH, these days.
.
[ Debian Janitor ]
* Bump debhelper from old 12 to 13.
* Update standards version to 4.5.1, no changes needed.
* Remove constraints unnecessary since buster:
+ Build-Depends: Drop versioned constraint on python3-all and
python3-setuptools.
--- End Message ---