Your message dated Thu, 26 May 2022 20:33:35 +0000
with message-id <[email protected]>
and subject line Bug#1008013: fixed in waitress 1.2.0~b2-2+deb10u1
has caused the Debian Bug report #1008013,
regarding waitress: CVE-2022-24761
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1008013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: waitress
Version: 1.4.4-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for waitress.

CVE-2022-24761[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and 3.
| When using Waitress versions 2.1.0 and prior behind a proxy that does
| not properly validate the incoming HTTP request matches the RFC7230
| standard, Waitress and the frontend proxy may disagree on where one
| request starts and where it ends. This would allow requests to be
| smuggled via the front-end proxy to waitress and later behavior. There
| are two classes of vulnerability that may lead to request smuggling
| that are addressed by this advisory: The use of Python's `int()` to
| parse strings into integers, leading to `+10` to be parsed as `10`, or
| `0x01` to be parsed as `1`, whereas the standard specifies that the
| string should contain only digits or hex digits; and Waitress does not
| support chunk extensions, however it was discarding them without
| validating that they did not contain illegal characters. This
| vulnerability has been patched in Waitress 2.1.1. A workaround is
| available. When deploying a proxy in front of waitress, turning on any
| and all functionality to make sure that the request matches the
| RFC7230 standard. Certain proxy servers may not have this
| functionality though and users are encouraged to upgrade to the latest
| version of waitress instead.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
[2] https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: waitress
Source-Version: 1.2.0~b2-2+deb10u1
Done: Stefano Rivera <[email protected]>

We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated waitress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 May 2022 22:42:07 -0400
Source: waitress
Architecture: source
Version: 1.2.0~b2-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Andrej Shadura <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1008013
Changes:
 waitress (1.2.0~b2-2+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Security updates to fix request smuggling bugs, when combined with another
     http proxy that interprets requests differently. This can lead to a
     potential for HTTP request smuggling/splitting whereby Waitress may see
     two requests while the front-end server only sees a single HTTP message.
     This can result in cache poisoning or unexpected information disclosure.
     The specific issues resolved are:
     - CVE-2019-16785: Only recognise CRLF as a line-terminator, not a plain
       LF. Before this change waitress could see two requests where the
       front-end proxy only saw one.
     - CVE-2019-16786: Waitress would parse the Transfer-Encoding header and
       only look for a single string value, if that value was not "chunked" it
       would fall through and use the Content-Length header instead.
       This could allow for Waitress to treat a single request as multiple
       requests in the case of HTTP pipelining.
     - CVE-2019-16789: Specially crafted requests containing special whitespace
       characters in the Transfer-Encoding header would get parsed by Waitress
       as being a chunked request, but a front-end server would use the
       Content-Length instead as the Transfer-Encoding header is considered
       invalid due to containing invalid characters.
       If a front-end server does HTTP pipelining to a backend Waitress server
       this could lead to HTTP request splitting which may lead to potential
       cache poisoning or unexpected information disclosure.
     - CVE-2019-16792: If two Content-Length headers are sent in a single
       request, Waitress would treat the request as having no body, thereby
       treating the body of the request as a new request in HTTP pipelining.
     - CVE-2022-24761: There are two classes of vulnerability that may lead to
       request smuggling that are addressed by this advisory:
       + The use of Python's int() to parse strings into integers, leading to
         +10 to be parsed as 10, or 0x01 to be parsed as 1, whereas the
         standard specifies that the string should contain only digits or hex
         digits.
       + Waitress does not support chunk extensions, however it was discarding
         them without validating that they did not contain illegal characters.
       (Closes: #1008013)
Checksums-Sha1:
 8dd87511156296e7408da902d6b31085a929da34 1643 waitress_1.2.0~b2-2+deb10u1.dsc
 100e289d1b0048cd91c9ac4cf31667d59d8bbbb4 156556 waitress_1.2.0~b2.orig.tar.gz
 3fd4378c31c8ecc5b41f2e477f4502f311c9a72d 22276 waitress_1.2.0~b2-2+deb10u1.debian.tar.xz
 11ebe5330963236a2bf45521d38e6e6f2cdd61b5 7400 waitress_1.2.0~b2-2+deb10u1_source.buildinfo
Checksums-Sha256:
 539e80539e1cc4f6518edca82851e8e66a400a8513b24ef448a09f0cb064f7a3 1643 waitress_1.2.0~b2-2+deb10u1.dsc
 cdd45fc341b4972ec9f51cf3477f41fc84832bcedc9467a4e6a35d35fdf3e245 156556 waitress_1.2.0~b2.orig.tar.gz
 fd474f3d5bc77b1b882f3137a73a090d0f0894a1c8714101124303c0cb2ecf26 22276 waitress_1.2.0~b2-2+deb10u1.debian.tar.xz
 eded290fa3dd43a83527c6b8cbd1738bca07e3dbf9476be42cc93c4824590dc7 7400 waitress_1.2.0~b2-2+deb10u1_source.buildinfo
Files:
 c4f3813bb1b6215738b486a4080d4cda 1643 python optional waitress_1.2.0~b2-2+deb10u1.dsc
 db9f9a12cf177fd3a6419205a0202f4d 156556 python optional waitress_1.2.0~b2.orig.tar.gz
 f1441c82cfed78a2c3c4c1abde9951d7 22276 python optional waitress_1.2.0~b2-2+deb10u1.debian.tar.xz
 ad7de420a58af500a2f5edd563f46371 7400 python optional waitress_1.2.0~b2-2+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYn7H+BQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2HDkAP9n2x4AaqJ6AzBai299e61Heg9H31nZ
+iyo3WeLVgLjOgD+JRKbybt+5dOj4tu7X42G6/tyYb5UfRErQln9qc7klws=
=s5dj
-----END PGP SIGNATURE-----

--- End Message ---
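Every entry in the changelog above, and the CVE-2022-24761 description in the first message, comes down to the same defensive point: a backend must parse the HTTP framing fields (Content-Length, Transfer-Encoding, chunk-size lines, line terminators) against the RFC 7230 grammar exactly, because any input the backend tolerates but the front-end proxy rejects (or vice versa) is a place where the two can disagree about message boundaries. The following is an added example, not code from Waitress or from the Debian package, that puts the permissive pattern the advisory names (handing the bytes to Python's `int()`) beside strict checks for each field. The function names, the simplified grammar (no transfer-parameters on codings) and all sample inputs are this example's own constructions.

```python
"""Strict RFC 7230 framing checks beside the permissive int() pattern.

Added example, not code from Waitress or the Debian package. The grammar is
the RFC 7230 ABNF, simplified for the example (no transfer-parameters):
  Content-Length = 1*DIGIT      chunk-size = 1*HEXDIG
  chunk-ext      = *( ";" token [ "=" ( token / quoted-string ) ] )
Lines end in CRLF only (section 3.5). All sample inputs are constructed.
"""
import re


class MalformedRequest(ValueError):
    """A field that does not match the grammar exactly; reject, never guess."""


DIGITS = re.compile(rb"[0-9]+")
HEXDIGITS = re.compile(rb"[0-9A-Fa-f]+")
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN_RE = re.compile(TOKEN)
# qdtext / quoted-pair limited to HTAB, SP and printable ASCII.
QUOTED_STRING = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
CHUNK_EXT_RE = re.compile(
    rb"(?:;" + TOKEN + rb"(?:=(?:" + TOKEN + rb"|" + QUOTED_STRING + rb"))?)*")


def lenient_size(raw, base):
    """The permissive pattern the advisory describes: hand the bytes to int().
    It tolerates a sign, surrounding whitespace, underscores and (base 16) a
    0x prefix. Returns None on ValueError so comparison() can show the gap."""
    try:
        return int(raw, base)
    except ValueError:
        return None


def strict_content_length(values):
    """values: every Content-Length value received, as bytes. Non-digit content
    is rejected; duplicates must agree (RFC 7230 section 3.3.2), and a
    conflict is an error rather than a fall-back to 'no body'."""
    parsed = set()
    for raw in values:
        if not DIGITS.fullmatch(raw):
            raise MalformedRequest(f"Content-Length is not 1*DIGIT: {raw!r}")
        parsed.add(int(raw))
    if len(parsed) != 1:
        raise MalformedRequest("missing or conflicting Content-Length")
    return parsed.pop()


def transfer_encoding_is_chunked(values):
    """Parse Transfer-Encoding as a comma list of tokens, allowing only SP/HTAB
    around them; any other whitespace makes the header invalid instead of
    being silently accepted. 'chunked' must be the final coding (3.3.3)."""
    codings = []
    for raw in values:
        for part in raw.split(b","):
            part = part.strip(b" \t")
            if not TOKEN_RE.fullmatch(part):
                raise MalformedRequest(f"illegal transfer-coding: {part!r}")
            codings.append(part.lower())
    if b"chunked" in codings[:-1]:
        raise MalformedRequest("chunked must be the last transfer-coding")
    return bool(codings) and codings[-1] == b"chunked"


def next_line(buf):
    """Split one line off buf. Only CRLF terminates a line; a bare LF before
    the CRLF is rejected rather than treated as a second line ending."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise MalformedRequest("no CRLF terminator")
    if b"\n" in buf[:end]:
        raise MalformedRequest("bare LF inside line")
    return buf[:end], buf[end + 2:]


def strict_chunk_size(line):
    """line: a chunk-size line including its CRLF. The hex digits and any chunk
    extension are validated; the extension is not simply discarded."""
    if not line.endswith(b"\r\n"):
        raise MalformedRequest("chunk-size line must end in CRLF")
    size, semi, ext = line[:-2].partition(b";")
    if not HEXDIGITS.fullmatch(size):
        raise MalformedRequest(f"chunk-size is not 1*HEXDIG: {size!r}")
    if semi and not CHUNK_EXT_RE.fullmatch(semi + ext):
        raise MalformedRequest(f"illegal chunk-ext: {ext!r}")
    return int(size, 16)


def rejects(fn, *args):
    """True if fn(*args) raises MalformedRequest."""
    try:
        fn(*args)
    except MalformedRequest:
        return True
    return False


def comparison():
    """Rows of (input, int(x, 10), int(x, 16), strict CL ok, strict chunk ok)
    for constructed inputs that int() accepts but the grammar does not."""
    return [(raw, lenient_size(raw, 10), lenient_size(raw, 16),
             not rejects(strict_content_length, [raw]),
             not rejects(strict_chunk_size, raw + b"\r\n"))
            for raw in (b"10", b"+10", b" 10", b"1_0", b"0x10")]


if __name__ == "__main__":
    for row in comparison():
        print(*row, sep="\t")
```

Running the script prints one row per constructed input; only the plain `10` passes both strict checks, while `int()` happily returns a number for `+10`, ` 10`, `1_0` and (base 16) `0x10`. The same strictness is what a front-end proxy's "enforce RFC 7230" option provides, which is why the advisory offers it as a workaround: the two parsers can only disagree on inputs that one of them tolerates.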
