Source: waitress
Version: 3.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for waitress.

CVE-2024-49769[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. When a remote client closes the connection before waitress has
| had the opportunity to call getpeername() waitress won't correctly
| clean up the connection leading to the main thread attempting to
| write to a socket that no longer exists, but not removing it from
| the list of sockets to attempt to process. This leads to a busy-loop
| calling the write function. A remote attacker could run waitress out
| of available sockets with very little resources required. Waitress
| 3.0.1 contains fixes that remove the race condition.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49769
    https://www.cve.org/CVERecord?id=CVE-2024-49769
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
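The failure mode the advisory describes, as an added illustration that is not waitress's code or part of this report: a socket whose peer has gone away before getpeername() must be closed and dropped from the tracked set, otherwise a write loop that keeps it in the table retries the dead socket on every pass. A never-connected TCP socket stands in for the reset connection, and `service_loop`, `leak_on_error` and `drop_on_error` are constructed stand-ins for a server's write loop and its two possible error handlers.

```python
import socket

def accept_connection(conns, sock):
    """Register an accepted socket, or close it if the peer is already gone.
    Returns the peer address, or None when the socket was discarded."""
    try:
        peer = sock.getpeername()
    except OSError:
        # The client reset the connection before we looked at it (ENOTCONN on
        # Linux/macOS). Release the fd now instead of tracking a dead socket.
        sock.close()
        return None
    conns[sock.fileno()] = sock
    return peer

def service_loop(conns, passes, on_write_error):
    """Bounded stand-in for the server's write loop. Returns how many writes
    to dead sockets were attempted across `passes` iterations."""
    failed = 0
    for _ in range(passes):
        for fd, sock in list(conns.items()):
            try:
                sock.send(b"x")
            except OSError:
                failed += 1
                on_write_error(conns, fd, sock)
    return failed

def leak_on_error(conns, fd, sock):
    """Vulnerable behaviour: the socket stays in the table and is retried."""

def drop_on_error(conns, fd, sock):
    """Fixed behaviour: close the socket and stop tracking it."""
    sock.close()
    del conns[fd]

def dead_socket():
    """A never-connected TCP socket is in the same CLOSED state as one whose
    peer sent RST before getpeername(), so it models the race offline."""
    return socket.socket(socket.AF_INET, socket.SOCK_STREAM)

def busy_loop_iterations(passes=200):
    """Dead socket that slipped into the table: (buggy retries, fixed retries)."""
    leaked, dropped = dead_socket(), dead_socket()
    buggy = service_loop({leaked.fileno(): leaked}, passes, leak_on_error)
    fixed = service_loop({dropped.fileno(): dropped}, passes, drop_on_error)
    leaked.close()
    return buggy, fixed
```

With the leaking handler the count equals the number of passes (the busy loop the advisory describes); with the cleanup handler the dead socket is written to once and then forgotten.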

