Source: waitress Version: 1.3.1-4 Severity: grave Tags: security upstream Hi,
The following vulnerability was published for waitress, filling a distinct bug for that as the already filled #947306 for two other CVEs as this one is only fixed in 1.4.1 upstream. CVE-2019-16789[0]: | In Waitress through version 1.4.0, if a proxy server is used in front | of waitress, an invalid request may be sent by an attacker that | bypasses the front-end and is parsed differently by waitress leading | to a potential for HTTP request smuggling. Specially crafted requests | containing special whitespace characters in the Transfer-Encoding | header would get parsed by Waitress as being a chunked request, but a | front-end server would use the Content-Length instead as the Transfer- | Encoding header is considered invalid due to containing invalid | characters. If a front-end server does HTTP pipelining to a backend | Waitress server this could lead to HTTP request splitting which may | lead to potential cache poisoning or unexpected information | disclosure. This issue is fixed in Waitress 1.4.1 through more strict | HTTP field validation. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-16789 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789 [1] https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
