Waitress 2.1.1 has been released.

This is a security bug fix release. It fixes three issues that may lead to
HTTP desync/HTTP request smuggling when Waitress is fronted by a load balancer
or proxy that does not parse HTTP requests the same way as Waitress.

We want to thank Jamie Slome (https://github.com/JamieSlome) of 418sec 
(https://github.com/418sec) for bringing this issue to our attention, and Zhang 
Zeyu (https://www.huntr.dev/users/zeyu2001/) for discovering and reporting the 
bug through huntr (https://www.huntr.dev/).

See the advisory:
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

The full change log is here:
https://docs.pylonsproject.org/projects/waitress/en/latest/#id1

Documentation:
https://docs.pylonsproject.org/projects/waitress/en/latest/

You can install it via PyPI:

  pip install waitress==2.1.1

Enjoy, and please report any issues you find to the issue tracker at
https://github.com/Pylons/waitress/issues

Thanks!

- Waitress core developers
