-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Dec 2019 17:33:13 +0000
Source: waitress
Binary: python-waitress python3-waitress python-waitress-doc
Architecture: source all
Version: 0.8.9-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Andrew Shadura <andrewsh@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-waitress - production-quality pure-Python WSGI server
 python-waitress-doc - production-quality pure-Python WSGI server (documentation)
 python3-waitress - production-quality pure-Python WSGI server (Python 3)
Closes: 947433
Changes:
 waitress (0.8.9-2+deb8u1) jessie-security; urgency=high
 .
   * CVE-2019-16789: Prevent a potential HTTP request smuggling vulnerability.
     If a proxy server is used in front of waitress, an invalid request may be
     sent by an attacker that bypasses the front-end and is parsed differently
     by waitress leading to a potential for request smuggling. Specially
     crafted requests containing special whitespace characters in the
     Transfer-Encoding header would get parsed by Waitress as being a chunked
     request, but a front-end server would use the Content-Length instead as
     the Transfer-Encoding header is considered invalid due to containing
     invalid characters. If a front-end server does HTTP pipelining to a
     backend Waitress server this could lead to HTTP request splitting which
     may lead to potential cache poisoning or information disclosure.
     (Closes: #947433)
Checksums-Sha1:
 f14bc1c2b0d9ec63f2881d8080b303e287663172 2045 waitress_0.8.9-2+deb8u1.dsc
 b5d27c096959ee39266a16bc5e2746f3358ad766 116869 waitress_0.8.9.orig.tar.gz
 b0060e1de85f97a3740321dbe379cf25d5998d8a 6336 waitress_0.8.9-2+deb8u1.debian.tar.xz
 0ad992d4735f7cc5db5ce80435020070edacd534 59856 python-waitress_0.8.9-2+deb8u1_all.deb
 bcac15094e48ba663978f68e3070229232ed3686 59932 python3-waitress_0.8.9-2+deb8u1_all.deb
 4fedb880e262f37913e570182402a1fb8854dce1 48144 python-waitress-doc_0.8.9-2+deb8u1_all.deb
Checksums-Sha256:
 f913f47df64fb6a3dc4fc2c7be0b8b7fe82ecc0fccdffa8a65b9a17dfdd15f91 2045 waitress_0.8.9-2+deb8u1.dsc
 bde2628518aeadda91245b30d931af62b00ef52104e7b90c3537aad4b603f91f 116869 waitress_0.8.9.orig.tar.gz
 2dae0cc86ee5f36e3738704f153ca54b83a834154cf142d88bb60eba4373022b 6336 waitress_0.8.9-2+deb8u1.debian.tar.xz
 e798147ee6808d3ac83316fec4f5843690b28679a4794c5c2678abe747bc25b1 59856 python-waitress_0.8.9-2+deb8u1_all.deb
 d6de2a563c43f417d049865b73f127e8526514c29c53d55d1c068a3d3e7b3acf 59932 python3-waitress_0.8.9-2+deb8u1_all.deb
 433153b3d3eb4bd3f4275e2899dce317881d80ea5223aa3340a84be92725a1be 48144 python-waitress-doc_0.8.9-2+deb8u1_all.deb
Files:
 a18f04c007d9ff490f7feef714be7485 2045 python optional waitress_0.8.9-2+deb8u1.dsc
 08a4f464b4c1cab4d0abdf1b0aa0e7b8 116869 python optional waitress_0.8.9.orig.tar.gz
 3086814051efd52249a43ee0d243188b 6336 python optional waitress_0.8.9-2+deb8u1.debian.tar.xz
 01be00fafbc83b5e509bd644b92d3b42 59856 python optional python-waitress_0.8.9-2+deb8u1_all.deb
 3514b07cc104f5d808a6770c73eb159b 59932 python optional python3-waitress_0.8.9-2+deb8u1_all.deb
 c3a105f5c7019188073a17cd9bbf1786 48144 doc optional python-waitress-doc_0.8.9-2+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl4MpCIACgkQHpU+J9Qx
HliLsA//aGNkqQ9zYLBn4d2a3r+xc6pjOY6p+tBHc13qtKopQl5zL228hYy0Unba
q3gfX0Pif2OsacPz1gmZormWpYI5Sx/s+lVmC7oIA4/tNJIc5PD41uYRgYVUuJXe
ApVhGr3ooUe5QaixeraiBH7xRGzq9gKKJ4BegEr3HhTUqRWSj0JUmsUowbVgs0iX
/ON0mJRMFMn+Uny5s7kQi2RnH9dFVBLuTBUvuYPMBevlmhXUWU/66fQgk+4CJKn8
lpt2c+b9nFXjsd6UMKdAF5HFTyUCJ4NTfNOegQfRRTB9muMODxPPR08+GGMBEuqH
MsCaH5Gb63/wdwliMKDCIq7ZnWoNNsElJQt2G71sTOLthYMu64lyLHNVlzITMhVl
BFTXuet32uRQjHyBCqUJOM33f/kGwfmy06k3qO2/Q9vGpbqsMUE4FRlc1WBNI4Q1
WpxMTESCB6gir1IWr1DwqDTBul7jbv66ZMaapHMWDkCMONBSagIt3lfFnROc01mE
OG0aH2e4//j3+3AhKKfdYCXUu/spwG045WSlmH0Er9JvSvHEitsXqcfZ6rXcCNim
k3epgDjYwS59xnyWbjFhRaQpxPLayuk81P+NKHXXN3OGJFTm5egeDRSPykMgimOj
ZAesO8vhveK3kzRycAZpyJaBeA3K9RIPTwQqvBicTaHCihxp/YI=
=5sVw
-----END PGP SIGNATURE-----