===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0017
                         waitress security update
                               2 January 2020
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           waitress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16789
Original Bulletin: https://www.debian.org/lts/security/2020/dla-2056

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : waitress
Version        : 0.8.9-2+deb8u1
Debian Bug     : #765126

It was discovered that there was an HTTP request smuggling vulnerability in
waitress, a pure-Python WSGI server. If a proxy server is used in front of
waitress, an attacker may send an invalid request that bypasses the
front-end and is parsed differently by waitress, leading to a potential for
request smuggling.

Specially crafted requests containing special whitespace characters in the
Transfer-Encoding header would be parsed by Waitress as a chunked request,
but a front-end server would use the Content-Length instead, as the
Transfer-Encoding header is considered invalid due to containing invalid
characters. If a front-end server does HTTP pipelining to a backend Waitress
server, this could lead to HTTP request splitting, which may lead to
potential cache poisoning or information disclosure.

For Debian 8 "Jessie", this issue has been fixed in waitress version
0.8.9-2+deb8u1.

We recommend that you upgrade your waitress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

Regards,

Chris Lamb
lamby@debian.org / chris-lamb.co.uk

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
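The defect the included Debian advisory describes is two parsers disagreeing about whether a request is chunked because one of them accepts whitespace that HTTP does not allow in the Transfer-Encoding header. The following Python example, added here and not part of the bulletin or of Waitress itself, shows a strict framing decision that accepts only RFC 7230 token characters, SP and HTAB in Transfer-Encoding, never falls back to Content-Length when that header is malformed, and refuses requests carrying both headers; the function names and the reject-both policy are this example's own assumptions.

```python
import re

# RFC 7230 token characters (tchar). HTTP optional whitespace (OWS) is only SP and HTAB.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Transfer-Encoding is a comma-separated list of transfer-coding tokens.
# Assumption of this example: transfer-parameters (e.g. ";q=1") are not accepted.
_TE_LIST = re.compile(rf"[ \t]*{_TOKEN}(?:[ \t]*,[ \t]*{_TOKEN})*[ \t]*")

def transfer_encoding_is_valid(value: str) -> bool:
    """True only if the raw header value matches the RFC 7230 grammar exactly.

    str.strip()/str.split() would also swallow characters such as \\x0b or
    \\x0c, which HTTP does not count as whitespace; accepting them is what
    lets a front-end and a back-end disagree about whether a request is chunked.
    """
    return _TE_LIST.fullmatch(value) is not None

def decide_framing(headers):
    """Decide body framing from a list of (name, value) header pairs.

    Returns ("chunked" | "content-length" | "none" | "reject", detail).
    Strict policy (an assumption of this example): never fall back from a
    malformed Transfer-Encoding to Content-Length, and refuse both together.
    """
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te:
        if not all(transfer_encoding_is_valid(v) for v in te):
            return ("reject", "malformed Transfer-Encoding")
        if cl:
            return ("reject", "both Transfer-Encoding and Content-Length present")
        codings = [c.strip(" \t").lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return ("reject", "final transfer-coding is not chunked")
        return ("chunked", codings)
    if cl:
        # Every copy must be the same plain ASCII digit string.
        if len(set(cl)) != 1 or not (cl[0].isascii() and cl[0].isdigit()):
            return ("reject", "conflicting or non-numeric Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", None)

if __name__ == "__main__":
    # Constructed samples: a well-formed chunked request, and one whose
    # Transfer-Encoding carries a vertical tab alongside a Content-Length.
    for hdrs in ([("Transfer-Encoding", "gzip, chunked")],
                 [("Transfer-Encoding", "chunked\x0b"), ("Content-Length", "5")]):
        print(hdrs, "->", decide_framing(hdrs))
```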