
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0017
                         waitress security update
                              2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           waitress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16789  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2056

- --------------------------BEGIN INCLUDED TEXT--------------------


Package        : waitress
Version        : 0.8.9-2+deb8u1
Debian Bug     : #765126

It was discovered that there was an HTTP request smuggling
vulnerability in waitress, a pure-Python WSGI server.

If a proxy server is used in front of waitress, an attacker may send
an invalid request that passes through the front-end but is parsed
differently by waitress, leading to a potential for request smuggling.

Specially crafted requests containing special whitespace characters
in the Transfer-Encoding header would be parsed by Waitress as chunked
requests, whereas a front-end server would treat the Transfer-Encoding
header as invalid (because of the disallowed characters) and use the
Content-Length header instead. If a front-end server pipelines HTTP
requests to a backend Waitress server, this disagreement could lead to
HTTP request splitting, which may in turn lead to cache poisoning or
information disclosure.
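The following is an added illustration, not code from waitress or from the advisory. It models the two parsing behaviours described above (a lenient parser that strips any whitespace from the Transfer-Encoding value and a strict RFC 7230 token parser), shows how they disagree on a constructed header, and gives a hardened framing rule that rejects an invalid or ambiguous Transfer-Encoding instead of falling back to Content-Length. Header names are assumed to be already lower-cased.

```python
import re

# Transfer-Encoding is a comma-separated list of transfer-coding tokens; the
# only whitespace RFC 7230 allows around each element is SP or HTAB.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def lenient_is_chunked(value: str) -> bool:
    """Model of a permissive parser (constructed here, not waitress's code):
    str.strip() with no argument also removes vertical tab, form feed and other
    whitespace, so 'chunked' followed by 0x0B is accepted as 'chunked'."""
    return "chunked" in [c.strip().lower() for c in value.split(",")]

def strict_transfer_codings(value: str):
    """Strict parser: trims only SP/HTAB and requires every element to be a
    valid token. Returns the list of codings, or None if the header is invalid."""
    codings = []
    for element in value.split(","):
        element = element.strip(" \t")
        if not _TOKEN.match(element):
            return None
        codings.append(element.lower())
    return codings

def framing_decision(headers: dict) -> str:
    """Hardened body-framing rule for a back end: an invalid Transfer-Encoding,
    or one combined with Content-Length, is rejected instead of silently
    falling back to Content-Length, so front end and back end can never
    disagree on where the body ends.
    Returns 'chunked', 'content-length', 'none' or 'reject'."""
    te = headers.get("transfer-encoding")
    if te is None:
        return "content-length" if "content-length" in headers else "none"
    codings = strict_transfer_codings(te)
    if codings is None or "content-length" in headers or codings[-1] != "chunked":
        return "reject"
    return "chunked"

def parsers_disagree(headers: dict) -> bool:
    """Detection helper: True when the lenient parser would see a chunked
    request while the strict one would not, i.e. the desync precondition."""
    te = headers.get("transfer-encoding")
    if te is None:
        return False
    strict = strict_transfer_codings(te)
    strict_chunked = strict is not None and strict[-1] == "chunked"
    return lenient_is_chunked(te) != strict_chunked

# Constructed sample request headers: a vertical tab (0x0B) after the coding.
SAMPLE = {"transfer-encoding": "chunked\x0b", "content-length": "4"}
```

For SAMPLE the lenient model reports a chunked request while the strict parser rejects the header, so `parsers_disagree` flags it and `framing_decision` returns 'reject'.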

For Debian 8 "Jessie", this issue has been fixed in waitress version
0.8.9-2+deb8u1.

We recommend that you upgrade your waitress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================