Bug 26014 - python-waitress new security issues CVE-2019-1678[569]
Summary: python-waitress new security issues CVE-2019-1678[569]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-04 21:04 CET by Zombie Ryushu
Modified: 2020-01-15 22:54 CET
CC List: 2 users

See Also:
Source RPM: python-waitress-1.2.1-1.mga7.src.rpm
CVE: CVE-2019-1678[569]
Status comment:



Zombie Ryushu 2020-01-04 21:05:46 CET

CVE: (none) => CVE-2019-16789

Comment 1 David Walser 2020-01-05 04:41:58 CET
Zombie, what's with the nonsensical bug titles lately?

Anyway, there are two other CVEs fixed in 1.4.0, and the referenced one is fixed in 1.4.2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433
https://lists.debian.org/debian-lts-announce/2020/01/msg00002.html
https://www.debian.org/lts/security/2019/dla-2056

CC: (none) => geiger.david68210, jani.valimaa
Summary: Waitress did not properly validate that the HTTP headers it received were properly formed => python-waitress new security issues CVE-2019-1678[569]
Version: 7 => Cauldron
Assignee: bugsquad => mageia
Whiteboard: (none) => MGA7TOO

Comment 2 David GEIGER 2020-01-06 08:15:36 CET
Done for both Cauldron and mga7!

Comment 3 David Walser 2020-01-06 11:58:05 CET
Advisory:
========================

Updated python-waitress packages fix security vulnerabilities:

If a front-end server does not parse header fields with an LF the same way as
it does those with a CRLF, it can lead to the front-end and the back-end server
parsing the same HTTP message in two different ways. This can lead to a
potential for HTTP request smuggling/splitting whereby Waitress may see two
requests while the front-end server only sees a single HTTP message
(CVE-2019-16785).

Waitress through version 1.3.1 would parse the Transfer-Encoding header and
only look for a single string value; if that value was not chunked, it would
fall through and use the Content-Length header instead. This could allow for
Waitress to treat a single request as multiple requests in the case of HTTP
pipelining (CVE-2019-16786).

In Waitress through version 1.4.0, if a proxy server is used in front of
waitress, an invalid request may be sent by an attacker that bypasses the
front-end and is parsed differently by waitress leading to a potential for HTTP
request smuggling. If a front-end server does HTTP pipelining to a backend
Waitress server this could lead to HTTP request splitting which may lead to
potential cache poisoning or unexpected information disclosure
(CVE-2019-16789).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
========================

Updated packages in core/updates_testing:
========================
python-waitress-1.4.2-1.mga7
python3-waitress-1.4.2-1.mga7

from python-waitress-1.4.2-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: mageia => qa-bugs
CVE: CVE-2019-16789 => CVE-2019-1678[569]
Source RPM: python-waitress => python-waitress-1.2.1-1.mga7.src.rpm
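
An added example, not from this bug report and not Waitress's own code: a strict framing check over a raw HTTP/1.1 request head that refuses the ambiguities the advisory above describes (a bare LF inside a header line, a Transfer-Encoding other than a lone chunked that would otherwise fall through to Content-Length, and a malformed field name such as whitespace before the colon) instead of guessing, which is what a hardened back-end parser should do. The function name classify, the TOKEN pattern and the sample request heads are constructed for this example.

```python
import re

# RFC 7230 token characters; a field name with anything else (e.g. a space
# before the colon) is malformed and rejected outright.
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

def classify(head: bytes) -> tuple:
    """(True, 'chunked'|'content-length'|'none') for an unambiguous head,
    or (False, reason) for one a back-end should refuse rather than guess."""
    if b"\r\n\r\n" not in head:
        return False, "incomplete request head"
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    # A bare LF or stray CR inside a line is a boundary a CRLF-only front-end
    # would not see but a lenient back-end would (CVE-2019-16785).
    if any(b"\n" in line or b"\r" in line for line in lines):
        return False, "bare LF or CR inside a header line"
    te_values, cl_values = [], []
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            return False, "malformed header field: %r" % line
        name, value = name.lower(), value.strip()
        if name == b"transfer-encoding":
            te_values += [v.strip().lower() for v in value.split(b",") if v.strip()]
        elif name == b"content-length":
            cl_values.append(value)
    if te_values and cl_values:
        return False, "Transfer-Encoding and Content-Length both present"
    if te_values:
        # Only a lone 'chunked' is accepted; any other coding, or a stacked
        # list, must not fall through to Content-Length (CVE-2019-16786).
        if te_values != [b"chunked"]:
            return False, "unsupported Transfer-Encoding: %r" % te_values
        return True, "chunked"
    if cl_values:
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            return False, "invalid or conflicting Content-Length"
        return True, "content-length"
    return True, "none"

# Constructed sample heads: two well formed, three with the ambiguities the
# advisory describes.
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: app\r\n\r\n",
    "chunked": b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: app\nContent-Length: 5\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nTransfer-Encoding: gzip, chunked\r\nContent-Length: 5\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nContent-Length : 5\r\n\r\n",
}
```

Running classify over each entry of SAMPLES shows the first two accepted and the remaining three refused with the reason a 400 response should carry.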

Comment 4 David Walser 2020-01-15 22:54:27 CET
Corrected Debian link:
https://www.debian.org/lts/security/2020/dla-2056
