Zombie, what's with the nonsensical bug titles lately?
Anyway, there are two other CVEs fixed in 1.4.0, and the referenced one is fixed in 1.4.2.
Waitress did not properly validate that the HTTP headers it received were properly formed =>
python-waitress new security issues CVE-2019-1678
Done for both Cauldron and mga7!
Updated python-waitress packages fix security vulnerabilities:
If a front-end server does not parse header fields with an LF the same way as
it does those with a CRLF it can lead to the front-end and the back-end server
parsing the same HTTP message in two different ways. This can lead to a
potential for HTTP request smuggling/splitting whereby Waitress may see two
requests while the front-end server only sees a single HTTP message.
Waitress through version 1.3.1 would parse the Transfer-Encoding header and
only look for a single string value; if that value was not chunked it would
fall through and use the Content-Length header instead. This could allow for
Waitress to treat a single request as multiple requests in the case of HTTP
In Waitress through version 1.4.0, if a proxy server is used in front of
waitress, an invalid request may be sent by an attacker that bypasses the
front-end and is parsed differently by waitress leading to a potential for HTTP
request smuggling. If a front-end server does HTTP pipelining to a backend
Waitress server this could lead to HTTP request splitting which may lead to
potential cache poisoning or unexpected information disclosure.
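A strict request-head check that a front-end proxy or a log-review script could apply to reject the ambiguous framings the three advisory texts above describe (bare-LF line endings, a Transfer-Encoding other than plain chunked, and Transfer-Encoding next to Content-Length). This is an added example in Python, not Waitress's or Mageia's code; the function name and the sample requests are constructed.

```python
import re

TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 tchar

def check_request_framing(raw: bytes) -> list[str]:
    """Return the framing problems found in one raw HTTP/1.1 request head.

    An empty list means the head is unambiguous with respect to the issues
    in the advisory; a front-end should reject anything that is not empty
    rather than forward it to a back-end that may parse it differently.
    """
    problems: list[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head is not terminated by CRLF CRLF"]
    # Any LF left after removing every CRLF is a bare LF: a lenient parser
    # treats it as a line break, a strict one folds it into the previous line.
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF used as a line terminator")
    te_values: list[bytes] = []
    cl_values: list[bytes] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            problems.append(f"malformed header line: {line!r}")
            continue
        lname = name.lower()
        if lname == b"transfer-encoding":
            te_values.append(value.strip().lower())
        elif lname == b"content-length":
            cl_values.append(value.strip())
    if len(te_values) > 1:
        problems.append("multiple Transfer-Encoding headers")
    for te in te_values:
        # Accept only the bare 'chunked' coding; anything else is exactly the
        # value the old parser fell through on, so treat it as ambiguous.
        if te != b"chunked":
            problems.append(f"Transfer-Encoding is not exactly 'chunked': {te!r}")
    if te_values and cl_values:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in cl_values:
        if not cl.isdigit():
            problems.append(f"non-numeric Content-Length: {cl!r}")
    return problems

# Constructed sample request heads (not captured traffic).
CLEAN = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 2\r\n\r\nhi"
BARE_LF = b"POST /x HTTP/1.1\r\nHost: a\nContent-Length: 2\r\n\r\nhi"
TE_NOT_CHUNKED = b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: gzip\r\nContent-Length: 2\r\n\r\nhi"
```

Note that in BARE_LF the Content-Length header never reaches the header loop at all: it is swallowed into the Host value, which is precisely the disagreement between parsers the first advisory describes.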
Updated packages in core/updates_testing:
Corrected Debian link: