Bug 26014 - python-waitress new security issues CVE-2019-1678[569]
Summary: python-waitress new security issues CVE-2019-1678[569]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-04 21:04 CET by Zombie Ryushu
Modified: 2020-07-14 22:48 CEST

See Also:
Source RPM: python-waitress-1.2.1-1.mga7.src.rpm
CVE: CVE-2019-1678[569]
Status comment:



Zombie Ryushu 2020-01-04 21:05:46 CET

CVE: (none) => CVE-2019-16789

Comment 1 David Walser 2020-01-05 04:41:58 CET
Zombie, what's with the nonsensical bug titles lately?

Anyway, there are two other CVEs fixed in 1.4.0, and the referenced one is fixed in 1.4.2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433
https://lists.debian.org/debian-lts-announce/2020/01/msg00002.html
https://www.debian.org/lts/security/2019/dla-2056

CC: (none) => geiger.david68210, jani.valimaa
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => mageia
Version: 7 => Cauldron
Summary: Waitress did not properly validate that the HTTP headers it received were properly formed => python-waitress new security issues CVE-2019-1678[569]

Comment 2 David GEIGER 2020-01-06 08:15:36 CET
Done for both Cauldron and mga7!
Comment 3 David Walser 2020-01-06 11:58:05 CET
Advisory:
========================

Updated python-waitress packages fix security vulnerabilities:

If a front-end server does not parse header fields with an LF the same way as
it does those with a CRLF, it can lead to the front-end and the back-end server
parsing the same HTTP message in two different ways. This can lead to a
potential for HTTP request smuggling/splitting, whereby Waitress may see two
requests while the front-end server only sees a single HTTP message
(CVE-2019-16785).

Waitress through version 1.3.1 would parse the Transfer-Encoding header and
only look for a single string value; if that value was not chunked, it would
fall through and use the Content-Length header instead. This could allow
Waitress to treat a single request as multiple requests in the case of HTTP
pipelining (CVE-2019-16786).

In Waitress through version 1.4.0, if a proxy server is used in front of
Waitress, an invalid request may be sent by an attacker that bypasses the
front-end and is parsed differently by Waitress, leading to a potential for HTTP
request smuggling. If a front-end server does HTTP pipelining to a backend
Waitress server, this could lead to HTTP request splitting, which may lead to
potential cache poisoning or unexpected information disclosure
(CVE-2019-16789).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
========================

Updated packages in core/updates_testing:
========================
python-waitress-1.4.2-1.mga7
python3-waitress-1.4.2-1.mga7

from python-waitress-1.4.2-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Source RPM: python-waitress => python-waitress-1.2.1-1.mga7.src.rpm
Version: Cauldron => 7
Assignee: mageia => qa-bugs
CVE: CVE-2019-16789 => CVE-2019-1678[569]
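The three parsing disagreements the advisory names (bare LF line endings, a non-chunked Transfer-Encoding value falling through to Content-Length, and conflicting framing headers) can be checked mechanically at the front end. The validator below is an example added to this report, not Waitress code and not part of the advisory; the request samples in SAMPLES are constructed for it, and the policy of accepting only a lone "chunked" coding is this example's own choice.

```python
"""Strict HTTP/1.1 request-header checks of the kind the advisory describes.

Added example (not Waitress code): reject any request whose framing a
front end and a back end could read differently, so that both always agree
on where one message ends and the next begins.
"""


def split_head(raw):
    """Return (request_line, header_lines) or raise ValueError.

    Only CRLF is accepted as a line terminator. A bare LF is rejected
    rather than tolerated, because a front end that tolerates it and a
    back end that does not (or vice versa) see different messages.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    if b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("bare LF inside header block")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def parse_headers(lines):
    """Fold header lines into {lowercase-name: [values...]}, keeping repeats.

    Whitespace between the field name and the colon is rejected, since
    servers disagree on whether such a line names the header at all.
    """
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def framing_of(headers):
    """Decide how the body is framed, refusing any ambiguous combination.

    Returns "chunked", ("length", n) or "none".
    """
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        # Look at every coding in every repeated header, not just the first
        # string value; a value other than a lone "chunked" is not allowed to
        # fall through to Content-Length (the behaviour CVE-2019-16786 names).
        codings = [c.strip().lower() for v in te for c in v.split(b",") if c.strip()]
        if codings != [b"chunked"]:
            raise ValueError("unsupported or ambiguous Transfer-Encoding: %r" % te)
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("conflicting or non-numeric Content-Length: %r" % cl)
        return ("length", int(cl[0]))
    return "none"


def check_request(raw):
    """Full check: returns the framing decision or raises ValueError."""
    _request_line, lines = split_head(raw)
    return framing_of(parse_headers(lines))


def verdict(raw):
    """("accept", framing) or ("reject", reason) for one raw request."""
    try:
        return ("accept", check_request(raw))
    except ValueError as exc:
        return ("reject", str(exc))


def audit(samples):
    """Map each sample name to "accept" or "reject"."""
    return {name: verdict(raw)[0] for name, raw in samples.items()}


# Constructed sample requests: two well-formed, four with the ambiguities
# the advisory describes.
SAMPLES = {
    "clean_length": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "clean_chunked": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\nhello",
    "te_not_chunked": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: identity\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-20s %s" % (name, verdict(raw)))
```

Run as a script it prints one verdict per sample; the two clean requests are accepted with their framing, the other four are rejected with the reason. A real front end would apply the same rule before forwarding, so that a request it cannot frame unambiguously never reaches the back end at all.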

Comment 4 David Walser 2020-01-15 22:54:27 CET
Corrected Debian link:
https://www.debian.org/lts/security/2020/dla-2056
Comment 5 Herman Viaene 2020-01-28 14:41:24 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
No previous updates on this, so tried to get some info from https://docs.pylonsproject.org/projects/waitress/en/stable/
but this is developer's stuff over my top.
$ waitress-serve --help
Usage:

    waitress-serve [OPTS] MODULE:OBJECT

Standard options:

    --help
        Show this information.

    --call
        Call the given object to get the WSGI application.

    --host=ADDR
        Hostname or IP address on which to listen, default is '0.0.0.0',
        which means "all IP addresses on this host".

        Note: May not be used together with --listen

    --port=PORT
        TCP port on which to listen, default is '8080'

        Note: May not be used together with --listen

    --listen=ip:port
        Tell waitress to listen on an ip port combination.

        Example:

            --listen=127.0.0.1:8080
            --listen=[::1]:8080
            --listen=*:8080
etc.....
$ waitress-serve --listen=127.0.0.1:8080
Error: Specify one application only
I have no clue as to "MODULE:OBJECT" (well, I understand the general terms, but what these would have to be in this case.......)
Waiting for other info, before deciding on OK on clean install.

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2020-02-11 19:22:24 CET
Trying to help here Herman but got into a "chicken and egg" situation because of lack of familiarity with python and WSGI.

Tried to find out what WSGI means:
Web Server Gateway Interface. ... It is used to forward requests from a web server (such as Apache or NGINX) to a backend Python web application or framework.  Which does not help much.

Found a reference to wsgiapp.py on GitHub - gunicorn.
Used pip to install gunicorn then
$ waitress-serve --listen=localhost:8080 gunicorn:wsgiapp
Error: Bad module 'gunicorn'

and then a Usage listing
finishing off with:
There was an exception (ImportError) importing your module.
It had these arguments: 
1. No module named gunicorn

$ locate gunicorn
/usr/lib/python3.7/site-packages/ansible/modules/web_infrastructure/gunicorn.py
/usr/lib/python3.7/site-packages/ansible/modules/web_infrastructure/__pycache__/gunicorn.cpython-37.opt-1.pyc
/usr/lib/python3.7/site-packages/ansible/modules/web_infrastructure/__pycache__/gunicorn.cpython-37.pyc

Had a look at the wsgiapp.py code and saw this in the run() function:
    The ``gunicorn`` command line runner for launching Gunicorn with
    generic WSGI applications.

Don't have a clue what all this is about.
Not our territory Herman.  Send it on.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2020-02-11 19:42:02 CET
Installed python{,3}-gunicorn and ran that last command again and this time succeeded in finding gunicorn but failed on the attribute 'wsgiapp'.
So, still clueless.
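For the MODULE:OBJECT argument, waitress-serve wants a Python module and the name of a WSGI callable inside it. The file below is an example added here (it is not from the bug report or from the Waitress project): saved as hello.py, it can be started with `waitress-serve --listen=127.0.0.1:8080 hello:app`, or run directly with `python3 hello.py`, and then answers `curl http://127.0.0.1:8080/anything` with the method and path it received. The file name hello.py and the callable name app are this example's own choices.

```python
"""Minimal WSGI application for trying out waitress-serve.

Added example, not from the bug report. Either:
    waitress-serve --listen=127.0.0.1:8080 hello:app
or:
    python3 hello.py
"""


def app(environ, start_response):
    """WSGI callable: reply with the request method and path as text/plain."""
    body = ("%s %s\n" % (environ["REQUEST_METHOD"],
                         environ.get("PATH_INFO", "/"))).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call_app(method, path):
    """Invoke app() in-process with a minimal environ; returns (status, body).

    Lets the callable be exercised without a listening socket.
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path},
                        start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Same as the waitress-serve command line above, started from Python.
    from waitress import serve
    serve(app, listen="127.0.0.1:8080")
```

The import of waitress sits under the `__main__` guard on purpose: waitress-serve imports the module itself and only needs the callable, and call_app() lets the callable be checked without starting a server.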
Comment 8 Thomas Andrews 2020-02-11 21:47:36 CET
Thanks for giving it a good shot, guys.

I'm sending this on, on the basis of a clean install.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-02-13 11:13:41 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-02-13 11:50:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
