30248 – python-waitress new security issue CVE-2022-24761

Bug 30248 - python-waitress new security issue CVE-2022-24761

Summary: python-waitress new security issue CVE-2022-24761

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-04-05 18:05 CEST by David Walser
Modified:	2022-05-15 12:08 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	python-waitress-2.0.0-3.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-04-05 18:05:06 CEST

Ubuntu has issued an advisory today (April 5):
https://ubuntu.com/security/notices/USN-5364-1

The issue is fixed upstream in 2.1.1.

Mageia 8 is also affected.

David Walser 2022-04-05 18:05:15 CEST

Status comment: (none) => Fixed upstream in 2.1.1
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-11 21:17:49 CEST

Updated package uploaded for Mageia 8 and Cauldron by papoteur.

Mageia 8 RPM:
python3-waitress-2.1.1-1.mga8

from python-waitress-2.1.1-1.mga8.src.rpm

Assignee: python => qa-bugs
Status comment: Fixed upstream in 2.1.1 => (none)
Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Whiteboard: MGA8TOO => (none)

Comment 2 papoteur 2022-05-11 21:22:46 CEST

This module is called by ceph-mgr.
I add Chris as he is the maintainer of ceph.

CC: (none) => eatdirt

Comment 3 Herman Viaene 2022-05-12 14:44:41 CEST

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Had a quick look at papoteur's suggestion on ceph-mgr, but this deeloper's territory.
As in previous update bug 26014, OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-05-13 14:37:23 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 papoteur 2022-05-13 15:01:05 CEST

Advisory
=========================
When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python’s `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1
https://ubuntu.com/security/CVE-2022-24761
==================

Dave Hodgins 2022-05-15 00:29:32 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-15 12:08:01 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0182.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.