Bug 33819 - python-waitress new security issues CVE-2024-49768 and CVE-2024-49769
Summary: python-waitress new security issues CVE-2024-49768 and CVE-2024-49769
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-29 15:42 CET by Nicolas Salguero
Modified: 2025-02-12 07:38 CET

See Also:
Source RPM: python-waitress-2.1.2-1.mga9.src.rpm
CVE: CVE-2024-49768, CVE-2024-49769
Status comment:



Description Nicolas Salguero 2024-11-29 15:42:53 CET
SUSE has issued an advisory on November 1:
https://lists.suse.com/pipermail/sle-security-updates/2024-November/019754.html
Nicolas Salguero 2024-11-29 15:43:54 CET

Status comment: (none) => Fixed upstream in 3.0.1 and patch available from openSUSE
Source RPM: (none) => python-waitress-3.0.0-1.mga10.src.rpm, python-waitress-2.1.2-1.mga9.src.rpm
CVE: (none) => CVE-2024-49769
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-11-29 15:48:16 CET
Patches in https://ftp.belnet.be//mirror/ftp.opensuse.org/opensuse/update/leap/15.5/sle/src/python-waitress-2.1.2-150400.12.7.1.src.rpm

CVE: CVE-2024-49769 => CVE-2024-49768, CVE-2024-49769
Summary: python-waitress new security issue CVE-2024-49769 => python-waitress new security issues CVE-2024-49768 and CVE-2024-49769
Status comment: Fixed upstream in 3.0.1 and patch available from openSUSE => Fixed upstream in 3.0.1 and patches available from openSUSE

Comment 2 Lewis Smith 2024-11-29 21:13:06 CET
Thanks for the patch ref.
Assigning to Python group.

Assignee: bugsquad => python

Comment 3 Nicolas Salguero 2025-02-10 14:53:43 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Waitress has a request processing race condition in HTTP pipelining with an invalid first request. (CVE-2024-49768)

Waitress has a denial of service leading to high CPU usage/resource exhaustion. (CVE-2024-49769)

References:
https://lists.suse.com/pipermail/sle-security-updates/2024-November/019754.html
========================

Updated package in core/updates_testing:
========================
python3-waitress-2.1.2-1.1.mga9

from SRPM:
python-waitress-2.1.2-1.1.mga9.src.rpm

Assignee: python => qa-bugs
Source RPM: python-waitress-3.0.0-1.mga10.src.rpm, python-waitress-2.1.2-1.mga9.src.rpm => python-waitress-2.1.2-1.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 3.0.1 and patches available from openSUSE => (none)
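
As an added example (not part of this bug report, of the Mageia QA tooling or of waitress itself), the following Python script checks whether the python3-waitress package installed on a host is at or above the fixed EVR named in the advisory above, so a fleet can be audited before and after the update is applied. The fixed versions (2.1.2-1.1.mga9 for Mageia 9, 3.0.1 upstream) are taken from this report; the version comparison is a re-implementation of rpm's rpmvercmp() segment rules written for this example (the '^' operator is treated as a plain separator), and the rpm query format, the package name and the assumption that the package carries no epoch are my own.

```python
import re
import subprocess

# Fixed versions from the bug report (page data, not assumptions):
FIXED_MGA9_EVR = "2.1.2-1.1.mga9"   # python3-waitress update for Mageia 9
FIXED_UPSTREAM = "3.0.1"            # first upstream release fixing both CVEs

_SEG_RE = {True: re.compile(r"[0-9]+"), False: re.compile(r"[A-Za-z]+")}


def _is_segment_char(c):
    # rpm uses C-locale isalnum(); '~' is significant, everything else separates.
    return c == "~" or "0" <= c <= "9" or ("a" <= c.lower() <= "z")


def rpmvercmp(a, b):
    """Re-implementation (for this example) of rpm's rpmvercmp() ordering.

    Strings are split into runs of digits and runs of letters; numeric
    segments compare numerically and always beat alphabetic ones; '~'
    sorts before everything else (pre-release); leftover characters win.
    Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_segment_char(a[i]):
            i += 1
        while j < len(b) and not _is_segment_char(b[j]):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = "0" <= a[i] <= "9"
        seg_a = _SEG_RE[isnum].match(a, i).group(0)
        m_b = _SEG_RE[isnum].match(b, j)
        if m_b is None:
            # Different segment types: numeric is always newer than alpha.
            return 1 if isnum else -1
        seg_b = m_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(installed, fixed):
    """Order two EVR strings: epoch, then version, then release. The release
    is only compared when both sides carry one, so a bare upstream version
    such as '3.0.1' can serve as the reference."""
    e1, v1, r1 = split_evr(installed)
    e2, v2, r2 = split_evr(fixed)
    for x, y in ((e1, e2), (v1, v2)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return rpmvercmp(r1, r2) if (r1 and r2) else 0


def is_fixed(installed_evr, fixed_evr=FIXED_MGA9_EVR):
    """True when the installed EVR is at or above the fixed one."""
    return compare_evr(installed_evr, fixed_evr) >= 0


def query_installed_evr(package="python3-waitress"):
    """Ask the local rpm database for VERSION-RELEASE of the package.
    Assumption: the package has no epoch. Returns None if rpm is missing
    or the package is not installed."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    evr = query_installed_evr()
    if evr is None:
        print("python3-waitress not installed (or rpm not available)")
    else:
        state = "fixed" if is_fixed(evr) else "VULNERABLE"
        print(f"python3-waitress {evr}: {state} (fixed in {FIXED_MGA9_EVR})")
```

Run it on the host after `urpmi python3-waitress` from updates_testing; the pre-update package 2.1.2-1.mga9 reports VULNERABLE and 2.1.2-1.1.mga9 reports fixed. Pass FIXED_UPSTREAM as the second argument of is_fixed() to audit a pip-installed waitress against the upstream fix instead of the Mageia release.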

katnatek 2025-02-10 20:07:34 CET

Keywords: (none) => advisory

Comment 4 katnatek 2025-02-10 21:14:43 CET
RH x86_64

installing python3-waitress-2.1.2-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-waitress      ##################################################################################################
      1/1: removing python3-waitress-2.1.2-1.mga9.noarch
                                 ##################################################################################################

Reference
https://bugs.mageia.org/show_bug.cgi?id=30248#c3

OK on clean install

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-02-11 16:34:01 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2025-02-12 07:38:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0053.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

