-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 May 2022 22:42:07 -0400
Source: waitress
Binary: python-waitress python-waitress-doc python3-waitress
Architecture: all
Version: 1.2.0~b2-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Stefano Rivera
Description:
 python-waitress - production-quality pure-Python WSGI server
 python-waitress-doc - production-quality pure-Python WSGI server (documentation)
 python3-waitress - production-quality pure-Python WSGI server (Python 3)
Closes: 1008013
Changes:
 waitress (1.2.0~b2-2+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Security updates to fix request smuggling bugs, when combined with
     another http proxy that interprets requests differently. This can
     lead to a potential for HTTP request smuggling/splitting whereby
     Waitress may see two requests while the front-end server only sees
     a single HTTP message. This can result in cache poisoning or
     unexpected information disclosure. The specific issues resolved are:
     - CVE-2019-16785: Only recognise CRLF as a line-terminator, not a
       plain LF. Before this change waitress could see two requests where
       the front-end proxy only saw one.
     - CVE-2019-16786: Waitress would parse the Transfer-Encoding header
       and only look for a single string value; if that value was not
       "chunked" it would fall through and use the Content-Length header
       instead. This could allow for Waitress to treat a single request
       as multiple requests in the case of HTTP pipelining.
     - CVE-2019-16789: Specially crafted requests containing special
       whitespace characters in the Transfer-Encoding header would get
       parsed by Waitress as being a chunked request, but a front-end
       server would use the Content-Length instead as the
       Transfer-Encoding header is considered invalid due to containing
       invalid characters. If a front-end server does HTTP pipelining to
       a backend Waitress server this could lead to HTTP request
       splitting which may lead to potential cache poisoning or
       unexpected information disclosure.
     - CVE-2019-16792: If two Content-Length headers are sent in a single
       request, Waitress would treat the request as having no body,
       thereby treating the body of the request as a new request in HTTP
       pipelining.
     - CVE-2022-24761: There are two classes of vulnerability that may
       lead to request smuggling that are addressed by this advisory:
       + The use of Python's int() to parse strings into integers,
         leading to +10 to be parsed as 10, or 0x01 to be parsed as 1,
         whereas the standard specifies that the string should contain
         only digits or hex digits.
       + Waitress does not support chunk extensions, however it was
         discarding them without validating that they did not contain
         illegal characters. (Closes: #1008013)
Checksums-Sha1:
 de7d45829fe8cbe3869ab8d6083f09361d126b48 57400 python-waitress-doc_1.2.0~b2-2+deb10u1_all.deb
 348ae50bdfd4f6fdb68e9ba568d4accbc4f08699 80120 python-waitress_1.2.0~b2-2+deb10u1_all.deb
 441a331092097ca19a1304b9fc043f3ddbf0fbc3 80160 python3-waitress_1.2.0~b2-2+deb10u1_all.deb
 92632daa39d101c4c029442e636ffa1aaaa40961 8002 waitress_1.2.0~b2-2+deb10u1_all-buildd.buildinfo
Checksums-Sha256:
 fa8434f14c9715b23a3edf3591cc7d7056d80bef67b1cd7f8de9de72915b2293 57400 python-waitress-doc_1.2.0~b2-2+deb10u1_all.deb
 2ed46356873cb057341ff3a8aa47a8e612fbf3d2ddbdce181cbacdf029f6a557 80120 python-waitress_1.2.0~b2-2+deb10u1_all.deb
 9cb39aff1df02aadda46b49198b2466c6062031575b8d0732b785ed3c1515816 80160 python3-waitress_1.2.0~b2-2+deb10u1_all.deb
 442edffc46fc0fca9913bf4ea658140e6918fd562a9e6058485aa60a49a82ab7 8002 waitress_1.2.0~b2-2+deb10u1_all-buildd.buildinfo
Files:
 cb46fa9daf0a18995986cd385a346b73 57400 doc optional python-waitress-doc_1.2.0~b2-2+deb10u1_all.deb
 8991ea20df96d77814742f6190341ece 80120 python optional python-waitress_1.2.0~b2-2+deb10u1_all.deb
 76b3ef0d9ad4dd28b6ac0b19ceca343a 80160 python optional python3-waitress_1.2.0~b2-2+deb10u1_all.deb
 260f3912df06b8e64597ccb2a336273b 8002 python optional waitress_1.2.0~b2-2+deb10u1_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfA7dsu0ZDzzHaw+5NX/smi6DkKgFAmJ+zRAACgkQNX/smi6D
kKjlIRAAkZmlkRBnp0Nr3/F/vk2BppWRiBKlmtiFQjQGwbm9xX0ZIi81OjG7lc/+
2bsFbo7IZWNliI8Q24UVReCFV7IEVQj8RCRg9vKcR3RnscqQZ38FbS3xw/pDP4ki
wkZ/Sju2cu1vEXCpYJHdaCzoLQR+k/eWHs9btKgQwLnwv8wcec74ERSRYCVctkOs
Fku9sbhypMpZWMo+hneifGshPArAdPQDSF2kwO9tDwfNITt6Clt0EfuMclMYM4oa
UcT5EyItoVZisWtNy4mEBExyEjohMIWTcPgIw4qd8Mq3EfkO2ssFVi5KRV91gdtr
xg6jzen6nwrdnVmDSzRtF2iatzHQ1gj2uStrroCAdCwjVecfWLUcYf4jt/Sucdx8
tYkXpAl/C6iEcMVuYiWaI6FVrydJlsCGROpj31nxGPwzjN5d9XjPtYpqNppw/wdB
mhWfo2b5/GthOkbx+oX4GOfFCvY26FRrIwUy88d5Fyn1tFaipigvZqPUMt9WNW0w
ECXE9ejeTMdm/AF12zHeVVbyHiHQ4cR5WmRbGedk9CuG49+Rh887Yx0bLahjs2zi
KW4JVOGkGdcj8QR51AAYxI5L+guKB5sTUcgP509E9NkHlA45UpG6syXRIIblQ5al
dslwc0XCtY+6zAIWkG7y6QyJ966uVjXZsxlwq9/po67uSFo8M9A=
=u9up
-----END PGP SIGNATURE-----