From fb396095fb2e36b687ef375da1ab9109e611a630bfc022e5003940aa9e5f1ae8 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Thu, 17 Mar 2022 17:48:05 +0000 Subject: [PATCH] =?UTF-8?q?-=20update=20to=202.1.1=20(bsc#1197255,=20CVE-2?= =?UTF-8?q?022-24761):=20=20=20*=20Waitress=20now=20validates=20that=20chu?= =?UTF-8?q?nked=20encoding=20extensions=20are=20valid,=20and=20don?= =?UTF-8?q?=E2=80=99t=20=20=20=20=20contain=20invalid=20characters=20that?= =?UTF-8?q?=20are=20not=20allowed.=20They=20are=20still=20skipped/not=20?= =?UTF-8?q?=20=20=20=20processed,=20but=20if=20they=20contain=20invalid=20?= =?UTF-8?q?data=20we=20no=20longer=20continue=20in=20and=20return=20=20=20?= =?UTF-8?q?=20=20a=20400=20Bad=20Request.=20This=20stops=20potential=20HTT?= =?UTF-8?q?P=20desync/HTTP=20request=20smuggling.=20=20=20=20=20Thanks=20t?= =?UTF-8?q?o=20Zhang=20Zeyu=20for=20reporting=20this=20issue.=20See=20=20?= =?UTF-8?q?=20=20=20https://github.com/Pylons/waitress/security/advisories?= =?UTF-8?q?/GHSA-4f7p-27jc-3c36=20=20=20*=20Waitress=20now=20validates=20t?= =?UTF-8?q?hat=20the=20chunk=20length=20is=20only=20valid=20hex=20digits?= =?UTF-8?q?=20when=20=20=20=20=20parsing=20chunked=20encoding,=20and=20val?= =?UTF-8?q?ues=20such=20as=200x01=20and=20+01=20are=20no=20longer=20=20=20?= =?UTF-8?q?=20=20supported.=20This=20stops=20potential=20HTTP=20desync/HTT?= =?UTF-8?q?P=20request=20smuggling.=20Thanks=20=20=20=20=20to=20Zhang=20Ze?= =?UTF-8?q?yu=20for=20reporting=20this=20issue.=20See=20=20=20=20=20https:?= =?UTF-8?q?//github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc?= =?UTF-8?q?-3c36=20=20=20*=20Waitress=20now=20validates=20that=20the=20Con?= =?UTF-8?q?tent-Length=20sent=20by=20a=20remote=20contains=20only=20=20=20?= =?UTF-8?q?=20=20digits=20in=20accordance=20with=20RFC7230=20and=20will=20?= =?UTF-8?q?return=20a=20400=20Bad=20Request=20when=20the=20=20=20=20=20Con?= =?UTF-8?q?tent-Length=20header=20contains=20invalid=20data,=20such=20as?= =?UTF-8?q?=20+10=20which=20would=20=20=20=20=20previously=20get=20parsed?= 
=?UTF-8?q?=20as=2010=20and=20accepted.=20This=20stops=20potential=20HTTP?= =?UTF-8?q?=20=20=20=20=20desync/HTTP=20request=20smuggling=20Thanks=20to?= =?UTF-8?q?=20Zhang=20Zeyu=20for=20reporting=20this=20issue.=20=20=20=20?= =?UTF-8?q?=20See=20=20=20=20=20https://github.com/Pylons/waitress/securit?= =?UTF-8?q?y/advisories/GHSA-4f7p-27jc-3c36?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=50
---
python-waitress.changes | 23 +++++++++++++++++++++++ python-waitress.spec | 6 +++--- waitress-2.0.0.tar.gz | 3 --- waitress-2.1.1.tar.gz | 3 +++ 4 files changed, 29 insertions(+), 6 deletions(-) delete mode 100644 waitress-2.0.0.tar.gz create mode 100644 waitress-2.1.1.tar.gz
diff --git a/python-waitress.changes b/python-waitress.changes
index 69d33c9..3c09994 100644
--- a/python-waitress.changes
+++ b/python-waitress.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Thu Mar 17 17:42:42 UTC 2022 - Dirk Müller
+
+- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
+ * Waitress now validates that chunked encoding extensions are valid, and don’t
+ contain invalid characters that are not allowed. They are still skipped/not
+ processed, but if they contain invalid data we no longer continue in and return
+ a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
+ Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+ * Waitress now validates that the chunk length is only valid hex digits when
+ parsing chunked encoding, and values such as 0x01 and +01 are no longer
+ supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
+ to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+ * Waitress now validates that the Content-Length sent by a remote contains only
+ digits in accordance with RFC7230 and will return a 400 Bad Request when the
+ Content-Length header contains invalid data, such as +10 which would
+ previously get parsed as 10 and accepted. This stops potential HTTP
+ desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue.
+ See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
 -------------------------------------------------------------------
 Fri Aug 27 12:27:31 UTC 2021 - Stefan Schubert
diff --git a/python-waitress.spec b/python-waitress.spec
index bb6e0ca..c6a64a8 100644
--- a/python-waitress.spec
+++ b/python-waitress.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package python-waitress
+# spec file
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
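Review bot: The rewritten header line `# spec file` in the python-waitress.spec hunk drops the package name that the removed line `# spec file for package python-waitress` carried, so the header no longer says which package the file belongs to. Nothing in the commit message explains that edit, so it looks like an artefact of an automatic spec-formatting pass rather than an intentional change. Keep the name on the header, `# spec file for package python-waitress`, and leave the copyright-year bump on the next changed line as it is.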
@@ -33,7 +33,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: python-waitress%{psuffix}
-Version: 2.0.0
+Version: 2.1.1
 Release: 0
 Summary: Waitress WSGI server
 License: ZPL-2.1
diff --git a/waitress-2.0.0.tar.gz b/waitress-2.0.0.tar.gz
deleted file mode 100644
index 9f3f7ff..0000000
--- a/waitress-2.0.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:69e1f242c7f80273490d3403c3976f3ac3b26e289856936d1f620ed48f321897
-size 175641
diff --git a/waitress-2.1.1.tar.gz b/waitress-2.1.1.tar.gz
new file mode 100644
index 0000000..856e7e1
--- /dev/null
+++ b/waitress-2.1.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2e60576cf14a1539da79f7b7ee1e79a71e64f366a0b47db54a15e971f57bb16
+size 178336