From 21eaa3dbfbea3fc8401628a87fe9e1219005d4ea03386ec949a9de2178113ad1 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Wed, 30 Oct 2024 06:51:09 +0000
Subject: [PATCH 1/2] - Update to 3.0.1 (bsc#1232554, CVE-2024-49769): * Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel. See https://github.com/Pylons/waitress/pull/435, https://github.com/Pylons/waitress/issues/418 and https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6 * No longer strip the header values before passing them to the WSGI environ. See https://github.com/Pylons/waitress/pull/434 and https://github.com/Pylons/waitress/issues/432 * Fix a race condition in Waitress when `channel_request_lookahead` is enabled that could lead to HTTP request smuggling. * See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=69
---
 python-waitress.changes | 18 ++++++++++++++++++
 python-waitress.spec | 2 +-
 waitress-3.0.0.tar.gz | 3 ---
 waitress-3.0.1.tar.gz | 3 +++
 4 files changed, 22 insertions(+), 4 deletions(-)
 delete mode 100644 waitress-3.0.0.tar.gz
 create mode 100644 waitress-3.0.1.tar.gz
diff --git a/python-waitress.changes b/python-waitress.changes
index 18fbc0c..1966b7a 100644
--- a/python-waitress.changes
+++ b/python-waitress.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Oct 30 06:49:46 UTC 2024 - Daniel Garcia
+
+- Update to 3.0.1 (bsc#1232554, CVE-2024-49769):
+ * Fix a bug that would lead to Waitress busy looping on select()
+ on a half-open socket due to a race condition that existed when
+ creating a new HTTPChannel. See
+ https://github.com/Pylons/waitress/pull/435,
+ https://github.com/Pylons/waitress/issues/418 and
+ https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
+ * No longer strip the header values before passing them to the
+ WSGI environ. See https://github.com/Pylons/waitress/pull/434
+ and https://github.com/Pylons/waitress/issues/432
+ * Fix a race condition in Waitress when
+ `channel_request_lookahead` is enabled that could lead to HTTP
+ request smuggling.
+ * See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
+
 -------------------------------------------------------------------
 Sun Jun 30 07:59:06 UTC 2024 - Dirk Müller
 
diff --git a/python-waitress.spec b/python-waitress.spec
index b3cc6f0..9a0433c 100644
--- a/python-waitress.spec
+++ b/python-waitress.spec
@@ -31,7 +31,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name: python-waitress%{psuffix}
-Version: 3.0.0
+Version: 3.0.1
 Release: 0
 Summary: Waitress WSGI server
 License: ZPL-2.1
diff --git a/waitress-3.0.0.tar.gz b/waitress-3.0.0.tar.gz
deleted file mode 100644
index 34c7267..0000000
--- a/waitress-3.0.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:005da479b04134cdd9dd602d1ee7c49d79de0537610d653674cc6cbde222b8a1
-size 179393
diff --git a/waitress-3.0.1.tar.gz b/waitress-3.0.1.tar.gz
new file mode 100644
index 0000000..503194e
--- /dev/null
+++ b/waitress-3.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef0c1f020d9f12a515c4ec65c07920a702613afcad1dbfdc3bcec256b6c072b3
+size 180560
From 640180ab345607b04b0e58b1ec923439fdeebbee13d08a701babcdb8d7a08b74 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Wed, 30 Oct 2024 07:33:06 +0000
Subject: [PATCH 2/2] - Update to 3.0.1 (bsc#1232554, bsc#1232556, CVE-2024-49769, CVE-2024-49768):
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=70
---
 python-waitress.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-waitress.changes b/python-waitress.changes
index 1966b7a..3edcbfc 100644
--- a/python-waitress.changes
+++ b/python-waitress.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Wed Oct 30 06:49:46 UTC 2024 - Daniel Garcia
 
-- Update to 3.0.1 (bsc#1232554, CVE-2024-49769):
+- Update to 3.0.1 (bsc#1232554, bsc#1232556, CVE-2024-49769, CVE-2024-49768):
 * Fix a bug that would lead to Waitress busy looping on select()
 on a half-open socket due to a race condition that existed when
 creating a new HTTPChannel. See