- update to 2.1.1 (bsc#1197255, CVE-2022-24761):

* Waitress now validates that chunked encoding extensions are valid, and don’t contain invalid characters that are not allowed. They are still skipped/not processed, but if they contain invalid data we no longer continue in and return a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 * Waitress now validates that the chunk length is only valid hex digits when parsing chunked encoding, and values such as 0x01 and +01 are no longer supported. This stops potential HTTP desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 * Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data, such as +10 which would previously get parsed as 10 and accepted. This stops potential HTTP desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=50
2022-03-17 17:48:05 +00:00
parent 471114f33c
commit fb396095fb
4 changed files with 29 additions and 6 deletions
--- a/python-waitress.changes
+++ b/python-waitress.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Thu Mar 17 17:42:42 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
+  * Waitress now validates that chunked encoding extensions are valid, and don’t
+    contain invalid characters that are not allowed. They are still skipped/not
+    processed, but if they contain invalid data we no longer continue in and return
+    a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
+    Thanks to Zhang Zeyu for reporting this issue. See
+    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+  * Waitress now validates that the chunk length is only valid hex digits when
+    parsing chunked encoding, and values such as 0x01 and +01 are no longer
+    supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
+    to Zhang Zeyu for reporting this issue. See
+    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+  * Waitress now validates that the Content-Length sent by a remote contains only
+    digits in accordance with RFC7230 and will return a 400 Bad Request when the
+    Content-Length header contains invalid data, such as +10 which would
+    previously get parsed as 10 and accepted. This stops potential HTTP
+    desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue.
+    See
+    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 
+
 -------------------------------------------------------------------
 Fri Aug 27 12:27:31 UTC 2021 - Stefan Schubert <schubi@suse.de>