Overview
Request 962909 accepted
- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
* Waitress now validates that chunked encoding extensions are valid, and don’t
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and return
a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as 0x01 and +01 are no longer
supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as +10 which would
previously get parsed as 10 and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue.
See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- Created by dirkmueller
- In state accepted
Request History
dirkmueller created request
- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
* Waitress now validates that chunked encoding extensions are valid, and don’t
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and return
a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as 0x01 and +01 are no longer
supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as +10 which would
previously get parsed as 10 and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue.
See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dimstar_suse set openSUSE:Factory:Staging:F as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:F"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:F"
dimstar accepted review
dimstar_suse accepted review
Staging Project openSUSE:Factory:Staging:F got accepted.
dimstar_suse approved review
Staging Project openSUSE:Factory:Staging:F got accepted.
dimstar_suse accepted request
Staging Project openSUSE:Factory:Staging:F got accepted.
