-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2351
                         waitress security update
                                13 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           waitress
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24761 CVE-2019-16792 CVE-2019-16789
                   CVE-2019-16786 CVE-2019-16785 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html

Comment: CVSS (Max):  8.2 CVE-2019-16789 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3000-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Stefano Rivera
May 12, 2022                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : waitress
Version        : 1.0.1-1+deb9u1
CVE ID         : CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792
                 CVE-2022-24761
Debian Bug     : 1008013

Waitress is a Python WSGI server, an application server for Python web apps.

Security updates to fix request smuggling bugs, when combined with another http
proxy that interprets requests differently. This can lead to a potential for
HTTP request smuggling/splitting whereby Waitress may see two requests while
the front-end server only sees a single HTTP message.  This can result in cache
poisoning or unexpected information disclosure.

CVE-2019-16785

    Only recognise CRLF as a line-terminator, not a plain LF. Before this
    change waitress could see two requests where the front-end proxy only saw
    one.

CVE-2019-16786

    Waitress would parse the Transfer-Encoding header and only look for a
    single string value, if that value was not "chunked" it would fall through
    and use the Content-Length header instead.  This could allow for Waitress
    to treat a single request as multiple requests in the case of HTTP
    pipelining.

CVE-2019-16789

    Specially crafted requests containing special whitespace characters in the
    Transfer-Encoding header would get parsed by Waitress as being a chunked
    request, but a front-end server would use the Content-Length instead as the
    Transfer-Encoding header is considered invalid due to containing invalid
    characters.  If a front-end server does HTTP pipelining to a backend
    Waitress server this could lead to HTTP request splitting which may lead to
    potential cache poisoning or unexpected information disclosure.

CVE-2019-16792

    If two Content-Length headers are sent in a single request, Waitress would
    treat the request as having no body, thereby treating the body of the
    request as a new request in HTTP pipelining.

CVE-2022-24761

    There are two classes of vulnerability that may lead to request smuggling
    that are addressed by this advisory:
    1. The use of Python's int() to parse strings into integers, leading to +10
       to be parsed as 10, or 0x01 to be parsed as 1, where as the standard
       specifies that the string should contain only digits or hex digits.
    2. Waitress does not support chunk extensions, however it was discarding
       them without validating that they did not contain illegal characters.

For Debian 9 stretch, these problems have been fixed in version
1.0.1-1+deb9u1.

We recommend that you upgrade your waitress packages.

For the detailed security status of waitress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/waitress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYn1/tgAKCRBHew2wJjpU
2IFwAQDVDLPcMmO8nVczyfRKS9vc6Y7LpwU6Nv8LDRlqt9R5OgD7BEBxhqKTjwe1
GTBoU3rtNF/LQ/FVp++PSk08twlx5gY=
=07f2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYn2L2skNZI30y1K9AQhHaxAAu0RiDwuvl7gYWNxqG5MBd5SmzEbl20en
XwF7ibWainN0Gg0y6uooBNHJwwH03vaPFQu2y92ZWaXlNlGxb0YKFgFCoqxF7OPO
IZiktp5FBxk1Kg+6nbQ7Vu1j8SWfMF5aM2grLf/JanIBetjN232WOytAXQKmhdFn
Bvl/UdUWPoLPm+zZAWl/N6GLOOINBwGh4vxVFbeLQxKT92GBrP/gJSKHdwVRC+a6
xWDfZ7PsoU/Z2PaJzchlVO6RFdM3yKTJC63aUX+tUN0CFqWAtBRMTHYf+o98o6b5
IzwxbaYRTLatGq7nX0Y6TTV/7yCCELLAJwKTgZfZjwlzNrjVGc5/l6RJt1NqNvQ3
vObvdAnVpIddWZk+NewYVuRtGoQI1Z9nqvXLnjcpdtHdRnyERPXD7q9iD0G3sLfh
ccPlVj99ykNBhIEowDC6IbnIZV/gWzgDmaeM74XhWepLahhePtxYPYM/1Flo5Fjb
rwDCXG/fWw6WBOh/aC+W/C/XU1LigWHj58WvCssAd0WLIGjo4uGUgAJRKWkFlx97
BtVy8MKyjHXy0UyZzBv/YxQshuXn3vRfk71GRo+3++F/56mgGPwSaG9omKkkNEYd
p0wBvnscbdKvy3v0pKxfWsKFyhye8UNq7/DSAPF8+92PK6r58Bi64tuBoqObMLEF
wciKezx3wjo=
=XFQo
-----END PGP SIGNATURE-----