MGASA-2022-0182 - Updated python-waitress packages fix security vulnerability Publication date: 15 May 2022 URL: https://advisories.mageia.org/MGASA-2022-0182.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-24761 When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python’s `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1 References: - https://bugs.mageia.org/show_bug.cgi?id=30248 - https://ubuntu.com/security/notices/USN-5364-1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761 SRPMS: - 8/core/python-waitress-2.1.1-1.mga8
Mageia 2022-0182: python-waitress security update
When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy ...
Summary
When using Waitress versions 2.1.0 and prior behind a proxy that does not
properly validate the incoming HTTP request matches the RFC7230 standard,
Waitress and the frontend proxy may disagree on where one request starts
and where it ends. This would allow requests to be smuggled via the
front-end proxy to waitress and later behavior. There are two classes of
vulnerability that may lead to request smuggling that are addressed by
this advisory: The use of Python’s `int()` to parse strings into integers,
leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`,
where as the standard specifies that the string should contain only digits
or hex digits; and Waitress does not support chunk extensions, however it
was discarding them without validating that they did not contain illegal
characters. This vulnerability has been patched in Waitress 2.1.1
References
- https://bugs.mageia.org/show_bug.cgi?id=30248
- https://ubuntu.com/security/notices/USN-5364-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
Resolution
MGASA-2022-0182 - Updated python-waitress packages fix security vulnerability
SRPMS
- 8/core/python-waitress-2.1.1-1.mga8
Severity
Publication date: 15 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0182.html
Type: security
CVE: CVE-2022-24761
News
HOWTOs
Features
About Us
Powered By
