Waitress version 1.4.0 has been released


Bert JW Regeer

Dec 20, 2019, 5:53:25 AM12/20/19
to Pylons Project, Pylons Project
Hey all,

Waitress version 1.4.0 has been released; it includes several critical fixes for security issues when using Waitress behind a reverse proxy, all of them related to HTTP request smuggling/splitting, which can lead to information disclosure, potential cache poisoning (if Waitress is used behind a reverse proxy that is caching) or related issues.

Please see these advisories:

Treatment of LF vs CRLF (CVE-2019-16785): https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
Invalid Transfer-Encoding (CVE-2019-16786): https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
Content-Length sent twice (CVE ID requested): https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6

Full release notes for the changes available on PyPI:

https://pypi.org/project/waitress/1.4.0/

Before upgrading in production, please validate that the behavioural changes in Waitress do not break your existing setups. Waitress has become more strict in parsing HTTP messages, and this may cause issues with clients that require the less strict behaviour; you will need to update your clients.

Please do not hesitate to file issues (if not security related) on the Github issue tracker: https://github.com/Pylons/waitress/issues

If you have a potential security issue in Waitress, or any Pylons Project, please do not hesitate to email us at: pylons-proj...@googlegroups.com

Thank you,
Bert JW Regeer
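The three advisories above describe the same underlying problem: a request head that a reverse proxy and the origin server might frame differently (bare LF vs CRLF line terminators, an unrecognised Transfer-Encoding, and Content-Length sent more than once). The checker below is an added example, not Waitress code and not part of the original announcement. It applies strict RFC 7230 framing rules to a raw request head and returns a list of findings, so a test harness or front-end filter can reject ambiguous requests before they reach an application. The sample requests in `SAMPLES` are constructed for illustration.

```python
"""Strict framing checks for a raw HTTP/1.1 request head (added example)."""
import re

# Characters RFC 7230 permits in a header field name (tchar); a trailing space before
# the colon therefore fails this pattern, which is what a strict parser should do.
_TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Transfer codings a strict origin recognises; anything else is treated as suspect.
_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate", b"compress", b"x-compress", b"identity"}


def _parse_head(raw: bytes):
    """Split the head into (request_line, [(lowercased name, value)], findings)."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Class 1 (LF vs CRLF): once every proper CRLF is removed, any LF left is a bare terminator.
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare LF line terminator")
    lines = re.split(rb"\r?\n", head)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TCHAR.match(name):
            findings.append("malformed header field: %r" % line)
            continue
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, findings


def _check_transfer_encoding(headers, findings) -> bool:
    """Class 2: Transfer-Encoding must list known codings and end with chunked."""
    present = False
    codings = []
    for name, value in headers:
        if name == b"transfer-encoding":
            present = True
            codings.extend(v.strip().lower() for v in value.split(b",") if v.strip())
    if not present:
        return False
    if not codings:
        findings.append("empty Transfer-Encoding")
        return True
    for coding in codings:
        if coding not in _CODINGS:
            findings.append("unknown Transfer-Encoding %r" % coding)
    if codings[-1] != b"chunked":
        findings.append("Transfer-Encoding does not end with chunked")
    return True


def _check_content_length(headers, findings):
    """Class 3: Content-Length must appear once, as a single decimal value."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    if not values:
        return None
    if any(not v.isdigit() for v in values):
        findings.append("non-numeric Content-Length")
        return None
    if len(values) > 1:
        findings.append("Content-Length sent more than once")
        if len(set(values)) > 1:
            findings.append("conflicting Content-Length values")
        return None
    return int(values[0])


def check_request_head(raw: bytes) -> list:
    """Return the framing findings for a raw request head; [] means unambiguous."""
    request_line, headers, findings = _parse_head(raw)
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", request_line):
        findings.append("malformed request line")
    has_te = _check_transfer_encoding(headers, findings)
    length = _check_content_length(headers, findings)
    # RFC 7230 3.3.3: a message carrying both is ambiguous; a strict server rejects it.
    if has_te and length is not None:
        findings.append("both Transfer-Encoding and Content-Length present")
    return findings


# Constructed sample request heads, one per advisory class plus a clean baseline.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\nhello",
    "bad_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked-ish\r\n\r\n",
    "double_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_request_head(raw) or "ok")
```

Running the module prints one line per sample; only the clean request comes back with no findings. The checks are deliberately stricter than what many clients send in practice, which is the same trade-off the announcement warns about: a front end that rejects these requests will also reject lenient clients that relied on the old behaviour.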