Waitress version 1.4.0 has been released

1 view
Skip to first unread message

Bert JW Regeer

unread,
Dec 20, 2019, 5:53:25 AM12/20/19
to Pylons Project, Pylons Project
Hey all,

Waitress version 1.4.0 has been released, it includes several critical fixes for security issues when using Waitress behind a reverse proxy, all of them related to HTTP request smuggling/splitting which can lead to information disclosure, potential cache poisoning (if waitress is used behind a reverse proxy that is caching) or related issues.

Please see these advisories:

Treatment of LF vs CRLF (CVE-2019-16785): https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
Invalid Transfer-Encoding (CVE-2019-16786): https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
Content-Length sent twice (CVE ID requested): https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6

Full release notes for the changes available on PyPI:

https://pypi.org/project/waitress/1.4.0/

Before upgrading in production, please validate that the behavioural changes in Waitress do not break your existing setups. Waitress has become more strict in parsing HTTP messages and this may cause issues with clients that require the less strict behaviour, you will need to update your clients.

Please do not hesitate to file issues (if not security related) on the Github issue tracker: https://github.com/Pylons/waitress/issues

If you have a potential security issue in Waitress, or any Pylons Project, please do not hesitate to email us at: pylons-proj...@googlegroups.com

Thank you,
Bert JW Regeer
Reply all
Reply to author
Forward
0 new messages