Waitress WSGI server

Source Files

Filename                            Size (bytes)   Size
_multibuild                         52             52 Bytes
fetch-intersphinx-inventories.sh    70             70 Bytes
python-waitress.changes             20521          20 KB
python-waitress.spec                3507           3.42 KB
python3.inv                         107005         104 KB
waitress-2.1.1.tar.gz               178336         174 KB

Revision 24 (latest revision is 31)
Dominique Leuenberger (dimstar_suse) accepted request 962909 from Dirk Mueller (dirkmueller) (revision 24)
- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
  * Waitress now validates that chunked encoding extensions are valid, and don’t
    contain invalid characters that are not allowed. They are still skipped/not
    processed, but if they contain invalid data we no longer continue and instead return
    a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
    Thanks to Zhang Zeyu for reporting this issue. See
    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
  * Waitress now validates that the chunk length is only valid hex digits when
    parsing chunked encoding, and values such as 0x01 and +01 are no longer
    supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
    to Zhang Zeyu for reporting this issue. See
    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
  * Waitress now validates that the Content-Length sent by a remote contains only
    digits in accordance with RFC7230 and will return a 400 Bad Request when the
    Content-Length header contains invalid data, such as +10 which would
    previously get parsed as 10 and accepted. This stops potential HTTP
    desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue.
    See
    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
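
The length checks described in the changelog above, as an added example (not Waitress's own code, and not part of the changelog): Python's int() accepts the values the entry names, +10, 0x01 and +01, while a digits-only check rejects them before any conversion. All function and class names are hypothetical, and the sample values are constructed.

```python
import re

# RFC 7230 grammar: Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG.
# Explicit ASCII classes on bytes, so nothing but these characters can match.
_CONTENT_LENGTH = re.compile(rb"[0-9]+")
_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]+")

class BadRequest(ValueError):
    """Hypothetical error that a server would answer with 400 Bad Request."""

def lenient_content_length(raw: bytes) -> int:
    # int() also accepts a sign, surrounding whitespace and underscores.
    return int(raw)

def lenient_chunk_size(raw: bytes) -> int:
    # With base 16, int() additionally accepts a "0x" prefix.
    return int(raw, 16)

def strict_content_length(raw: bytes) -> int:
    if not _CONTENT_LENGTH.fullmatch(raw):
        raise BadRequest(f"invalid Content-Length: {raw!r}")
    return int(raw)

def strict_chunk_size(raw: bytes) -> int:
    if not _CHUNK_SIZE.fullmatch(raw):
        raise BadRequest(f"invalid chunk size: {raw!r}")
    return int(raw, 16)

PARSERS = {
    "content-length": (lenient_content_length, strict_content_length),
    "chunk-size": (lenient_chunk_size, strict_chunk_size),
}

# Constructed sample values, including the ones named in the changelog.
SAMPLES = [("content-length", b"+10"), ("content-length", b"10"),
           ("chunk-size", b"0x01"), ("chunk-size", b"+01"),
           ("chunk-size", b"1f")]

def compare(samples=SAMPLES):
    """Return (field, raw, lenient result, strict result or '400') rows."""
    rows = []
    for field, raw in samples:
        lenient, strict = PARSERS[field]
        try:
            verdict = strict(raw)
        except BadRequest:
            verdict = "400"
        rows.append((field, raw, lenient(raw), verdict))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Any row where the lenient and strict columns differ is a value on which two HTTP parsers in the same request path could disagree about message framing.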