Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2022-0182)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2022.0182

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2022-0182)

Zusammenfassung: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.

Vulnerability Insight:
When using Waitress versions 2.1.0 and prior behind a proxy that does not
properly validate the incoming HTTP request matches the RFC7230 standard,
Waitress and the frontend proxy may disagree on where one request starts
and where it ends. This would allow requests to be smuggled via the
front-end proxy to waitress and later behavior. There are two classes of
vulnerability that may lead to request smuggling that are addressed by
this advisory: The use of Python's `int()` to parse strings into integers,
leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`,
where as the standard specifies that the string should contain only digits
or hex digits, and Waitress does not support chunk extensions, however it
was discarding them without validating that they did not contain illegal
characters. This vulnerability has been patched in Waitress 2.1.1

Affected Software/OS:
'python-waitress' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2022-24761
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
Debian Security Information: DSA-5138 (Google Search)
https://www.debian.org/security/2022/dsa-5138
https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
https://github.com/Pylons/waitress/releases/tag/v2.1.1
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2022.0182
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2022-0182)
Zusammenfassung:	The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory. Vulnerability Insight: When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits, and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1 Affected Software/OS: 'python-waitress' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2022-24761 https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 Debian Security Information: DSA-5138 (Google Search) https://www.debian.org/security/2022/dsa-5138 https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0 https://github.com/Pylons/waitress/releases/tag/v2.1.1 https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
Copyright	Copyright (C) 2022 Greenbone AG