Test ID: 1.3.6.1.4.1.25623.1.1.10.2020.0083
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2020-0083)
Summary: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2020-0083 advisory.
Description:

Summary: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2020-0083 advisory.

Vulnerability Insight: Updated python-waitress packages fix security vulnerabilities:

If a front-end server does not parse header fields terminated with a bare LF the same way as it parses those terminated with CRLF, the front-end and the back-end server can parse the same HTTP message in two different ways. This creates the potential for HTTP request smuggling/splitting, whereby Waitress may see two requests while the front-end server only sees a single HTTP message (CVE-2019-16785).

Waitress through version 1.3.1 parsed the Transfer-Encoding header looking for only a single string value; if that value was not "chunked", it fell through and used the Content-Length header instead. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining (CVE-2019-16786).

In Waitress through version 1.4.0, if a proxy server is used in front of Waitress, an attacker may send an invalid request that bypasses the front-end and is parsed differently by Waitress, leading to a potential for HTTP request smuggling. If a front-end server does HTTP pipelining to a backend Waitress server, this could lead to HTTP request splitting, which may lead to potential cache poisoning or unexpected information disclosure (CVE-2019-16789).

Affected Software/OS: 'python-waitress' package(s) on Mageia 7.

Solution: Please install the updated package(s).

CVSS Score: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Cross References:

Common Vulnerability Exposure (CVE) ID: CVE-2019-16785
    https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/
    https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
    https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba
    https://www.oracle.com/security-alerts/cpuapr2022.html
    https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
    RedHat Security Advisory RHSA-2020:0720: https://access.redhat.com/errata/RHSA-2020:0720

Common Vulnerability Exposure (CVE) ID: CVE-2019-16786
    https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
    https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3

Common Vulnerability Exposure (CVE) ID: CVE-2019-16789
    https://github.com/github/advisory-review/pull/14604
    https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
Copyright: Copyright (C) 2022 Greenbone AG
This is only one of 145615 vulnerability tests in our test suite. Find out more about how to run a complete security audit. To run a free test of this vulnerability against your system, register now.