Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2022-0182)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2022.0182

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2022-0182)

Resumen: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.

Descripción: Summary:
The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.

Vulnerability Insight:
When using Waitress versions 2.1.0 and prior behind a proxy that does not
properly validate the incoming HTTP request matches the RFC7230 standard,
Waitress and the frontend proxy may disagree on where one request starts
and where it ends. This would allow requests to be smuggled via the
front-end proxy to waitress and later behavior. There are two classes of
vulnerability that may lead to request smuggling that are addressed by
this advisory: The use of Python's `int()` to parse strings into integers,
leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`,
where as the standard specifies that the string should contain only digits
or hex digits, and Waitress does not support chunk extensions, however it
was discarding them without validating that they did not contain illegal
characters. This vulnerability has been patched in Waitress 2.1.1

Affected Software/OS:
'python-waitress' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2022-24761
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
Debian Security Information: DSA-5138 (Google Search)
https://www.debian.org/security/2022/dsa-5138
https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
https://github.com/Pylons/waitress/releases/tag/v2.1.1
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2022.0182
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2022-0182)
Resumen:	The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory.
Descripción:	Summary: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2022-0182 advisory. Vulnerability Insight: When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits, and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1 Affected Software/OS: 'python-waitress' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2022-24761 https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 Debian Security Information: DSA-5138 (Google Search) https://www.debian.org/security/2022/dsa-5138 https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0 https://github.com/Pylons/waitress/releases/tag/v2.1.1 https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
Copyright	Copyright (C) 2022 Greenbone AG