 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.1.10.2020.0083 |
| Category: | Mageia Linux Local Security Checks |
| Title: | Mageia: Security Advisory (MGASA-2020-0083) |
| Summary: | The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2020-0083 advisory. |
| Description: | Summary: The remote host is missing an update for the 'python-waitress' package(s) announced via the MGASA-2020-0083 advisory. Vulnerability Insight: Updated python-waitress packages fix security vulnerabilities: If a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message (CVE-2019-16785). Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining (CVE-2019-16786). In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure (CVE-2019-16789). Affected Software/OS: 'python-waitress' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2019-16785 https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/ https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba https://www.oracle.com/security-alerts/cpuapr2022.html https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html RedHat Security Advisories: RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720 Common Vulnerability Exposure (CVE) ID: CVE-2019-16786 https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3 Common Vulnerability Exposure (CVE) ID: CVE-2019-16789 https://github.com/github/advisory-review/pull/14604 https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 |
| Copyright | Copyright (C) 2022 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |