Bug 1468175

Summary: Backport security fix from v1.0.0 to prevent header spoofing via underscore/dash conflation
Product: [Fedora] Fedora EPEL
Reporter: gernot
Component: python-waitress
Assignee: Fedora Infrastructure SIG <infra-sig>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: infra-sig, rbean
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Fixed In Version: python-waitress-1.4.3-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-09-04 14:41:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description gernot 2017-07-06 07:51:14 UTC
python-waitress received a security fix in Version 1.0.0
(2016-08-31).  The changelog states:

  Security
  ~~~~~~~~

  - Waitress will now drop HTTP headers that contain an underscore in the key
    when received from a client. This is to stop any possible underscore/dash
    conflation that may lead to security issues. See
    https://github.com/Pylons/waitress/pull/80 and
    https://www.djangoproject.com/weblog/2015/jan/13/security/

See https://pypi.python.org/pypi/waitress/1.0.2 and
https://github.com/Pylons/waitress/blob/v1.0.0/CHANGES.txt.

Should this change be backported to python-waitress
version 0.8.9-5.el7 in EPEL?
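
As an added illustration (not part of this bug report or of waitress's own code), the following Python models the CGI-style environ naming that causes the underscore/dash conflation quoted above, and the 1.0.0 mitigation of dropping any header whose name contains an underscore. The header names and values are constructed, and letting a later header overwrite an earlier one on the same environ key is a simplification of this model, not a statement about waitress internals.

```python
# Added example, not waitress's own code. Models why '-' and '_' in
# header names collapse to one WSGI environ key, and the 1.0.0 fix
# of discarding header names that contain an underscore.

def cgi_env_name(header_name: str) -> str:
    """CGI/WSGI convention: 'HTTP_' + upper-cased name with '-' -> '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_environ(raw_headers, drop_underscore_headers: bool):
    """Map (name, value) pairs into a WSGI-style environ dict.

    raw_headers: list of (name, value) tuples in the order received.
    drop_underscore_headers: emulate the 1.0.0 behaviour of discarding
    any header whose raw name contains '_' (checked before translation).
    Simplification: a later header overwrites an earlier one that maps
    to the same environ key, which is exactly where conflation bites.
    """
    environ, dropped = {}, []
    for name, value in raw_headers:
        if drop_underscore_headers and "_" in name:
            dropped.append(name)
            continue
        environ[cgi_env_name(name)] = value
    return environ, dropped

# Constructed sample request headers: a value set by a trusted proxy
# (X-Forwarded-For) followed by a client-supplied X_Forwarded_For that
# translates to the very same environ key.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X_Forwarded_For", "10.0.0.1"),
]

def demo():
    """Return (value without fix, value with fix, dropped header names)."""
    before, _ = build_environ(SAMPLE_HEADERS, drop_underscore_headers=False)
    after, dropped = build_environ(SAMPLE_HEADERS, drop_underscore_headers=True)
    return before["HTTP_X_FORWARDED_FOR"], after["HTTP_X_FORWARDED_FOR"], dropped

if __name__ == "__main__":
    without_fix, with_fix, dropped = demo()
    print("without fix:", without_fix)  # 10.0.0.1 (client value replaced proxy value)
    print("with fix:   ", with_fix)     # 203.0.113.7
    print("dropped:    ", dropped)      # ['X_Forwarded_For']
```

Two distinct header names agreeing on one environ key is the whole problem; the fix refuses the underscore spelling before it can reach the same key.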

Comment 1 Fedora Update System 2020-02-16 22:57:37 UTC
FEDORA-EPEL-2020-fa8a2e97c6 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6

Comment 2 Fedora Update System 2020-02-17 00:08:33 UTC
python-waitress-1.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6

Comment 3 Fedora Update System 2020-09-04 14:41:16 UTC
FEDORA-EPEL-2020-fa8a2e97c6 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.