Bug 1791415 (CVE-2019-16786)
| Summary: | CVE-2019-16786 waitress: HTTP request smuggling through invalid Transfer-Encoding | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | bdettelb, dbecker, hvyas, infra-sig, jjoyce, jschluet, jschorr, kbasil, lhh, lorenzo.gil.sanchez, lpeer, mburns, rbean, sclewis, sisharma, slinaber, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | waitress 1.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | An HTTP-interpretation flaw was found in waitress which did not properly validate incoming HTTP headers. When parsing the Transfer-Encoding header, waitress would look only for a single string value. According to the HTTP standard, Transfer-Encoding should be a comma-separated list, with the inner-most encoding first, followed by any further transfer codings, ending with 'chunked'. Because of this flaw, requests sent with "Transfer-Encoding: gzip, chunked" would get ignored, and waitress would use the Content-Length header instead to determine the body size of the HTTP message. A remote attacker could exploit this flaw to force waitress to accept potentially bad HTTP requests or treat a single request as multiple requests in the case of HTTP pipelining. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-05 16:31:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1791416, 1791417, 1791418, 1791488, 1791489, 1791490, 1793268, 1793269 | | |
| Bug Blocks: | 1791419 | | |
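The body-framing decision the Doc Text describes, as an added example that is not waitress's own code: the flawed single-value Transfer-Encoding check beside a list-aware check that follows RFC 7230 section 3.3.3. It assumes header names have already been lowercased into a dict; the sample headers are constructed.

```python
# Added example (not waitress's code). Contrasts the single-string
# Transfer-Encoding check the bug describes with a list-aware check that
# applies RFC 7230 section 3.3.3 when deciding how a request body is framed.
from typing import Dict, List


def parse_transfer_codings(value: str) -> List[str]:
    """Split a Transfer-Encoding value into a lowercase list of codings."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def framing_single_value(headers: Dict[str, str]) -> str:
    """Flawed logic: only the exact value 'chunked' selects chunked framing,
    so 'gzip, chunked' is ignored and Content-Length decides the body length,
    which lets a front-end proxy and this server disagree on where the
    request ends."""
    te = headers.get("transfer-encoding", "").strip().lower()
    if te == "chunked":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def framing_list_aware(headers: Dict[str, str]) -> str:
    """Corrected logic: Transfer-Encoding is a comma-separated list and, when
    present, takes precedence over Content-Length. The final coding must be
    'chunked'; anything else leaves the length unknowable, and a request that
    carries both headers is ambiguous, so both cases are rejected instead of
    silently falling back to Content-Length."""
    if "transfer-encoding" in headers:
        codings = parse_transfer_codings(headers["transfer-encoding"])
        if not codings or codings[-1] != "chunked":
            return "reject"  # e.g. 'gzip' alone or 'chunked, gzip'
        if "content-length" in headers:
            return "reject"  # conflicting framing: treat as an error
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


if __name__ == "__main__":
    # Constructed sample: the header combination named in the Doc Text.
    sample = {"transfer-encoding": "gzip, chunked", "content-length": "5"}
    print("flawed:", framing_single_value(sample))   # content-length
    print("fixed: ", framing_list_aware(sample))     # reject
```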
Description
Guilherme de Almeida Suckevicz
2020-01-15 19:33:50 UTC
Created python-waitress tracking bugs for this issue:

Affects: epel-all [bug 1791417]
Affects: fedora-all [bug 1791416]
Affects: openstack-rdo [bug 1791418]

While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version.

External References:
https://docs.pylonsproject.org/projects/waitress/en/latest/#id6

This issue has been addressed in the following products:
Red Hat OpenStack Platform 15.0 (Stein)
Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-16786

Statement: All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low. In Red Hat OpenStack Platform 13, because the flawed code is not used and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.

This issue has been addressed in the following products:
Red Hat Quay 3
Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420