python-waitress received a security fix in Version 1.0.0 (2016-08-31). The changelog states: Security ~~~~~~~~ - Waitress will now drop HTTP headers that contain an underscore in the key when received from a client. This is to stop any possible underscore/dash conflation that may lead to security issues. See https://github.com/Pylons/waitress/pull/80 and https://www.djangoproject.com/weblog/2015/jan/13/security/ See https://pypi.python.org/pypi/waitress/1.0.2 and https://github.com/Pylons/waitress/blob/v1.0.0/CHANGES.txt. Should this change be backported to python-waitess version 0.8.9-5.el7 in EPEL?
FEDORA-EPEL-2020-fa8a2e97c6 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6
python-waitress-1.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6
FEDORA-EPEL-2020-fa8a2e97c6 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.