Bug 1468175 - Backport security fix from v1.0.0 to prevent header spoofing via underscore/dash conflation
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: python-waitress (Show other bugs)
Assigned To: Fedora Infrastructure SIG
Reported: 2017-07-06 03:51 EDT by gernot
Modified: 2017-07-06 03:51 EDT (History)
Description gernot 2017-07-06 03:51:14 EDT
python-waitress received a security fix in Version 1.0.0
(2016-08-31).  The changelog states:
  - Waitress will now drop HTTP headers that contain an underscore in the key
    when received from a client. This is to stop any possible underscore/dash
    conflation that may lead to security issues. See
    https://github.com/Pylons/waitress/pull/80 and

See https://pypi.python.org/pypi/waitress/1.0.2 and

Should this change be backported to python-waitress
version 0.8.9-5.el7 in EPEL?
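The conflation the changelog entry refers to comes from the CGI/WSGI rule that maps a header name to an environ key by upper-casing it and turning `-` into `_`, so `X-Forwarded-For` and `X_Forwarded_For` land on the same key. The following is an added example, not code from this bug report or from waitress itself; the helper names, the environ-building function and the sample header lines are constructed here to show the collision and the 1.0.0 mitigation (dropping client headers whose name contains an underscore):

```python
# Added example: CGI/WSGI header-name mapping and the waitress 1.0.0 mitigation.
# Helper names and sample headers are constructed for illustration; this is not
# waitress's own parser.

def environ_key(name):
    """Map an HTTP header name to its CGI/WSGI environ key (HTTP_ + upper, '-' -> '_')."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(header_lines, drop_underscore=True):
    """Turn raw 'Name: value' request lines into a WSGI-style environ dict.

    With drop_underscore=True (the behaviour introduced in waitress 1.0.0) any
    header whose name contains '_' is discarded before mapping, so it can never
    share an environ key with the dashed form that a trusted proxy would set.
    With drop_underscore=False the last header mapping to a key silently wins.
    """
    environ = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip()
        if drop_underscore and "_" in name:
            continue  # indistinguishable from the dashed header once mapped
        environ[environ_key(name)] = value.strip()
    return environ


# Constructed sample: two distinct header names that map to the same environ key.
SAMPLE_HEADERS = [
    "X-Forwarded-For: 203.0.113.10",
    "X_Forwarded_For: 198.51.100.7",
]


def conflated_value():
    """Pre-1.0.0 behaviour: the underscore variant overwrites the dashed header."""
    return build_environ(SAMPLE_HEADERS, drop_underscore=False)["HTTP_X_FORWARDED_FOR"]


def hardened_value():
    """1.0.0 behaviour: only the dashed header reaches the application."""
    return build_environ(SAMPLE_HEADERS, drop_underscore=True)["HTTP_X_FORWARDED_FOR"]


if __name__ == "__main__":
    print("without fix:", conflated_value())
    print("with fix:   ", hardened_value())
```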
