Bug 1468175 - Backport security fix from v1.0.0 to prevent header spoofing via underscore/dash conflation
Summary: Backport security fix from v1.0.0 to prevent header spoofing via underscore/d...
Keywords:
Status: ON_QA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-waitress
Version: epel7
Hardware: All
OS: All
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-06 07:51 UTC by gernot
Modified: 2020-02-17 00:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description gernot 2017-07-06 07:51:14 UTC
python-waitress received a security fix in Version 1.0.0
(2016-08-31).  The changelog states:

  Security
  ~~~~~~~~

  - Waitress will now drop HTTP headers that contain an underscore in the key
    when received from a client. This is to stop any possible underscore/dash
    conflation that may lead to security issues. See
    https://github.com/Pylons/waitress/pull/80 and
    https://www.djangoproject.com/weblog/2015/jan/13/security/

See https://pypi.python.org/pypi/waitress/1.0.2 and
https://github.com/Pylons/waitress/blob/v1.0.0/CHANGES.txt.

Should this change be backported to python-waitress
version 0.8.9-5.el7 in EPEL?

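The conflation the changelog refers to comes from the CGI/WSGI convention of turning a header name into an environ key by upper-casing it and replacing dashes with underscores, so that `X-Forwarded-For` and `X_Forwarded_For` both land in `HTTP_X_FORWARDED_FOR`. The following is an added example, not code from waitress or from this bug report: it models a reverse proxy that strips a client-supplied `X-Forwarded-For` by exact name, a WSGI server that applies the naive mapping (joining duplicate keys with ", " as HTTP allows), and a hardened mapping that drops any header whose key contains an underscore, which is the behaviour the 1.0.0 changelog describes. The proxy behaviour, the header lines, the IP addresses and the helper names are all constructed for illustration.

```python
"""Underscore/dash conflation of HTTP header names in a WSGI environ.

Added example (not waitress's own implementation).  The proxy model,
the sample request and the helper names below are assumptions.
"""

# Header a front proxy is assumed to own: it strips any copy a client
# sends and appends its own observation of the peer address.
TRUSTED_HEADER = "X-Forwarded-For"

# Constructed client request: the client cannot send X-Forwarded-For
# past the proxy, so it sends the underscore variant instead.
CLIENT_REQUEST = (
    "Host: example.test\n"
    "X_Forwarded_For: 10.0.0.1\n"
    "User-Agent: constructed-client/1.0\n"
)


def environ_key(name):
    """CGI/WSGI mapping: HTTP_ prefix, upper case, '-' becomes '_'.

    This is the step that makes 'X-Forwarded-For' and 'X_Forwarded_For'
    collide on the same key.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def parse_headers(raw):
    """Split 'Name: value' lines into an ordered list of (name, value)."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def proxy_forward(pairs, trusted=TRUSTED_HEADER):
    """Model of a reverse proxy (assumption): drop the trusted header by
    exact, case-insensitive name, then append the proxy's own value."""
    kept = [(n, v) for n, v in pairs if n.lower() != trusted.lower()]
    kept.append((trusted, "203.0.113.7"))  # constructed proxy-seen peer IP
    return kept


def to_environ(pairs, drop_underscore):
    """Build HTTP_* environ keys.

    drop_underscore=False is the naive mapping; True mirrors the
    described fix by discarding any header name containing '_'.
    Duplicate keys are joined with ', ' as a combined field value.
    """
    env = {}
    for name, value in pairs:
        if drop_underscore and "_" in name:
            continue
        key = environ_key(name)
        env[key] = env[key] + ", " + value if key in env else value
    return env


def client_ip(env):
    """Typical application logic: trust the leftmost X-Forwarded-For entry."""
    return env.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()


def resolve_client_ip(raw_request, drop_underscore):
    """Run request through proxy and server; return the IP the app trusts."""
    pairs = proxy_forward(parse_headers(raw_request))
    return client_ip(to_environ(pairs, drop_underscore))


if __name__ == "__main__":
    print("naive mapping   :", resolve_client_ip(CLIENT_REQUEST, False))
    print("underscore drop :", resolve_client_ip(CLIENT_REQUEST, True))
```

With the naive mapping the application sees `10.0.0.1, 203.0.113.7` under `HTTP_X_FORWARDED_FOR` and, taking the leftmost entry, trusts the client-chosen address; with underscore keys dropped it sees only the proxy's value. Rejecting underscored names at the server is the robust fix because it does not rely on every proxy in front of it knowing about the variant spelling.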
Comment 1 Fedora Update System 2020-02-16 22:57:37 UTC
FEDORA-EPEL-2020-fa8a2e97c6 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6

Comment 2 Fedora Update System 2020-02-17 00:08:33 UTC
python-waitress-1.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6

