Bug 1468175 - Backport security fix from v1.0.0 to prevent header spoofing via underscore/dash conflation
Status: ON_QA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-waitress
Version: epel7
Hardware: All
OS: All
Target Milestone: ---
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2017-07-06 07:51 UTC by gernot
Modified: 2020-02-17 00:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug


Description gernot 2017-07-06 07:51:14 UTC
python-waitress received a security fix in Version 1.0.0
(2016-08-31).  The changelog states:


  - Waitress will now drop HTTP headers that contain an underscore in the key
    when received from a client. This is to stop any possible underscore/dash
    conflation that may lead to security issues. See
    https://github.com/Pylons/waitress/pull/80 and

See https://pypi.python.org/pypi/waitress/1.0.2 and

Should this change be backported to python-waitress
version 0.8.9-5.el7 in EPEL?
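
The conflation the changelog refers to comes from the standard CGI/WSGI (PEP 3333) rule that turns a request header name into an environ key by upper-casing it, replacing "-" with "_" and prefixing "HTTP_". That mapping is lossy: "X-Forwarded-For" and "X_Forwarded_For" both land on HTTP_X_FORWARDED_FOR, so a client can overwrite a value a trusted proxy set. The following is an added illustration written for this bug report, not code from waitress itself; it models the mapping and the post-1.0.0 behaviour described above (any client header whose name contains an underscore is dropped). The header names, values and the function names are constructed for the example.

```python
# Added illustration of the underscore/dash conflation that waitress 1.0.0
# guards against. Not waitress's own code: it models the CGI/WSGI header ->
# environ mapping and the changelog's filter (drop any client-supplied header
# whose name contains an underscore). Sample headers are constructed.

from typing import Dict, List, Tuple


def wsgi_key(name: str) -> str:
    """CGI/WSGI mapping: 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'.

    The mapping is lossy: '-' and '_' both become '_', so two distinct
    wire header names can collide on a single environ key.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ_naive(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Pre-1.0.0 style: every header is mapped and a later value overwrites
    an earlier one, so 'X_Forwarded_For' from the client replaces the
    'X-Forwarded-For' value a proxy set."""
    environ: Dict[str, str] = {}
    for name, value in headers:
        environ[wsgi_key(name)] = value
    return environ


def build_environ_hardened(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Post-1.0.0 style: a header name containing '_' is dropped before
    mapping, so only the dash-spelled name can populate the environ key."""
    environ: Dict[str, str] = {}
    for name, value in headers:
        if "_" in name:
            continue  # indistinguishable from the dashed form once mapped; drop it
        environ[wsgi_key(name)] = value
    return environ


def first_forwarded_ip(environ: Dict[str, str]) -> str:
    """What a typical application reads back: the first address in the
    X-Forwarded-For chain (empty string when the header is absent)."""
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    return raw.split(",")[0].strip()


# Constructed sample: the proxy supplied X-Forwarded-For, and the client
# also sent an underscore-spelled variant in an attempt to override it.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "203.0.113.10"),  # set by the proxy (trusted)
    ("X_Forwarded_For", "127.0.0.1"),     # sent by the client (spoof attempt)
]


def compare(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return the client IP each strategy would report for the same request."""
    return {
        "naive": first_forwarded_ip(build_environ_naive(headers)),
        "hardened": first_forwarded_ip(build_environ_hardened(headers)),
    }


if __name__ == "__main__":
    for strategy, ip in compare(SAMPLE_HEADERS).items():
        print(f"{strategy:9s} -> HTTP_X_FORWARDED_FOR seen by the app: {ip}")
```

The filter closes the collision on the server side; it does not by itself make X-Forwarded-For trustworthy, which still depends on the proxy in front of waitress overwriting or stripping the client's copy of the dashed header.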

Comment 1 Fedora Update System 2020-02-16 22:57:37 UTC
FEDORA-EPEL-2020-fa8a2e97c6 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6

Comment 2 Fedora Update System 2020-02-17 00:08:33 UTC
python-waitress-1.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6
