Bug 1468175 - Backport security fix from v1.0.0 to prevent header spoofing via underscore/dash conflation
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: python-waitress
Version: epel7
Hardware: All
OS: All
Priority: unspecified
Severity: unspecified
Assigned To: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-06 03:51 EDT by gernot
Modified: 2017-07-06 03:51 EDT (History)
Description gernot 2017-07-06 03:51:14 EDT
python-waitress received a security fix in Version 1.0.0
(2016-08-31).  The changelog states:

  Security
  ~~~~~~~~

  - Waitress will now drop HTTP headers that contain an underscore in the key
    when received from a client. This is to stop any possible underscore/dash
    conflation that may lead to security issues. See
    https://github.com/Pylons/waitress/pull/80 and
    https://www.djangoproject.com/weblog/2015/jan/13/security/

See https://pypi.python.org/pypi/waitress/1.0.2 and
https://github.com/Pylons/waitress/blob/v1.0.0/CHANGES.txt.

Should this change be backported to python-waitress
version 0.8.9-5.el7 in EPEL?
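The following is an added illustration and is not part of the bug report, of waitress, or of the EPEL package. It shows why the upstream change matters: the CGI/WSGI convention maps a header name to an environ key by uppercasing it and turning dashes into underscores, so a header whose raw name already contains an underscore lands on the same key as its dashed counterpart and can silently overwrite it. The constructed sample headers, the `build_environ` and `conflated_keys` helpers, and the `drop_underscore_keys` flag are all assumptions made for this example; the only behaviour taken from the page is "drop client headers whose key contains an underscore".

```python
"""
Added example (not the bug report's or waitress's own code): demonstrates
dash/underscore conflation in CGI-style header normalization and a filter in
the spirit of the waitress 1.0.0 fix that discards client headers whose
name contains an underscore before they reach the WSGI environ.
"""


def wsgi_env_key(header_name: str) -> str:
    """CGI/WSGI convention: uppercase the name, replace '-' with '_', prefix HTTP_.
    Both 'X-Forwarded-For' and 'X-Forwarded_For' map to HTTP_X_FORWARDED_FOR."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore_keys=False):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs in
    arrival order, the way a naive server would; a later pair whose name maps
    to an already-used key overwrites the earlier value.

    With drop_underscore_keys=True any header whose raw name contains '_' is
    discarded outright, which is the behaviour the 1.0.0 changelog describes.
    (Function and flag names are assumptions of this example.)"""
    environ = {}
    for name, value in raw_headers:
        if drop_underscore_keys and "_" in name:
            continue  # never let an underscore-spelled name reach the environ
        environ[wsgi_env_key(name)] = value
    return environ


def conflated_keys(raw_headers):
    """Detection helper: environ keys reached by more than one distinct raw
    spelling in a single request. A non-empty result is exactly the ambiguity
    the upstream fix removes and is worth logging at the server edge."""
    seen = {}
    for name, _ in raw_headers:
        seen.setdefault(wsgi_env_key(name), set()).add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


# Constructed sample request headers (not captured traffic). A front proxy that
# sets or strips only the dashed spelling leaves the second header untouched,
# yet both spellings collapse onto HTTP_X_FORWARDED_FOR in the environ.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.10"),
    ("X-Forwarded_For", "198.51.100.7"),
]


if __name__ == "__main__":
    naive = build_environ(SAMPLE_HEADERS)
    safe = build_environ(SAMPLE_HEADERS, drop_underscore_keys=True)
    print("naive  :", naive["HTTP_X_FORWARDED_FOR"])   # value from the underscore spelling
    print("filtered:", safe["HTTP_X_FORWARDED_FOR"])   # value from the proxy-set header
    print("conflated:", conflated_keys(SAMPLE_HEADERS))
```

Run stand-alone, the naive environ carries the value from the underscore-spelled header because it arrived last, while the filtered environ keeps the value from the dashed header that a proxy would have set. `conflated_keys` can be wired into request logging to spot this pattern on servers that have not yet picked up the fix.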
