When Waitress runs behind a proxy that does not properly validate that the incoming HTTP request conforms to RFC 7230, Waitress and the front-end proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to Waitress and affect later behavior. Affected versions: <=2.1.0. References: https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 https://bugs.gentoo.org/835492
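To make concrete what "validate that the incoming HTTP request conforms to RFC 7230" means on the proxy side, the following is an added example (not Waitress's code and not from the advisory or the fix commit) of the message-framing checks from RFC 7230 section 3.3.3 that a front end can apply so that ambiguous messages are rejected before any back end sees them. The function names, the single-request-per-buffer simplification, and the sample requests are all constructed for illustration.

```python
"""Strict HTTP/1.1 request-framing checks in the spirit of RFC 7230 section 3.3.3.

Added example, not Waitress's own parser: a proxy that applies checks like
these rejects the ambiguous messages on which a front end and a back end
could otherwise disagree about where one request ends and the next begins.
Assumption: each buffer holds exactly one request (no pipelining).
"""
import re

CRLF = b"\r\n"
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")       # RFC 7230 token
_DIGITS = re.compile(rb"^[0-9]+$")                             # Content-Length value
_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+(;.*)?$")             # chunk-size [ext]


def split_head(raw: bytes):
    """Split a raw request into (request-line, [(name, value), ...], body).

    Raises ValueError for anything not strictly CRLF-delimited: bare LF line
    endings and obsolete line folding are two ways parsers can disagree on
    where a header line, and therefore the header block, ends.
    """
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("no end of header block")
    head, body = raw[:end], raw[end + 4:]
    lines = head.split(CRLF)
    if any(b"\n" in line for line in lines):
        raise ValueError("bare LF inside header block")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not allowed")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header field: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return request_line, headers, body


def check_chunked_body(body: bytes) -> str:
    """Walk a chunked body strictly: hex chunk sizes only, CRLF after every chunk."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return "reject: truncated chunk-size line"
        size_line = body[pos:eol]
        if not _CHUNK_SIZE.match(size_line):
            # Rejects signs, whitespace, "0x" prefixes and similar forms that a
            # lenient parser might accept and thereby count the body differently.
            return "reject: invalid chunk size %r" % size_line
        size = int(size_line.split(b";", 1)[0], 16)
        pos = eol + 2
        if size == 0:
            # Last chunk. Simplification (assumption): trailer fields are not accepted.
            return "ok" if body[pos:] == CRLF else "reject: bad chunk terminator"
        if body[pos + size:pos + size + 2] != CRLF:
            return "reject: chunk data not followed by CRLF"
        pos += size + 2


def check_framing(raw: bytes) -> str:
    """Return "ok" or a "reject: ..." reason for the request's message framing."""
    try:
        _, headers, body = split_head(raw)
    except ValueError as exc:
        return "reject: %s" % exc
    lengths = [v for n, v in headers if n == b"content-length"]
    encodings = [v for n, v in headers if n == b"transfer-encoding"]
    if lengths and encodings:
        # RFC 7230 says this combination might indicate request smuggling and
        # ought to be handled as an error; silently preferring one header is
        # exactly the kind of choice on which two parsers can disagree.
        return "reject: both Content-Length and Transfer-Encoding present"
    if lengths:
        if len(set(lengths)) != 1 or not _DIGITS.match(lengths[0]):
            return "reject: conflicting or non-numeric Content-Length"
        if len(body) != int(lengths[0]):
            return "reject: body length does not match Content-Length"
        return "ok"
    if encodings:
        codings = [c.strip().lower() for v in encodings for c in v.split(b",")]
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            return "reject: chunked must be the final, single transfer coding"
        return check_chunked_body(body)
    if body:
        # With neither header the body is empty; leftover bytes are rejected here
        # because this checker assumes one request per buffer.
        return "reject: body present without a framing header"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n 5\r\nhello\r\n0\r\n\r\n",
    ]
    for s in samples:
        print(check_framing(s))
```

The useful property of a checker like this is that it never has to guess: any request that two RFC-conformant parsers could frame differently is refused outright, so the proxy and the back end can only ever see the same request boundaries.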
Created python-waitress tracking bugs for this issue: Affects: epel-all [bug 2065791] Affects: fedora-all [bug 2065790] Affects: openstack-rdo [bug 2065792]
Upstream fix: https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:1253 https://access.redhat.com/errata/RHSA-2022:1253
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:1254 https://access.redhat.com/errata/RHSA-2022:1254
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 - ELS Via RHSA-2022:1264 https://access.redhat.com/errata/RHSA-2022:1264
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24761