Debian DLA-2056-1 : waitress security update

high Nessus Plugin ID 132593

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that there was an HTTP request smuggling vulnerability in waitress, a pure-Python WSGI server.

If a proxy server is used in front of waitress, an attacker may send an invalid request that bypasses the front-end and is parsed differently by waitress, leading to a potential for request smuggling.

Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead, as it considers the Transfer-Encoding header invalid because of the invalid characters it contains. If a front-end server does HTTP pipelining to a backend Waitress server, this could lead to HTTP request splitting, which may lead to potential cache poisoning or information disclosure.
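The framing disagreement described above, as an added example that is not part of the advisory or of waitress's code. It assumes the lenient side trims header values with Python's `str.strip()` and uses a vertical tab (`\x0b`) as the "special whitespace" character; the function names and sample requests are constructed for illustration.

```python
OWS = " \t"  # RFC 7230 optional whitespace: SP and HTAB only

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: untrimmed value}. Split on CRLF only:
    str.splitlines() would also break lines on \\x0b and \\x0c."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.lower()] = value
    return headers

def backend_lenient(headers: dict) -> str:
    """Assumed lenient backend: trims the value with str.strip(), which also
    removes \\x0b, \\x0c and other characters that are not HTTP whitespace."""
    if headers.get("transfer-encoding", "").strip().lower() == "chunked":
        return "chunked"
    return "content-length" if "content-length" in headers else "none"

def frontend_view(headers: dict) -> str:
    """Front-end as the advisory describes it: a Transfer-Encoding value with
    invalid characters is ignored and Content-Length decides the framing."""
    if headers.get("transfer-encoding", "").strip(OWS).lower() == "chunked":
        return "chunked"
    return "content-length" if "content-length" in headers else "none"

def should_reject(raw: bytes) -> bool:
    """Hardened check: refuse (400) any request whose framing is ambiguous."""
    headers = parse_headers(raw)
    te = headers.get("transfer-encoding")
    if te is None:
        return False
    if te.strip(OWS).lower() != "chunked":
        return True  # malformed or unsupported transfer coding
    return "content-length" in headers  # both framing headers present

# Constructed samples; the vertical tab before "chunked" is an assumption.
SUSPECT = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
           b"Transfer-Encoding: \x0bchunked\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("clean", CLEAN)):
        h = parse_headers(req)
        print(label, backend_lenient(h), frontend_view(h), should_reject(req))
```

For the suspect request the two parsers disagree on where the body ends, which is the condition a front-end or WAF rule should refuse rather than forward.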

For Debian 8 'Jessie', this issue has been fixed in waitress version 0.8.9-2+deb8u1.

We recommend that you upgrade your waitress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2020/01/msg00002.html

https://packages.debian.org/source/jessie/waitress

Plugin Details

Severity: High

ID: 132593

File Name: debian_DLA-2056.nasl

Version: 1.3

Type: local

Agent: unix

Published: 1/2/2020

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-waitress, p-cpe:/a:debian:debian_linux:python-waitress-doc, p-cpe:/a:debian:debian_linux:python3-waitress, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 1/1/2020

Vulnerability Publication Date: 1/1/2020