waitress@0.6 vulnerabilities

Waitress WSGI server

Direct Vulnerabilities

Known vulnerabilities in the waitress package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
Severity: High
HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the front-end proxy, due to incorrect validation.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 2.1.1 or higher.

Vulnerable versions: [,2.1.1)
Severity: Low
HTTP Response Splitting

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Response Splitting. Line feed and carriage return characters are not validated in the status line or in header names (keys), which allows an HTTP response to be split.

How to fix HTTP Response Splitting?

Upgrade waitress to version 0.9.0b1 or higher.

Vulnerable versions: [,0.9.0b1)
Severity: High
HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It is possible to conduct request smuggling by sending the Content-Length header twice. Waitress would header-fold the two Content-Length headers into a single comma-separated value and, being unable to cast that value to an integer, would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would therefore treat the request as having no body, and the body of the request would be treated as a new request in HTTP pipelining. This issue is fixed in Waitress

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

Vulnerable versions: [,1.4.0)
Severity: High
HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Potential HTTP pipelining issues and request smuggling attacks might be possible due to waitress not correctly responding to HTTP requests.

Note: An incomplete fix was released in version 1.4.1.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.2 or higher.

Vulnerable versions: [,1.4.2)
Severity: High
HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If a front-end server does not parse header fields terminated with a bare LF the same way as it does those terminated with a CRLF, the front-end and the back-end server can parse the same HTTP message in two different ways. This could lead to HTTP request smuggling/splitting, whereby Waitress may see two requests while the front-end server only sees a single HTTP message.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

Vulnerable versions: [,1.4.0)
Severity: High
HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Waitress would parse the Transfer-Encoding header looking for a single string value; if that value was not chunked, it would fall through and use the Content-Length header instead. According to the HTTP standard, Transfer-Encoding is a comma-separated list with the inner-most encoding first, followed by any further transfer codings, ending with chunked. A request sent with Transfer-Encoding: gzip, chunked would therefore have its Transfer-Encoding incorrectly ignored, and the Content-Length header would be used instead to determine the body size of the HTTP message. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

Vulnerable versions: [,1.4.0)
Severity: Medium
HTTP Response Splitting

waitress is the Waitress WSGI server.

Affected versions of this package are vulnerable to HTTP response splitting attacks. It is possible to set arbitrary headers in the HTTP response by embedding a \r or \n character in the header value, and sending it to the server.

Vulnerable versions: [,0.8.11b0)
Severity: Medium
WSGI header spoofing

waitress is the Waitress WSGI server.

Affected versions of this package are vulnerable to WSGI header spoofing. A malicious user could exploit this vulnerability by using an _ character instead of a - in an HTTP header name. In the WSGI environ, the X-Auth-User and the X-Auth_User headers are both converted to HTTP_X_Auth_User, allowing the attacker to bypass the protection. This vulnerability is related to CVE-2015-0219.

Vulnerable versions: [,1.0a1)
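The request-framing and header-name checks that the smuggling and header-spoofing entries above describe (duplicate Content-Length, Transfer-Encoding as a comma-separated list ending in chunked, bare LF line endings, and _ versus - in WSGI environ keys), written here as an added defensive example in Python. This is not Waitress's own code; the parser is a minimal stand-in and the request heads used with it are constructed.

```python
import re

CRLF = "\r\n"

def parse_headers(raw: bytes) -> list:
    """Return (lowercased-name, value) pairs; refuse bare LF line endings."""
    text = raw.decode("latin-1")
    if "\n" in text.replace(CRLF, ""):  # LF not preceded by CR
        raise ValueError("bare LF in header block")
    pairs = []
    for line in filter(None, text.split(CRLF)):
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def body_framing(pairs: list) -> tuple:
    """Return ("chunked", None) or ("length", n); refuse ambiguous framing."""
    te = [v for k, v in pairs if k == "transfer-encoding"]
    cl = [v for k, v in pairs if k == "content-length"]
    if te:  # inspect the whole comma-separated list, not a single token
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if cl or codings[-1] != "chunked" or "chunked" in codings[:-1]:
            raise ValueError("ambiguous Transfer-Encoding framing")
        return ("chunked", None)
    if len(cl) > 1:  # never fold duplicates into "5, 5" and fall back to 0
        raise ValueError("duplicate Content-Length")
    if cl and not re.fullmatch(r"[0-9]+", cl[0]):
        raise ValueError("non-numeric Content-Length")
    return ("length", int(cl[0]) if cl else 0)

def wsgi_environ(pairs: list) -> dict:
    """Build HTTP_* keys; refuse names whose '_' and '-' forms would collide."""
    env = {}
    for name, value in pairs:
        if "_" in name:
            raise ValueError(f"underscore in header name: {name}")
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def is_ambiguous(raw: bytes) -> bool:
    """True when a constructed request head fails any of the checks above."""
    try:
        pairs = parse_headers(raw)
        body_framing(pairs)
        wsgi_environ(pairs)
    except ValueError:
        return True
    return False
```

A front-end proxy and back-end that both refuse these heads cannot disagree on message boundaries, which is the disagreement each smuggling entry relies on.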