| author | Bert JW Regeer <bertjw@regeer.org> | 2020-01-02 12:42:59 -0800 |
|---|---|---|
| committer | Bert JW Regeer <bertjw@regeer.org> | 2020-01-02 14:49:36 -0800 |
| commit | 3a54e2993db7182feaea4602aac7c1fa8f2ca08b (patch) | |
| tree | 0bda1cecef04d601d8c10ca03172ec50b8ac0dcd | |
| parent | 0bf98dadd8cae23830cb365cc6cb9cedd7f98db0 (diff) | |
| download | waitress-3a54e2993db7182feaea4602aac7c1fa8f2ca08b.tar.gz | |
Add CHANGES and bump version to 1.4.2
| -rw-r--r-- | CHANGES.txt | 31 |
|---|---|---|
| -rw-r--r-- | setup.py | 2 |
2 files changed, 31 insertions, 2 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 71d61bd..c64f683 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,3 +1,30 @@ +1.4.2 (2020-01-??) +------------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way + Waitress strips whitespace from header values. This makes sure Waitress won't + accidentally treat non-printable characters as whitespace and lead to a + potental HTTP request smuggling/splitting security issue. + + Thanks to ZeddYu Lu for the extra test cases. + + Please see the security advisory for more information: + https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 + + CVE-ID: CVE-2019-16789 + +Bugfixes +~~~~~~~~ + +- Updated the regex used to validate header-field content to match the errata + that was published for RFC7230. + + See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189 + + 1.4.1 (2019-12-24) ------------------ @@ -12,6 +39,8 @@ Security Fixes Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 + CVE-ID: CVE-2019-16789 + 1.4.0 (2019-12-20) ------------------ @@ -80,7 +109,7 @@ Security Fixes ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity, chunked``. - PLease see the security advisory for more information: + Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p CVE-ID: CVE-2019-16786 @@ -34,7 +34,7 @@ testing_extras = [ setup( name="waitress", - version="1.4.1", + version="1.4.2", author="Zope Foundation and Contributors", author_email="zope-dev@zope.org", maintainer="Pylons Project", |
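Review bot: the new 1.4.2 heading in the first CHANGES.txt hunk still carries the placeholder date `1.4.2 (2020-01-??)`; since the setup.py hunk already bumps `version="1.4.2"`, the release date should be filled in before this is tagged, otherwise the published changelog ships with the placeholder. The same hunk also misspells "potential" in `potental HTTP request smuggling/splitting security issue`, which is worth fixing here given that the third hunk exists precisely to correct the earlier `PLease` typo in the 1.4.0 entry.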