author | Bert JW Regeer <bertjw@regeer.org> | 2020-02-02 21:50:27 -0800 |
committer | Bert JW Regeer <bertjw@regeer.org> | 2020-02-02 21:50:27 -0800 |
commit | cbc89bf742ef7cbca17671ec9acd3898491c378f (patch) | |
tree | 979c5a512a9ab893e590290e4ca680fd0b13a4c7 | |
parent | 6e46f9e3f014d64dd7d1e258eaf626e39870ee1f (diff) | |
Prep v1.4.3v1.4.3
-rw-r--r-- | CHANGES.txt | 16 | ||||
-rw-r--r-- | setup.py | 2 |
2 files changed, 17 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 96bbb3a..701c2b0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,19 @@
+1.4.3 (2020-02-02)
+------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- In Waitress version 1.4.2 a new regular expression was added to validate the
+  headers that Waitress receives to make sure that it matches RFC7230.
+  Unfortunately the regular expression was written in a way that with invalid
+  input it leads to catastrophic backtracking which allows for a Denial of
+  Service and CPU usage going to a 100%.
+
+  This was reported by Fil Zembowicz to the Pylons Project. Please see
+  https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
+  for more information.
+
 1.4.2 (2020-01-02)
 ------------------
 
@@ -34,7 +34,7 @@ testing_extras = [
 
 setup(
     name="waitress",
-    version="1.4.2",
+    version="1.4.3",
     author="Zope Foundation and Contributors",
     author_email="zope-dev@zope.org",
     maintainer="Pylons Project", |