| field | value | date |
|---|---|---|
| author | Bert JW Regeer <bertjw@regeer.org> | 2019-12-23 14:59:02 +0100 |
| committer | Bert JW Regeer <bertjw@regeer.org> | 2019-12-23 15:09:25 +0100 |
| commit | a046a7667c8a7afa0237c668e6ff33f7c10894f7 (patch) | |
| tree | ac2425ad3e17ddb19e7d7a9fd3fb7e0e16c75314 | |
| parent | 3c58e397cc17e51e1127e971621fb617b04bd33d (diff) | |
| download | waitress-a046a7667c8a7afa0237c668e6ff33f7c10894f7.tar.gz | |
Add links to advisories for previous security issues
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | CHANGES.txt | 13 |

1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index ccc1231..779bd04 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -50,6 +50,11 @@ Security Fixes For more information I can highly recommend the blog post by ZeddYu Lu https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/ + Please see the security advisory for more information: + https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p + + CVE-ID: CVE-2019-16785 + - Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked`` requests, while the maintainer doesn't believe this could lead to a security issue, this is no longer supported and all chunks are now validated to be @@ -75,6 +80,11 @@ Security Fixes ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity, chunked``. + PLease see the security advisory for more information: + https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p + + CVE-ID: CVE-2019-16786 + - While validating the ``Transfer-Encoding`` header, Waitress now properly handles line-folded ``Transfer-Encoding`` headers or those that contain multiple comma seperated values. This closes a potential issue where a @@ -89,3 +99,6 @@ Security Fixes for a potential request to be split and treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client. + + Please see the security advisory for more information: + https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 |
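Review bot: in the first hunk (@@ -50,6 +50,11 @@) the added "Please see the security advisory for more information:" line follows the ZeddYu Lu blog URL line with no blank "+" line in between, so in reStructuredText it will be rendered as a continuation of that paragraph rather than as its own; insert a blank "+" line before it, the way the third hunk separates its advisory paragraph from the preceding text.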
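Review bot: in the second hunk (@@ -75,6 +80,11 @@) the added line reads "PLease see the security advisory for more information:" with a capitalised "L"; change it to "Please see the security advisory for more information:" to match the other two advisory paragraphs. The same hunk also places that line directly after the "``Transfer-Encoding: identity, chunked``." context line without a blank "+" line, so a blank line should be added there too to keep it a separate paragraph.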
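Review bot: the third hunk (@@ -89,3 +99,6 @@) adds the link to GHSA-4ppp-gpcr-7qf6 but, unlike the first two hunks, no "CVE-ID:" line follows it; if a CVE has been assigned for that advisory it should be listed here in the same format as CVE-2019-16785 and CVE-2019-16786, and if none has been assigned a short note saying so would make clear the omission is deliberate.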