authorBert JW Regeer <bertjw@regeer.org>2020-02-02 21:50:27 -0800
committerBert JW Regeer <bertjw@regeer.org>2020-02-02 21:50:27 -0800
commitcbc89bf742ef7cbca17671ec9acd3898491c378f (patch)
tree979c5a512a9ab893e590290e4ca680fd0b13a4c7
parent6e46f9e3f014d64dd7d1e258eaf626e39870ee1f (diff)
downloadwaitress-1.4.3.tar.gz
Prep v1.4.3v1.4.3
-rw-r--r--CHANGES.txt16
-rw-r--r--setup.py2
2 files changed, 17 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 96bbb3a..701c2b0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,19 @@
+1.4.3 (2020-02-02)
+------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- In Waitress version 1.4.2 a new regular expression was added to validate the
+ headers that Waitress receives to make sure that it matches RFC7230.
+ Unfortunately the regular expression was written in a way that with invalid
+ input it leads to catastrophic backtracking which allows for a Denial of
+ Service and CPU usage going to a 100%.
+
+ This was reported by Fil Zembowicz to the Pylons Project. Please see
+ https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
+ for more information.
+
1.4.2 (2020-01-02)
------------------
diff --git a/setup.py b/setup.py
index c32af93..44da229 100644
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@ testing_extras = [
setup(
name="waitress",
- version="1.4.2",
+ version="1.4.3",
author="Zope Foundation and Contributors",
author_email="zope-dev@zope.org",
maintainer="Pylons Project",