path: root/CHANGES.txt
author: Bert JW Regeer <bertjw@regeer.org> 2020-02-02 21:50:27 -0800
committer: Bert JW Regeer <bertjw@regeer.org> 2020-02-02 21:50:27 -0800
commit: cbc89bf742ef7cbca17671ec9acd3898491c378f (patch)
tree: 979c5a512a9ab893e590290e4ca680fd0b13a4c7 /CHANGES.txt
parent: 6e46f9e3f014d64dd7d1e258eaf626e39870ee1f (diff)
download: waitress-cbc89bf742ef7cbca17671ec9acd3898491c378f.tar.gz

Prep v1.4.3 (v1.4.3)
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 16
1 files changed, 16 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 96bbb3a..701c2b0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,19 @@
+1.4.3 (2020-02-02)
+------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- In Waitress version 1.4.2 a new regular expression was added to validate the
+ headers that Waitress receives to make sure that it matches RFC7230.
+ Unfortunately the regular expression was written in a way that with invalid
+ input it leads to catastrophic backtracking which allows for a Denial of
+ Service and CPU usage going to a 100%.
+
+ This was reported by Fil Zembowicz to the Pylons Project. Please see
+ https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
+ for more information.
+
1.4.2 (2020-01-02)
------------------
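Review bot: The new 1.4.3 entry explains the catastrophic-backtracking problem (the 1.4.2 header-validation regular expression, invalid input driving CPU to 100%) but never states what this release changes to resolve it; add a sentence after the first paragraph saying how the regular expression was corrected or replaced, so readers of CHANGES.txt can tell the remedy from the description of the bug. Two wording points in the same paragraph: "to make sure that it matches RFC7230" should read "to make sure that they match RFC 7230" (the headers are plural), and "CPU usage going to a 100%" should drop the article. The reference to the GHSA-73m2-3pwg-5fgc advisory is the right place to point for details, so keeping the changelog text short but complete is enough.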