Safety vulnerability ID: 40105
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Gunicorn 19.5.0 includes a fix for CVE-2018-1000164: Gunicorn version 19.4.5 contains a CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) vulnerability in the `process_headers` function in `gunicorn/http/wsgi.py` that can result in an attacker causing the server to return arbitrary HTTP headers.
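The class of bug described above (CWE-113), shown as an added example that is not Gunicorn's code or its actual patch: a header serializer that writes values unchecked, beside one that rejects CR/LF before anything reaches the wire. All function names and the sample input are constructed for illustration.

```python
# Added illustration of CWE-113; not Gunicorn's code. All names are hypothetical.
import re

# CR or LF inside a value lets that value end its own header line early.
_CRLF = re.compile(r"[\r\n]")
# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidHeader(ValueError):
    """Raised instead of emitting a header that would alter the response framing."""


def serialize_naive(headers):
    """The vulnerable pattern: names and values are written out unchecked."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialize_checked(headers):
    """Refuse any header whose name is not a token or whose value has CR/LF."""
    lines = []
    for name, value in headers:
        if not _TOKEN.fullmatch(name):
            raise InvalidHeader(f"invalid header name: {name!r}")
        if _CRLF.search(value):
            raise InvalidHeader(f"CR/LF in value of header {name!r}")
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines) + "\r\n"


def header_names_on_wire(raw):
    """Split a serialized header block as a client would; return field names."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if line]


# Constructed sample: an application copies request data into a Location header.
USER_SUPPLIED = "/home\r\nSet-Cookie: session=injected"
SAMPLE = [("Content-Type", "text/html"), ("Location", USER_SUPPLIED)]

if __name__ == "__main__":
    # Two headers were set by the application, but three appear on the wire.
    print(header_names_on_wire(serialize_naive(SAMPLE)))
    try:
        serialize_checked(SAMPLE)
    except InvalidHeader as exc:
        print("rejected:", exc)
```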
Latest version: 23.0.0
WSGI HTTP Server for UNIX
====================
- unblock select loop during reload of a sync worker
- security fix: http desync attack
- handle `wsgi.input_terminated`
- added support for str and bytes in unix socket addresses
- fixed `max_requests` setting
- header values are now encoded as LATIN1, not ASCII
- fixed `InotifyReloader`: handle `module.__file__` is None
- fixed compatibility with tornado 6
- fixed root logging
- Prevent removal of unix sockets from `reuse_port`
- Clear tornado ioloop before os.fork
- Miscellaneous fixes and improvements for linting using Pylint