CVE-2019-16789

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

------------------

Security Fixes
~~~~~~~~~~~~~~

- Waitress did not properly validate that the HTTP headers it received were
properly formed, thereby potentially allowing a front-end server to treat a
request different from Waitress. This could lead to HTTP request
smuggling/splitting.

Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

CVE-ID: CVE-2019-16789

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
• https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
• https://github.com/github/advisory-review/pull/14604
• https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
• https://lists.fedoraproject.org/archives/list/[email protected]/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/
• https://access.redhat.com/errata/RHSA-2020:0720
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html