Bug 1160790 - (CVE-2019-16789) VUL-0: CVE-2019-16789: python-waitress: HTTP Request Smuggling through Invalid whitespace characters
(CVE-2019-16789)
VUL-0: CVE-2019-16789: python-waitress: HTTP Request Smuggling through Invali...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/249798/
CVSSv3.1:SUSE:CVE-2019-16789:7.1:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-01-13 15:37 UTC by Alexandros Toptsoglou
Modified: 2020-12-09 16:11 UTC (History)
10 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-01-13 15:37:52 UTC
CVE-2019-16789

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. 

Upstream patch:

https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

References:

https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1789807
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16789
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16789.html
https://github.com/github/advisory-review/pull/14604
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
Comment 1 Alexandros Toptsoglou 2020-01-13 15:40:00 UTC
Tracked all cloud and ses5 codestreams as affected
Comment 11 Swamp Workflow Management 2020-07-14 16:15:57 UTC
SUSE-SU-2020:1901-1: An update that solves 23 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1068612,1092420,1107190,1108719,1123872,1126503,1141968,11483483,1148383,1153191,1156525,1159046,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161670,1164322,1167244,1168593,1169770,1170657,1171273,1171560,1171594,1171661,1171909,1172166,1172167,1172175,1172176,1172409
CVE References: CVE-2017-1000246,CVE-2019-1010083,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19911,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.4.6.0-3.9.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, crowbar-core-5.0+git.1593156248.55bbdb26d-3.41.2, crowbar-openstack-5.0+git.1593085772.64c4ab43c-4.40.2, documentation-suse-openstack-cloud-deployment-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-3.12.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-3.9.1, storm-1.1.3-3.3.1
SUSE OpenStack Cloud 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-suse-openstack-cloud-installation-8.20200527-1.26.1, documentation-suse-openstack-cloud-operations-8.20200527-1.26.1, documentation-suse-openstack-cloud-opsconsole-8.20200527-1.26.1, documentation-suse-openstack-cloud-planning-8.20200527-1.26.1, documentation-suse-openstack-cloud-security-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, documentation-suse-openstack-cloud-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1
HPE Helion Openstack 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-hpe-helion-openstack-installation-8.20200527-1.26.1, documentation-hpe-helion-openstack-operations-8.20200527-1.26.1, documentation-hpe-helion-openstack-opsconsole-8.20200527-1.26.1, documentation-hpe-helion-openstack-planning-8.20200527-1.26.1, documentation-hpe-helion-openstack-security-8.20200527-1.26.1, documentation-hpe-helion-openstack-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-dashboard-theme-HPE-8+git.1523473653.6599ec8-3.3.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-07-29 19:15:05 UTC
SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-08-07 01:13:56 UTC
SUSE-RU-2020:2161-1: An update that solves 24 vulnerabilities and has 10 fixes is now available.

Category: recommended (moderate)
Bug References: 1019111,1107190,1126503,1136928,1153191,1159046,1159447,1160151,1160152,1160153,1160192,1160790,1161088,1161089,1161670,1161919,1163446,1165022,1170657,1171070,1171071,1171072,1171273,1171594,1171909,1172166,1172167,1172409,1172522,1173413,1173416,1173418,1173420,1174006
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-19844,CVE-2019-19911,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10743,CVE-2020-10755,CVE-2020-10994,CVE-2020-11538,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5311,CVE-2020-5312,CVE-2020-5313,CVE-2020-7471,CVE-2020-8184,CVE-2020-9402
JIRA References: SOC-10029,SOC-10106,SOC-10124,SOC-10317,SOC-10357,SOC-11077,SOC-11082,SOC-11126,SOC-11176,SOC-11203,SOC-11209,SOC-11241,SOC-11243,SOC-11248,SOC-11249,SOC-11274,SOC-11279,SOC-11286,SOC-11289,SOC-11294,SOC-11297,SOC-11298,SOC-11299,SOC-11306,SOC-11314,SOC-11330,SOC-11341,SOC-11342,SOC-6780,SOC-9235,SOC-9775
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1594619891.b75a61d0d-3.25.5, crowbar-openstack-6.0+git.1591795073.49cb6400e-3.25.3, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, rubygem-activeresource-4.0.0-4.3.1, rubygem-json-1_7-1.7.7-4.3.1, rubygem-puma-2.16.0-4.9.1
SUSE OpenStack Cloud 9 (src):    ansible1-1.9.6-9.7.2, ardana-ansible-9.0+git.1591138508.e269bdb-3.22.2, ardana-cobbler-9.0+git.1588181228.bae3b1f-3.13.2, ardana-glance-9.0+git.1593631708.9354a78-3.13.2, ardana-input-model-9.0+git.1589740948.c24fc0b-3.19.2, ardana-logging-9.0+git.1591193994.d93b668-3.13.2, ardana-manila-9.0+git.1594158642.b5905e4-3.12.2, ardana-monasca-9.0+git.1589385256.7fbfaaf-3.19.2, ardana-mq-9.0+git.1593618110.cbd1a37-3.16.2, ardana-neutron-9.0+git.1590756257.e09d54f-3.22.2, ardana-octavia-9.0+git.1590079609.a2ae6ab-3.19.2, ardana-tempest-9.0+git.1593033709.9495bb2-3.16.2, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-ardana-packager-0.0.3-9.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, venv-openstack-barbican-7.0.1~dev24-3.19.3, venv-openstack-cinder-13.0.10~dev12-3.19.2, venv-openstack-designate-7.0.2~dev2-3.19.2, venv-openstack-glance-17.0.1~dev30-3.17.2, venv-openstack-heat-11.0.3~dev35-3.19.2, venv-openstack-horizon-14.1.1~dev6-4.18.3, venv-openstack-ironic-11.1.5~dev6-4.15.2, venv-openstack-keystone-14.2.1~dev4-3.19.2, venv-openstack-magnum-7.2.1~dev1-4.19.2, venv-openstack-manila-7.4.2~dev31-3.21.2, venv-openstack-monasca-2.7.1~dev10-3.17.3, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.19.2, venv-openstack-neutron-13.0.8~dev68-6.19.2, venv-openstack-nova-18.3.1~dev38-3.19.3, venv-openstack-octavia-3.2.3~dev7-4.19.2, venv-openstack-sahara-9.0.2~dev15-3.19.2, venv-openstack-swift-2.19.2~dev48-2.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Jacek Tomasiak 2020-08-18 13:27:34 UTC
Security, please review and close when appropriate
Comment 16 Wolfgang Frisch 2020-08-18 14:05:40 UTC
Fixed:
SUSE:SLE-12-SP3:Update:Products:Cloud7:Update
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update 

Missing:
SUSE:SLE-12-SP3:Update:Products:SES5:Update
SUSE:SLE-15:Update
Comment 17 Holger Sickenberg 2020-09-04 09:15:48 UTC
Adding Lenz, Nathan and Tim to check for their parts of SES5.
Comment 20 Swamp Workflow Management 2020-11-10 20:18:00 UTC
SUSE-SU-2020:3269-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160790,1161088,1161089,1161670
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise Server 15-LTSS (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python-waitress-1.4.3-3.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python-waitress-1.4.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-11-11 14:48:44 UTC
SUSE-SU-2020:3292-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160790,1161088,1161089,1161670
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
JIRA References: 
Sources used:
SUSE Enterprise Storage 5 (src):    python-waitress-1.4.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-11-14 11:18:25 UTC
openSUSE-SU-2020:1911-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160790,1161088,1161089,1161670
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-waitress-1.4.3-lp152.4.3.1
Comment 23 Swamp Workflow Management 2020-11-14 23:16:15 UTC
openSUSE-SU-2020:1922-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160790,1161088,1161089,1161670
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    python-waitress-1.4.3-lp151.3.3.1
Comment 24 Wolfgang Frisch 2020-12-09 16:11:32 UTC
Released.