Skip to content

chore(deps): update dependency waitress to v3.0.1 [security] #702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate-bot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency waitress to v3.0.1 [security] #702

renovate-bot wants to merge 1 commit into from

Conversation

@renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Oct 29, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
waitress (changelog) ==3.0.0 -> ==3.0.1 age confidence

GitHub Vulnerability Alerts

CVE-2024-49769

Impact

When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.

A remote attacker could run waitress out of available sockets with very little resources required.

Patches

Waitress 3.0.1 contains fixes that remove the race condition.

Workarounds

No work-around.

References

CVE-2024-49768

Impact

A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining.

When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection.

However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed.

Patches

Waitress 3.0.1 fixes the race condition.

Workarounds

Disable channel_request_lookahead, this is set to 0 by default disabling this feature. For this vulnerability this value is required to be changed from the default.

For more information

If you have any questions or comments about this advisory:

Thanks

  • m4yfly and urn1ce From TianGong Team of Legendsec at Qi'anxin Group.

Release Notes

Pylons/waitress (waitress)

v3.0.1

Compare Source

Backward Incompatibilities


- Python 3.8 is no longer supported.
  See https://github.com/Pylons/waitress/pull/445.

Features
~~~~~~~~

- Added support for Python 3.13.
  See https://github.com/Pylons/waitress/pull/445.

Security
~~~~~~~~

- Fix a bug that would lead to Waitress busy looping on select() on a half-open
  socket due to a race condition that existed when creating a new HTTPChannel.
  See https://github.com/Pylons/waitress/pull/435,
  https://github.com/Pylons/waitress/issues/418 and
  https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

  With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
  helping track this down.

- No longer strip the header values before passing them to the WSGI environ.
  See https://github.com/Pylons/waitress/pull/434 and
  https://github.com/Pylons/waitress/issues/432

- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
  that could lead to HTTP request smuggling.

  See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

3.0.0 (2024-02-04)
------------------

- Rename "master" git branch to "main"

- Fix a bug that would appear on macOS whereby if we accept() a socket that is
  already gone, setting socket options would fail and take down the server. See
  https://github.com/Pylons/waitress/pull/399

- Fixed testing of vendored asyncore code to not rely on particular naming for
  errno's. See https://github.com/Pylons/waitress/pull/397

- HTTP Request methods and versions are now validated to meet the HTTP
  standards thereby dropping invalid requests on the floor. See
  https://github.com/Pylons/waitress/pull/423

- No longer close the connection when sending a HEAD request response. See
  https://github.com/Pylons/waitress/pull/428

- Always attempt to send the Connection: close response header when we are
  going to close the connection to let the remote know in more instances.
  https://github.com/Pylons/waitress/pull/429

- Python 3.7 is no longer supported. Add support for Python 3.11, 3.12 and
  PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412

- Document that trusted_proxy may be set to a wildcard value to trust all
  proxies. See https://github.com/Pylons/waitress/pull/431

Updated Defaults
~~~~~~~~~~~~~~~~

- clear_untrusted_proxy_headers is set to True by default. See
  https://github.com/Pylons/waitress/pull/370

#

##

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner October 29, 2024 15:06
@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 29, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch from 8a680fc to 97d8398 Compare March 3, 2025 12:40
@cojenco cojenco mentioned this pull request Mar 3, 2025
Closed
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch from 97d8398 to 637d508 Compare March 3, 2025 23:18
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch from 637d508 to 0a388bc Compare May 28, 2025 13:27
@renovate-bot renovate-bot requested a review from a team as a code owner May 28, 2025 13:27
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch 20 times, most recently from aeee098 to 4f5685b Compare June 4, 2025 21:10
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch 3 times, most recently from 478a8b4 to d0115de Compare June 7, 2025 10:10
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch 11 times, most recently from a1e70df to ae54ccf Compare August 27, 2025 10:41
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch 2 times, most recently from 57fc21f to b6b9ae5 Compare August 28, 2025 05:06
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch 15 times, most recently from 7271505 to 7baa7cf Compare October 8, 2025 21:34
@renovate-bot renovate-bot force-pushed the renovate/pypi-waitress-vulnerability branch from 7baa7cf to e9ec63c Compare October 9, 2025 05:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kokoro:force-run Add this label to force Kokoro to re-run the tests.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@renovate-bot