Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
01-fix-sphinxdoc-conf.patch | Don't try to detect the version, don't use Pylons theme. | Andrew Shadura <andrewsh@debian.org> | no | | | |
CVE-2022-24761-1.patch | Add new regular expressions for Chunked Encoding. This also moves some regular expressions for QUOTED_PAIR/QUOTED_STRING into this module from utilities so that they may be reused. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
CVE-2022-24761-2.patch | Be more strict in parsing Content-Length. Validate that we are only parsing digits and nothing else. RFC7230 is explicit in that the Content-Length can only consist of 1*DIGIT and may not include any additional sign information. The Python int() function parses `+10` as `10` which means we were more lenient than the standard intended. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
CVE-2022-24761-3.patch | Update tests to remove invalid chunked encoding chunk-size. RFC7230 states the following: `chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF` `chunk-size = 1*HEXDIG` Where chunk-ext is: `chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )` Only if there is a chunk-ext should there be a `;` after the 1*HEXDIG. And a chunk-ext that is empty is invalid. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
CVE-2022-24761-4.patch | Error when receiving back Chunk Extension. Waitress discards chunked extensions and does no further processing on them, however it failed to validate that the chunked encoding extension did not contain invalid data. We now validate that if there are any chunked extensions that they are well-formed, if they are not and contain invalid characters, then Waitress will now correctly return a Bad Request and stop any further processing of the request. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
CVE-2022-24761-5.patch | Validate chunk size in Chunked Encoding are HEXDIG. RFC7230 states that a chunk-size should be 1*HEXDIG, this is now validated before passing the resulting string to int() which would also parse other formats for hex, such as: `0x01` as `1` and `+0x01` as `1`. This would lead to a potential for a frontend proxy server and waitress to disagree on where a chunk started and ended, thereby potentially leading to request smuggling. With the increased validation if the size is not just hex digits, Waitress now returns a Bad Request and stops processing the request. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
CVE-2022-24761-6.patch | Remove extraneous calls to .strip() in Chunked Encoding. To be valid chunked encoding we should not be removing any whitespace as the standard does not allow for optional whitespace. If whitespace is encountered in the wrong place, it should lead to a 400 Bad Request instead. Part of CVE-2022-24761 | Bert JW Regeer <bertjw@regeer.org> | no | | | 2022-03-12 |
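
The `int()` leniency that CVE-2022-24761-2.patch and CVE-2022-24761-5.patch describe, next to parsers that accept only 1*DIGIT and 1*HEXDIG, as an added example that is not Waitress's own code. The function and class names are hypothetical and the sample values are constructed.

```python
import re

# RFC 7230: Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG.
# fullmatch() is used so that a trailing newline or space cannot slip through.
ONLY_DIGIT = re.compile(rb"[0-9]+")
ONLY_HEXDIG = re.compile(rb"[0-9A-Fa-f]+")


class BadRequest(ValueError):
    """The caller should answer 400 Bad Request and stop processing."""


def lenient_int(value: bytes, base: int) -> int:
    # The behaviour the patches remove: int() accepts a sign, a 0x prefix
    # (base 16), underscores and surrounding whitespace.
    return int(value.strip(), base)


def parse_content_length(value: bytes) -> int:
    if not ONLY_DIGIT.fullmatch(value):
        raise BadRequest("Content-Length is not 1*DIGIT")
    return int(value, 10)


def parse_chunk_size(line: bytes) -> int:
    # line is the chunk header without its CRLF. Anything after the first
    # ";" is a chunk-ext, which this example does not validate.
    size, _, _ext = line.partition(b";")
    if not ONLY_HEXDIG.fullmatch(size):
        raise BadRequest("chunk-size is not 1*HEXDIG")
    return int(size, 16)


def accepted(parser, value: bytes) -> bool:
    try:
        parser(value)
        return True
    except BadRequest:
        return False


if __name__ == "__main__":
    # Constructed sample values: lenient result, then strict verdict.
    for raw in (b"10", b"+10", b" 10", b"1_0"):
        print(raw, lenient_int(raw, 10), accepted(parse_content_length, raw))
    for raw in (b"1a", b"0x01", b"+0x01", b"1a "):
        print(raw, lenient_int(raw, 16), accepted(parse_chunk_size, raw))
```

Every value the lenient parser turns into a number but the strict parser rejects is one where a frontend proxy and the backend could compute different message boundaries.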