SUSE alert SUSE-SU-2020:3292-1 (python-waitress)
| From: | sle-security-updates@lists.suse.com | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2020:3292-1: moderate: Security update for python-waitress | |
| Date: | Wed, 11 Nov 2020 15:48:39 +0100 | |
| Message-ID: | <20201111144839.57ABFFFA8@maintenance.suse.de> |
SUSE Security Update: Security update for python-waitress ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3292-1 Rating: moderate References: #1160790 #1161088 #1161089 #1161670 Cross-References: CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for python-waitress to version 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3292=1 Package List: - SUSE Enterprise Storage 5 (noarch): python-waitress-1.4.3-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-16785.html https://www.suse.com/security/cve/CVE-2019-16786.html https://www.suse.com/security/cve/CVE-2019-16789.html https://www.suse.com/security/cve/CVE-2019-16792.html https://bugzilla.suse.com/1160790 https://bugzilla.suse.com/1161088 https://bugzilla.suse.com/1161089 https://bugzilla.suse.com/1161670