Ubuntu Security Notice USN-7115-1
Ubuntu Security Notice 7115-1 - It was discovered that Waitress could process follow-up requests when receiving a specially crafted message. An attacker could use this issue to have the server process inconsistent client requests. Dylan Jay discovered that Waitress could be led to write to a nonexistent socket after closing the remote connection. An attacker could use this issue to increase resource utilization, leading to a denial of service.
==========================================================================
Ubuntu Security Notice USN-7115-1
November 19, 2024
Waitress vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Waitress.
Software Description:
- waitress: production-quality pure-Python WSGI server
Details:
It was discovered that Waitress could process follow-up requests when
receiving a specially crafted message. An attacker could use this issue to
have the server process inconsistent client requests. (CVE-2024-49768)
Dylan Jay discovered that Waitress could be led to write to a nonexistent
socket after closing the remote connection. An attacker could use this
issue to increase resource utilization, leading to a denial of service.
(CVE-2024-49769)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3-waitress 3.0.0-1ubuntu0.1
Ubuntu 24.04 LTS
python3-waitress 2.1.2-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
python3-waitress 1.4.4-1.1ubuntu1.1
Ubuntu 20.04 LTS
python3-waitress 1.4.1-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
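The following script is an added example, not part of the notice or of the Waitress project. It applies the fixed-version table above to the output of `dpkg-query -W -f '${Package} ${Version}\n' python3-waitress` and reports which of the two CVEs an unpatched host is still exposed to. Because the runner may not have `dpkg`, the Debian version comparison (`~` sorting before everything, digit runs compared numerically, epoch and revision handling) is re-implemented in pure Python rather than shelling out to `dpkg --compare-versions`. `SAMPLE_DPKG_OUTPUT` is constructed sample output for an Ubuntu 24.04 host, and the `channel_request_lookahead` parameter is an assumption: the operator supplies the value from their own server configuration, since the related advisory notes that CVE-2024-49768 only applies when that option is enabled.

```python
import re

# Fixed package versions listed in USN-7115-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "24.10": "3.0.0-1ubuntu0.1",
    "24.04": "2.1.2-2ubuntu0.1~esm1",   # Ubuntu Pro (ESM) build
    "22.04": "1.4.4-1.1ubuntu1.1",
    "20.04": "1.4.1-1ubuntu0.2",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' python3-waitress`
# on an Ubuntu 24.04 host that has not installed the update yet (not real output).
SAMPLE_DPKG_OUTPUT = "python3-waitress 2.1.2-2\n"


def _char_order(c: str) -> int:
    """Debian policy ordering for one non-digit character ('' = end of string):
    '~' sorts before everything, then end-of-string, then letters, then the rest."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision pair the way dpkg does:
    alternate non-digit runs (lexical, using the ordering above) and digit runs (numeric)."""
    while a or b:
        run_a = re.match(r"[^0-9]*", a).group(0)
        run_b = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(run_a):], b[len(run_b):]
        for i in range(max(len(run_a), len(run_b))):
            d = _char_order(run_a[i:i + 1]) - _char_order(run_b[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        num_a = re.match(r"[0-9]*", a).group(0)
        num_b = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(num_a):], b[len(num_b):]
        if int(num_a or 0) != int(num_b or 0):
            return -1 if int(num_a or 0) < int(num_b or 0) else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision'; a missing epoch is 0, a missing revision is '0'."""
    head, sep, rest = version.partition(":")
    epoch = int(head) if sep else 0
    rest = rest if sep else version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` (pure-Python re-implementation)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def parse_dpkg_query(text: str) -> dict:
    """Turn '<package> <version>' lines into a {package: version} mapping."""
    versions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            versions[parts[0]] = parts[1]
    return versions


def assess(release: str, installed: str, channel_request_lookahead: int = 0) -> dict:
    """Compare the installed python3-waitress version with the notice's fixed version.
    channel_request_lookahead is an assumed input taken from the operator's own server
    configuration; per the related advisory, CVE-2024-49768 needs it enabled (non-zero)."""
    fixed = FIXED_VERSIONS[release]
    unpatched = compare_versions(installed, fixed) < 0
    return {
        "fixed_version": fixed,
        "unpatched": unpatched,
        "CVE-2024-49768": unpatched and channel_request_lookahead > 0,
        "CVE-2024-49769": unpatched,   # no workaround: any unpatched build is exposed
    }


if __name__ == "__main__":
    installed = parse_dpkg_query(SAMPLE_DPKG_OUTPUT)["python3-waitress"]
    for key, value in assess("24.04", installed).items():
        print(f"{key}: {value}")
```

On a real host, replace `SAMPLE_DPKG_OUTPUT` with the actual `dpkg-query` output and the release key with the value from `/etc/os-release`; on Ubuntu 24.04 the fixed version is only available with Ubuntu Pro, so a host without Pro will keep reporting as unpatched until it is attached or upgraded.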
References:
https://ubuntu.com/security/notices/USN-7115-1
CVE-2024-49768, CVE-2024-49769
Package Information:
https://launchpad.net/ubuntu/+source/waitress/3.0.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/waitress/1.4.4-1.1ubuntu1.1
https://launchpad.net/ubuntu/+source/waitress/1.4.1-1ubuntu0.2
Related news
### Impact
A remote client may send a request that is exactly `recv_bytes` (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (the default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However, when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request, and queue it. This allows the secondary request to be serviced by the worker thread while the connection should be closed.
### Patches
Waitress 3.0.1 fixes the race condition.
### Workarounds
Disable `channel_request_lookahead`; it is set to `0` by default, which disables this feature. This vulnerability requires that value to have been changed from the default.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com...
### Impact
When a remote client closes the connection before waitress has had the opportunity to call `getpeername()`, waitress won't correctly clean up the connection, leading to the main thread attempting to write to a socket that no longer exists without removing it from the list of sockets to attempt to process. This leads to a busy loop calling the write function. A remote attacker could run waitress out of available sockets with very few resources required.
### Patches
Waitress 3.0.1 contains fixes that remove the race condition.
### Workarounds
No workaround.
### References
- https://github.com/Pylons/waitress/issues/418
- https://github.com/Pylons/waitress/pull/435