chore(deps): update dependency waitress to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
waitress (changelog)	==2.1.2 → ==3.0.1

---

Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion

CVE-2024-49769 / GHSA-3f84-rpwh-47g6

More information

Details

Impact

When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.

A remote attacker could run waitress out of available sockets with very little resources required.

Patches

Waitress 3.0.1 contains fixes that remove the race condition.

Workarounds

No work-around.

References

• https://github.com/Pylons/waitress/issues/418
• https://github.com/Pylons/waitress/pull/435

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
• https://github.com/Pylons/waitress/issues/418
• https://github.com/Pylons/waitress/pull/435
• https://nvd.nist.gov/vuln/detail/CVE-2024-49769
• https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c
• https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml
• https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html
• https://github.com/advisories/GHSA-3f84-rpwh-47g6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Waitress has request processing race condition in HTTP pipelining with invalid first request

CVE-2024-49768 / GHSA-9298-4cf8-g4wj

More information

Details

Impact

A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining.

When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection.

However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed.

Patches

Waitress 3.0.1 fixes the race condition.

Workarounds

Disable channel_request_lookahead, this is set to 0 by default disabling this feature. For this vulnerability this value is required to be changed from the default.

For more information

If you have any questions or comments about this advisory:

• Open an issue in https://github.com/Pylons/waitress/issues (if not sensitive or security related)
• email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)

Thanks

• m4yfly and urn1ce From TianGong Team of Legendsec at Qi'anxin Group.

Severity

• CVSS Score: 9.3 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
• https://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65
• https://nvd.nist.gov/vuln/detail/CVE-2024-49768
• https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-210.yaml
• https://github.com/advisories/GHSA-9298-4cf8-g4wj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Pylons/waitress (waitress)

v3.0.1

Compare Source

Backward Incompatibilities

- Python 3.8 is no longer supported.
  See https://github.com/Pylons/waitress/pull/445.

Features
~~~~~~~~

- Added support for Python 3.13.
  See https://github.com/Pylons/waitress/pull/445.

Security
~~~~~~~~

- Fix a bug that would lead to Waitress busy looping on select() on a half-open
  socket due to a race condition that existed when creating a new HTTPChannel.
  See https://github.com/Pylons/waitress/pull/435,
  https://github.com/Pylons/waitress/issues/418 and
  https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

  With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
  helping track this down.

- No longer strip the header values before passing them to the WSGI environ.
  See https://github.com/Pylons/waitress/pull/434 and
  https://github.com/Pylons/waitress/issues/432

- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
  that could lead to HTTP request smuggling.

  See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

3.0.0 (2024-02-04)
------------------

- Rename "master" git branch to "main"

- Fix a bug that would appear on macOS whereby if we accept() a socket that is
  already gone, setting socket options would fail and take down the server. See
  https://github.com/Pylons/waitress/pull/399

- Fixed testing of vendored asyncore code to not rely on particular naming for
  errno's. See https://github.com/Pylons/waitress/pull/397

- HTTP Request methods and versions are now validated to meet the HTTP
  standards thereby dropping invalid requests on the floor. See
  https://github.com/Pylons/waitress/pull/423

- No longer close the connection when sending a HEAD request response. See
  https://github.com/Pylons/waitress/pull/428

- Always attempt to send the Connection: close response header when we are
  going to close the connection to let the remote know in more instances.
  https://github.com/Pylons/waitress/pull/429

- Python 3.7 is no longer supported. Add support for Python 3.11, 3.12 and
  PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412

- Document that trusted_proxy may be set to a wildcard value to trust all
  proxies. See https://github.com/Pylons/waitress/pull/431

Updated Defaults
~~~~~~~~~~~~~~~~

- clear_untrusted_proxy_headers is set to True by default. See
  https://github.com/Pylons/waitress/pull/370

#

##

v3.0.0

Compare Source

3.0.0 (2024-02-04)

• Rename "master" git branch to "main"

• Fix a bug that would appear on macOS whereby if we accept() a socket that is
  already gone, setting socket options would fail and take down the server. See
  #​399

• Fixed testing of vendored asyncore code to not rely on particular naming for
  errno's. See #​397

• HTTP Request methods and versions are now validated to meet the HTTP
  standards thereby dropping invalid requests on the floor. See
  #​423

• No longer close the connection when sending a HEAD request response. See
  #​428

• Always attempt to send the Connection: close response header when we are
  going to close the connection to let the remote know in more instances.
  #​429

• Python 3.7 is no longer supported. Add support for Python 3.11, 3.12 and
  PyPy 3.9, 3.10. See #​412

• Document that trusted_proxy may be set to a wildcard value to trust all
  proxies. See #​431

Updated Defaults

• clear_untrusted_proxy_headers is set to True by default. See
  #​370

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.