openSUSE Security Update: Security update for python-waitress ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1911-1 Rating: moderate References: #1160790 #1161088 #1161089 #1161670 Cross-References: CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for python-waitress to 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1911=1 Package List: - openSUSE Leap 15.2 (noarch): python2-waitress-1.4.3-lp152.4.3.1 python3-waitress-1.4.3-lp152.4.3.1 References: https://www.suse.com/security/cve/CVE-2019-16785.html https://www.suse.com/security/cve/CVE-2019-16786.html https://www.suse.com/security/cve/CVE-2019-16789.html https://www.suse.com/security/cve/CVE-2019-16792.html https://bugzilla.suse.com/1160790 https://bugzilla.suse.com/1161088 https://bugzilla.suse.com/1161089 https://bugzilla.suse.com/1161670