#1086467 waitress: CVE-2024-49768: Request processing race condition in HTTP pipelining with invalid first request
- Package:
- src:waitress
- Source:
- src:waitress
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-08-22 15:35:04 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for waitress.

CVE-2024-49768[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. A remote client may send a request that is exactly recv_bytes
| (defaults to 8192) long, followed by a secondary request using HTTP
| pipelining. When request lookahead is disabled (default) we won't
| read any more requests, and when the first request fails due to a
| parsing error, we simply close the connection. However when request
| lookahead is enabled, it is possible to process and receive the
| first request, start sending the error message back to the client
| while we read the next request and queue it. This will allow the
| secondary request to be serviced by the worker thread while the
| connection should be closed. Waitress 3.0.1 fixes the race
| condition. As a workaround, disable channel_request_lookahead, this
| is set to 0 by default disabling this feature.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49768
    https://www.cve.org/CVERecord?id=CVE-2024-49768
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

Regards,
Salvatore
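The advisory above gives a simple exposure rule: the race only exists when channel_request_lookahead is greater than 0 (the default is 0), and upstream 3.0.1 fixes it. The following audit helper is an added example, not waitress or Debian code; it assumes a PasteDeploy-style ini with a `[server:main]` section, which is how waitress is commonly configured, and compares the upstream version number against 3.0.1.

```python
# Added example (not waitress or Debian code): decide whether a waitress
# deployment is exposed to CVE-2024-49768 from the two facts in the advisory:
# the race needs channel_request_lookahead > 0, and upstream 3.0.1 fixes it.
import configparser
import re

FIXED_UPSTREAM = (3, 0, 1)  # first upstream release with the fix


def upstream_version(version: str) -> tuple:
    """Numeric upstream part of a version string, ignoring a Debian revision
    such as '-2+deb12u1'. A distro backport keeps the old upstream number,
    so a patched Debian package still looks 'old' here (see note below)."""
    upstream = version.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream)[:3])


def lookahead_setting(ini_text: str) -> int:
    """channel_request_lookahead from [server:main]; waitress defaults to 0."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("server:main"):
        return 0
    return cp.getint("server:main", "channel_request_lookahead", fallback=0)


def assess(version: str, ini_text: str) -> dict:
    """Return exposure status plus the action the advisory recommends."""
    lookahead = lookahead_setting(ini_text)
    if upstream_version(version) >= FIXED_UPSTREAM:
        return {"exposed": False, "action": "none: upstream fix present"}
    if lookahead == 0:
        return {"exposed": False,
                "action": "upgrade to 3.0.1; lookahead already disabled"}
    return {"exposed": True,
            "action": "set channel_request_lookahead = 0 or upgrade to 3.0.1"}


# Constructed sample config: lookahead enabled, the vulnerable combination.
SAMPLE_INI = """
[server:main]
use = egg:waitress#main
listen = 127.0.0.1:8080
channel_request_lookahead = 5
"""

if __name__ == "__main__":
    print(assess("3.0.0", SAMPLE_INI))
    print(assess("3.0.1", SAMPLE_INI))
```

On Debian the bookworm package 2.1.2-2+deb12u1 carries the backported fix while keeping the 2.1.2 upstream number, so for distro packages trust the changelog entries below rather than this version comparison.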
Hello,

Bug #1086467 in waitress reported by you has been fixed in the Git repository
and is awaiting an upload. You can see the commit message below and you can
check the diff of the fix at:

https://salsa.debian.org/python-team/packages/waitress/-/commit/14a0d1cb2ce5faeed0c6ab2ed66f2166267944f7

------------------------------------------------------------------------
Update upstream source from tag 'upstream/3.0.1'

Update to upstream version '3.0.1'
with Debian dir 325de64d7ca048909e162a3a6b031708f35475fe

Closes: #1086467, #1086468
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1086467
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 30 Oct 2024 23:22:09 +0000
Source: waitress
Architecture: source
Version: 3.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1086467 1086468
Changes:
waitress (3.0.1-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-49768: Fix a race condition in Waitress when
`channel_request_lookahead` is enabled that could lead to HTTP request
smuggling (closes: #1086467).
- CVE-2024-49769: Fix a bug that would lead to Waitress busy looping on
select() on a half-open socket due to a race condition that existed
when creating a new HTTPChannel (closes: #1086468).
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 20 Aug 2025 18:31:13 +0300
Source: waitress
Architecture: source
Version: 2.1.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1086467 1086468
Changes:
waitress (2.1.2-2+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2024-49768: race condition in HTTP pipelining
(Closes: #1086467)
* CVE-2024-49769: DoS due to resource exhaustion
(Closes: #1086468)