- Package: src:waitress
- Source: src:waitress
- Submitter: Salvatore Bonaccorso
- Date: 2025-08-22 15:35:04 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for waitress.

CVE-2024-49769[0]:
| Waitress is a Web Server Gateway Interface server for Python 2 and
| 3. When a remote client closes the connection before waitress has
| had the opportunity to call getpeername() waitress won't correctly
| clean up the connection leading to the main thread attempting to
| write to a socket that no longer exists, but not removing it from
| the list of sockets to attempt to process. This leads to a busy-loop
| calling the write function. A remote attacker could run waitress out
| of available sockets with very little resources required. Waitress
| 3.0.1 contains fixes that remove the race condition.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49769
    https://www.cve.org/CVERecord?id=CVE-2024-49769
[1] https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
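The race described in the CVE text above, as an added illustration that is not waitress's own code: a constructed stub socket whose peer hung up before getpeername() ran is registered first the way the advisory describes (kept in the polled socket map with no address) and then with the check a defender wants (closed at once and never registered). The stub class, the map layout and both function names are assumptions made for this example.

```python
import errno


class StubSocket:
    """Constructed stand-in for an accepted socket; peer=None models a client
    that hung up before the server got around to calling getpeername()."""

    def __init__(self, fd=42, peer=None):
        self.fd = fd
        self.peer = peer
        self.closed = False

    def fileno(self):
        return self.fd

    def getpeername(self):
        if self.peer is None:
            # The kernel reports a socket that lost its peer as ENOTCONN.
            raise OSError(errno.ENOTCONN, "Transport endpoint is not connected")
        return self.peer

    def close(self):
        self.closed = True


def register_unchecked(sock, socket_map):
    """Pattern the advisory describes: the failed lookup is tolerated and the
    peerless socket still enters the map that select() polls, so the main
    loop revisits it on every pass and its descriptor is never released."""
    try:
        addr = sock.getpeername()
    except OSError as err:
        if err.args[0] not in (errno.ENOTCONN, errno.EINVAL):
            raise
        addr = None
    socket_map[sock.fileno()] = (sock, addr)
    return addr


def register_checked(sock, socket_map):
    """Hardened variant: a socket with no peer is closed at once and never
    registered, so it can neither spin the loop nor hold a descriptor."""
    try:
        addr = sock.getpeername()
    except OSError as err:
        if err.args[0] in (errno.ENOTCONN, errno.EINVAL):
            sock.close()
            return None
        raise
    socket_map[sock.fileno()] = (sock, addr)
    return addr
```

Any entry left in the map with a None address is exactly the kind of channel the main loop would keep polling without ever being able to serve or release.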
Hello,

Bug #1086468 in waitress reported by you has been fixed in the Git
repository and is awaiting an upload. You can see the commit message
below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/waitress/-/commit/14a0d1cb2ce5faeed0c6ab2ed66f2166267944f7

------------------------------------------------------------------------
Update upstream source from tag 'upstream/3.0.1'

Update to upstream version '3.0.1'
with Debian dir 325de64d7ca048909e162a3a6b031708f35475fe

Closes: #1086467, #1086468
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1086468
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 30 Oct 2024 23:22:09 +0000
Source: waitress
Architecture: source
Version: 3.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1086467 1086468
Changes:
waitress (3.0.1-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-49768: Fix a race condition in Waitress when
`channel_request_lookahead` is enabled that could lead to HTTP request
smuggling (closes: #1086467).
- CVE-2024-49769: Fix a bug that would lead to Waitress busy looping on
select() on a half-open socket due to a race condition that existed
when creating a new HTTPChannel (closes: #1086468).
We believe that the bug you reported is fixed in the latest version of
waitress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated waitress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 20 Aug 2025 18:31:13 +0300
Source: waitress
Architecture: source
Version: 2.1.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1086467 1086468
Changes:
waitress (2.1.2-2+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2024-49768: race condition in HTTP pipelining
(Closes: #1086467)
* CVE-2024-49769: DoS due to resource exhaustion
(Closes: #1086468)