An update for python-waitress is now available for openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2376 Final 1.0 1.0 2024-11-08 Initial 2024-11-08 2024-11-08 openEuler SA Tool V1.0 2024-11-08 python-waitress security update An update for python-waitress is now available for openEuler-22.03-LTS-SP1 Waitress is meant to be a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. It runs on CPython on Unix and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1. Security Fix(es): (CVE-2024-49769) An update for python-waitress is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.09. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-waitress https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2376 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-49769 https://nvd.nist.gov/vuln/detail/CVE-2024-49769 openEuler-22.03-LTS-SP1 python3-waitress-2.0.0-5.oe2203sp1.noarch.rpm python-waitress-2.0.0-5.oe2203sp1.src.rpm Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition. 2024-11-08 CVE-2024-49769 openEuler-22.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-waitress security update 2024-11-08 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2376