waitress Documentation v2.1.2
HSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 115 pages | 272.79 KB | 1 year ago | 3
waitress Documentation v1.4.0
zeddyu.info/2019/12/08/HTTP-Smuggling-en/ - Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. - Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 48 pages | 54.34 KB | 1 year ago | 3
waitress Documentation v2.1.1
SA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 - Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. - Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 53 pages | 58.27 KB | 1 year ago | 3
waitress Documentation v2.1.0
SA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 - Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. - Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 52 pages | 57.95 KB | 1 year ago | 3
waitress Documentation v1.4.3
HSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 103 pages | 259.25 KB | 1 year ago | 3
waitress Documentation v2.1.1
HSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 113 pages | 270.88 KB | 1 year ago | 3
waitress Documentation v3.0.1
SA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 - Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. - Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 credits | 55 pages | 56.36 KB | 1 year ago | 3
waitress Documentation v3.0.1
SA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating as
0 credits | 119 pages | 339.46 KB | 1 year ago | 3
waitress Documentation v1.3.1
https://github.com/Pylons/waitress/pull/187 ### 9.2 Bugfixes • Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, 204, or 304 responses, and will completely ignore any message body as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 • When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value request is a non-chunked request with an accurate content-length. • Cope with the fact that the Transfer-Encoding value is case-insensitive. • When the --unix-socket-perms option was used as an argument to
0 credits | 95 pages | 249.32 KB | 1 year ago | 3
waitress Documentation v1.1.0
as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 - When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value request is a non-chunked request with an accurate content-length. • Cope with the fact that the Transfer-Encoding value is case-insensitive. - When the --unix-socket-perm option was used as an argument to console by default). - Disallow WSGI applications to set “hop-by-hop” headers (Connection, Transfer-Encoding, etc). • Don’t treat 304 status responses specially in HTTP/1.1 mode. • Remove out of date
0 credits | 36 pages | 41.63 KB | 1 year ago | 3













