chore(deps): update dependency waitress to v3.0.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
waitress (changelog)	==3.0.0 -> ==3.0.1

GitHub Vulnerability Alerts

CVE-2024-49769

Impact

When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.

A remote attacker could run waitress out of available sockets with very little resources required.

Patches

Waitress 3.0.1 contains fixes that remove the race condition.

Workarounds

No work-around.

References

• https://github.com/Pylons/waitress/issues/418
• https://github.com/Pylons/waitress/pull/435

CVE-2024-49768

Impact

A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining.

When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection.

However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed.

Patches

Waitress 3.0.1 fixes the race condition.

Workarounds

Disable channel_request_lookahead, this is set to 0 by default disabling this feature. For this vulnerability this value is required to be changed from the default.

For more information

If you have any questions or comments about this advisory:

• Open an issue in https://github.com/Pylons/waitress/issues (if not sensitive or security related)
• email the Pylons Security mailing list: [email protected] (if security related)

Thanks

• m4yfly and urn1ce From TianGong Team of Legendsec at Qi'anxin Group.

---

Release Notes

Pylons/waitress (waitress)

v3.0.1

Compare Source

Security

- Fix a bug that would lead to Waitress busy looping on select() on a half-open
  socket due to a race condition that existed when creating a new HTTPChannel.
  See https://github.com/Pylons/waitress/pull/435,
  https://github.com/Pylons/waitress/issues/418 and
  https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6

  With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
  helping track this down.

- No longer strip the header values before passing them to the WSGI environ.
  See https://github.com/Pylons/waitress/pull/434 and
  https://github.com/Pylons/waitress/issues/432

- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
  that could lead to HTTP request smuggling.

  See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.