Change log for waitress package in Debian

Published in sid-release
waitress (3.0.0-1) unstable; urgency=medium

  * Team upload.
  * d/watch: Add compression=gz
  * New upstream version 3.0.0
  * Rebuild patch queue from patch-queue branch
    Adjusted patch:
    docs-Don-t-try-to-detect-the-version-don-t-use-Pylons-the.patch
  * d/control: Bump Standards-Version to 4.7.0
    No further changes needed.
  * d/rules: Add target override_dh_clean
  * d/{control,rules}: Move over to use dh-sequence-sphinxdoc
  * d/control: Update binary package long description
  * d/u/metadata: Add FAQ and Security-Contact fields

 -- Carsten Schoenert <email address hidden>  Fri, 10 May 2024 17:50:49 +0200

Published in bookworm-release
Superseded in sid-release
waitress (2.1.2-2) unstable; urgency=medium

  * Team Upload.
  * autopkgtest: Update control file for successful testing

 -- Carsten Schoenert <email address hidden>  Mon, 14 Nov 2022 17:15:51 +0100
Superseded in sid-release
waitress (2.1.2-1) unstable; urgency=medium

  * Team Upload.
  * d/gbp.conf: Add a basic default configuration
  * d/README.source: Add basic information about package
  * d/README.Debian: Drop that file
  * d/watch: Update watch mode to look out git tags
  * New upstream version 2.1.2
    Resolves CVE-2022-31015 (Closes: #1012315)
  * Rebuild patch queue from patch-queue branch
    Added patch:
    docs-Use-internal-ressources-for-intersphinx.patch
    Renamed patch:
    01-fix-sphinxdoc-conf.patch
    -> docs-Don-t-try-to-detect-the-version-don-t-use-Pylons-the.patch
  * d/control: Remove Built-Using ${sphinxdoc:Built-Using}
    The -doc package isn't of type arch all.
  * d/control: Add python3-doc to Build-Depends
    That is used for intersphinx integration in the -doc package.
  * d/{control,rules}: Move over to dh-sequence-python3
  * documentation: Build HTML documentation by dh_sphinxdoc
  * autopkgtest: Small adjustment to testing call

 -- Carsten Schoenert <email address hidden>  Sat, 12 Nov 2022 21:14:43 +0100
Superseded in sid-release
waitress (2.1.1-3) unstable; urgency=medium

  * Team Upload.
  * Remove space in DH_OPTIONS causing FTBFS (Closes: #1020065)
  * Bump Standards-Version to 4.6.1 (no changes needed)
  * Fix globbing pattern
  * Remove public-domain license for debian/*

 -- Nilesh Patra <email address hidden>  Sat, 01 Oct 2022 14:58:24 +0530
Published in buster-release
waitress (1.2.0~b2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Security updates to fix request smuggling bugs, when combined with another
    http proxy that interprets requests differently. This can lead to a
    potential for HTTP request smuggling/splitting whereby Waitress may see
    two requests while the front-end server only sees a single HTTP message.
    This can result in cache poisoning or unexpected information disclosure.
    The specific issues resolved are:
    - CVE-2019-16785: Only recognise CRLF as a line-terminator, not a plain
      LF. Before this change waitress could see two requests where the
      front-end proxy only saw one.
    - CVE-2019-16786: Waitress would parse the Transfer-Encoding header and
      only look for a single string value, if that value was not "chunked" it
      would fall through and use the Content-Length header instead.
      This could allow for Waitress to treat a single request as multiple
      requests in the case of HTTP pipelining.
    - CVE-2019-16789: Specially crafted requests containing special whitespace
      characters in the Transfer-Encoding header would get parsed by Waitress
      as being a chunked request, but a front-end server would use the
      Content-Length instead as the Transfer-Encoding header is considered
      invalid due to containing invalid characters.
      If a front-end server does HTTP pipelining to a backend Waitress server
      this could lead to HTTP request splitting which may lead to potential
      cache poisoning or unexpected information disclosure.
    - CVE-2019-16792: If two Content-Length headers are sent in a single
      request, Waitress would treat the request as having no body, thereby
      treating the body of the request as a new request in HTTP pipelining.
    - CVE-2022-24761: There are two classes of vulnerability that may lead to
      request smuggling that are addressed by this advisory:
      + The use of Python's int() to parse strings into integers, leading to
        +10 to be parsed as 10, or 0x01 to be parsed as 1, whereas the
        standard specifies that the string should contain only digits or hex
        digits.
      + Waitress does not support chunk extensions, however it was discarding
        them without validating that they did not contain illegal characters.
      (Closes: #1008013)

 -- Stefano Rivera <email address hidden>  Wed, 11 May 2022 22:42:07 -0400
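
Added example, not part of the Debian changelog or of Waitress itself: a strict Python framing check covering the parser leniencies the buster-security entry above lists (bare LF, duplicate Content-Length, lenient int() parsing, unvalidated chunk extensions, Transfer-Encoding fall-through). All function names are hypothetical, and the grammar rules are taken from RFC 7230.

```python
import re

# Added example, not Waitress code; every name below is hypothetical.
DIGITS = re.compile(r"[0-9]+")        # Content-Length = 1*DIGIT (RFC 7230)
HEXDIG = re.compile(r"[0-9A-Fa-f]+")  # chunk-size = 1*HEXDIG (RFC 7230)
OWS = " \t"                           # the only whitespace HTTP lets us trim

class FramingError(ValueError):
    """Ambiguous framing: answer 400 and close the connection."""

def check_line_endings(head: bytes) -> None:
    # CVE-2019-16785: only CRLF ends a line; a bare LF is an error.
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF in header block")

def content_length(values):
    # CVE-2019-16792: two Content-Length headers are ambiguous.
    if len(values) != 1:
        raise FramingError("expected exactly one Content-Length")
    value = values[0].strip(OWS)
    # CVE-2022-24761: int() also accepts "+10" and "1_0"; demand digits only.
    if not DIGITS.fullmatch(value):
        raise FramingError("Content-Length is not 1*DIGIT")
    return int(value)

def chunk_size(line: bytes) -> int:
    # `line` is one chunk header without its CRLF.
    size, _, ext = line.decode("latin-1").partition(";")
    # CVE-2022-24761: int(x, 16) also accepts "0x01"; demand hex digits only.
    if not HEXDIG.fullmatch(size):
        raise FramingError("chunk size is not 1*HEXDIG")
    # Extensions are discarded, but only after rejecting control characters.
    if any((ch < " " and ch != "\t") or ch == "\x7f" for ch in ext):
        raise FramingError("control character in chunk extension")
    return int(size, 16)

def body_framing(headers):
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if te:
        # CVE-2019-16786/16789: check every coding, trim SP/HTAB only
        # (str.strip() would also drop \x0b and \x0c), never fall back to CL.
        codings = [c.strip(OWS).lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise FramingError("unsupported Transfer-Encoding")
        return ("chunked", None)
    return ("length", content_length(cl)) if cl else ("none", 0)
```
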
Published in bullseye-release
waitress (1.4.4-1.1+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Security update, resolving a request smuggling vulnerability:
    When using previous Waitress versions behind a proxy that does not
    properly validate the incoming HTTP request matches the RFC7230 standard,
    Waitress and the frontend proxy may disagree on where one request starts
    and where it ends. This would allow requests to be smuggled via the
    front-end proxy to waitress and later behavior.
    CVE-2022-24761 (Closes: #1008013)

 -- Stefano Rivera <email address hidden>  Tue, 10 May 2022 17:14:39 -0400
Superseded in sid-release
waitress (2.1.1-2) unstable; urgency=medium

  * Team upload.
  * Build-Depend and autopkgtest Depend on netbase, for services resolution in
    tests.

 -- Stefano Rivera <email address hidden>  Tue, 10 May 2022 08:31:41 -0400
Superseded in sid-release
waitress (2.1.1-1) unstable; urgency=medium

  [ Stefano Rivera ]
  * Team upload.
  * New upstream release.
    - Resolves CVE-2022-24761 (Closes: #1008013)
  * Build with pybuild's pyproject plugin.
  * Run test suite at build time.
  * Run test suite in autopkgtests.
  * Bump Standards-Version to 4.6.0, no changes needed.
  * Bump watch file version to 4.
  * Update 01-fix-sphinxdoc-conf.patch to determine the upstream version from
    the Debian changelog.
  * Revert the -D html_last_updated_fmt approach to get sphinx to produce
    reproducible docs, it supports SOURCE_DATE_EPOCH, these days.

  [ Debian Janitor ]
  * Bump debhelper from old 12 to 13.
  * Update standards version to 4.5.1, no changes needed.
  * Remove constraints unnecessary since buster:
    + Build-Depends: Drop versioned constraint on python3-all and
      python3-setuptools.

 -- Stefano Rivera <email address hidden>  Mon, 09 May 2022 20:51:31 -0400
Superseded in bullseye-release
Superseded in sid-release
waitress (1.4.4-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix cleanup of the waitress-serve alternative.  (Closes: #984630)

 -- Andreas Beckmann <email address hidden>  Tue, 20 Apr 2021 20:58:53 +0200

Superseded in sid-release
waitress (1.4.4-1) unstable; urgency=medium

  [ Andrej Shadura ]
  * New upstream release.

  [ Michael Fladischer ]
  * Provide virtual package httpd-wsgi3.

  [ Debian Janitor ]
  * Replace spaces in short license names with dashes.
  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
    Repository-Browse.
  * Update standards version to 4.5.0, no changes needed.
  * Apply multi-arch hints.
    + python-waitress-doc: Add Multi-Arch: foreign.

  [ Ondřej Nový ]
  * d/control: Update Maintainer field with new Debian Python Team
    contact address.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
    layout.

 -- Andrej Shadura <email address hidden>  Sat, 09 Jan 2021 10:16:20 +0100

Superseded in sid-release
waitress (1.4.1-1) unstable; urgency=medium

  * New upstream release.
    - Closes: #947306:
      CVE-2019-16785: potential HTTP request smuggling/splitting
      due to differences in endline parsing.
      CVE-2019-16786: incorrect treatment of single requests as
      multiple requests in the case of HTTP pipelining due to
      the incorrect parsing of Transfer-Encoding ignoring all but
      the first comma-separated header value.
    - Closes: #947433:
      CVE-2019-16789: potential HTTP request splitting leading
      to potential cache poisoning or unexpected information
      disclosure due to incorrect parsing of special whitespace
      characters in the Transfer-Encoding header.
  * Refresh the documentation configuration patch.
  * Set Rules-Requires-Root: no
  * Bump Standards-Version to 4.4.1, no changes.
  * Replace dh_auto_install override with --shebang.
  * Update debian/copyright.
  * Use ${sphinxdoc:Built-Using}.

 -- Andrej Shadura <email address hidden>  Wed, 01 Jan 2020 14:04:40 +0100

Superseded in sid-release
waitress (1.3.1-4) unstable; urgency=medium

  * Revert the documentation package rename.
  * Revert the reversion of the Python 3 removal.
  * Remove alternatives on preinst.
  * Install waitress-serve into /usr/bin directly.

 -- Andrej Shadura <email address hidden>  Thu, 12 Sep 2019 21:38:15 +0200

Superseded in sid-release
waitress (1.3.1-3) unstable; urgency=medium

  * Revert the Python 3 removal.
  * Try to remove alternatives, don’t fail if we can’t.

 -- Andrej Shadura <email address hidden>  Thu, 12 Sep 2019 21:07:45 +0200
Superseded in buster-release
Superseded in sid-release
waitress (1.2.0~b2-2) unstable; urgency=medium

  * Unbreak docco build (Closes: #918669).

 -- Andrej Shadura <email address hidden>  Tue, 08 Jan 2019 15:54:08 +0100
Superseded in sid-release
waitress (1.2.0~b2-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field.
  * d/control: Add Vcs-* field.

  [ Andrej Shadura ]
  * New upstream release.

 -- Andrej Shadura <email address hidden>  Mon, 07 Jan 2019 18:26:54 +0100
Superseded in buster-release
Superseded in sid-release
waitress (1.1.0-1) unstable; urgency=medium

  * New upstream release.
  * Enable autopkgtests.
  * Add Vcs-*.

 -- Andrej Shadura <email address hidden>  Sun, 13 May 2018 10:12:31 +0200

Superseded in buster-release
Published in stretch-release
Superseded in sid-release
waitress (1.0.1-1) unstable; urgency=medium

  * New upstream release.
  * Update package descriptions.
  * Build-Depend on Python 2.7+/3.3+.

 -- Andrew Shadura <email address hidden>  Tue, 13 Dec 2016 14:34:36 +0100

Superseded in stretch-release
Superseded in sid-release
waitress (0.8.10-1) unstable; urgency=medium

  [ Juan Picca ]
  * Make the build reproducible (Closes: #788597).

  [ Andrew Shadura ]
  * New upstream release.

 -- Andrew Shadura <email address hidden>  Sat, 26 Dec 2015 14:44:28 +0100
Superseded in stretch-release
Published in jessie-release
Superseded in sid-release
waitress (0.8.9-2) unstable; urgency=medium


  * Fix FTBFS (Closes: #765126).

 -- Andrew Shadura <email address hidden>  Mon, 13 Oct 2014 21:56:21 +0200

Superseded in sid-release
waitress (0.8.9-1) unstable; urgency=medium


  * New upstream release.

 -- Andrew Shadura <email address hidden>  Wed, 08 Oct 2014 15:58:50 +0200
Superseded in jessie-release
Superseded in sid-release
waitress (0.8.8-3) unstable; urgency=low


  * Build against python3.4.
  * Fix shebangs in waitress-serve scripts.

 -- Andrew Shadura <email address hidden>  Thu, 24 Apr 2014 08:12:29 +0200
Superseded in jessie-release
Superseded in sid-release
waitress (0.8.8-1) unstable; urgency=low


  * New upstream release.

 -- Andrew Shadura <email address hidden>  Sat, 14 Dec 2013 20:55:11 +0100
Superseded in sid-release
waitress (0.8.7-3) unstable; urgency=low


  * Switch to using dh-python instead of versioned depends
    on python3 (Closes: #731532).

 -- Andrew Shadura <email address hidden>  Sat, 14 Dec 2013 17:53:03 +0100
Superseded in jessie-release
Superseded in sid-release
waitress (0.8.7-2) unstable; urgency=low


  * Update the watch file.
  * Use alternatives to ensure co-installability of python2 and python3
    versions (Closes: #725260).

 -- Andrew Shadura <email address hidden>  Thu, 03 Oct 2013 15:44:25 +0200

Superseded in sid-release
waitress (0.8.7-1) unstable; urgency=low


  * New upstream version.

 -- Andrew Shadura <email address hidden>  Wed, 02 Oct 2013 20:49:35 +0200
Superseded in jessie-release
Superseded in sid-release
waitress (0.8.1-2) unstable; urgency=low


  * Upload to unstable.
  * Remove erroneous patch.

 -- Andrew Shadura <email address hidden>  Sat, 13 Apr 2013 15:25:34 +0200
Superseded in jessie-release
Superseded in sid-release
waitress (0.8.1-1~python2) unstable; urgency=low


  * Initial release (Python2-only build).

 -- Andrew Shadura <email address hidden>  Thu, 09 May 2013 15:36:13 +0200
Deleted in experimental-release (Reason: None provided.)
waitress (0.8.1-1) experimental; urgency=low


  * Initial release.

 -- Andrew Shadura <email address hidden>  Thu, 21 Mar 2013 21:02:04 +0100