-------------------------------------------------------------------------
Debian LTS Advisory DLA-3851-1                          [email protected]
https://www.debian.org/lts/security/                       Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gunicorn
Version        : 19.9.0-1+deb10u1
CVE ID         : CVE-2024-1135
Debian Bug     : 1069126

Gunicorn, an event-based HTTP/WSGI server, fails to properly validate
Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS)
vulnerabilities. By crafting requests with conflicting Transfer-Encoding
headers, attackers can bypass security restrictions and access restricted
endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding
headers: it incorrectly processes requests with multiple, conflicting
Transfer-Encoding headers, treating them as chunked regardless of the
final encoding specified. This vulnerability allows for a range of attacks
including cache poisoning, session manipulation, and data exposure.

For Debian 10 buster, this problem has been fixed in version
19.9.0-1+deb10u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gunicorn

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
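The framing problem the advisory describes, shown as an added example. This is not gunicorn's code and does not reproduce the Debian patch; the header parser, the function names (framing_lenient, framing_strict, describe) and the sample header blocks are constructed for illustration. framing_lenient models the behaviour described above (any "chunked" in any Transfer-Encoding header wins); framing_strict applies the RFC 7230 section 3.3.3 rule that the request is unparseable, and must be rejected, when chunked is not the final coding or when Transfer-Encoding and Content-Length are both present. A front end that honours Content-Length or the final coding will disagree with the lenient back end about where the request ends, which is the desync that request smuggling exploits.

```python
"""Request-body framing with conflicting Transfer-Encoding headers.

Added example for this advisory; it is not gunicorn's code and does not
reproduce its fix.  Function names, the header parser and the sample
header blocks are constructed for illustration.
"""
from typing import List, Tuple, Union

Headers = List[Tuple[str, str]]
Framing = Union[str, Tuple[str, int]]


class InvalidFraming(Exception):
    """Body length cannot be determined unambiguously (answer 400, close)."""


def parse_headers(raw: bytes) -> Headers:
    """Split a raw header block (request line omitted) into lower-cased (name, value) pairs."""
    headers: Headers = []
    for line in raw.split(b"\r\n"):
        if not line.strip():
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def transfer_codings(headers: Headers) -> List[str]:
    """Flatten every Transfer-Encoding field into one ordered list of codings."""
    codings: List[str] = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings.extend(c.strip().lower() for c in value.split(",") if c.strip())
    return codings


def content_lengths(headers: Headers) -> List[str]:
    """All Content-Length values, in order of appearance."""
    return [value for name, value in headers if name == "content-length"]


def framing_lenient(headers: Headers) -> Framing:
    """Behaviour described in the advisory: 'chunked' anywhere in any
    Transfer-Encoding header wins, whatever the final coding is."""
    if "chunked" in transfer_codings(headers):
        return "chunked"
    lengths = content_lengths(headers)
    return ("content-length", int(lengths[0]) if lengths else 0)


def framing_strict(headers: Headers) -> Framing:
    """RFC 7230 section 3.3.3: Transfer-Encoding overrides Content-Length, but
    both together, a non-final 'chunked', a repeated or an unsupported coding
    leave the length ambiguous, so the request is rejected."""
    codings = transfer_codings(headers)
    lengths = content_lengths(headers)
    if codings:
        if lengths:
            raise InvalidFraming("Transfer-Encoding and Content-Length both present")
        if codings[-1] != "chunked":
            raise InvalidFraming("chunked is not the final transfer coding")
        if codings.count("chunked") != 1:
            raise InvalidFraming("chunked applied more than once")
        if any(c != "chunked" for c in codings):
            raise InvalidFraming("unsupported transfer coding")  # 501 in practice
        return "chunked"
    if not lengths:
        return ("content-length", 0)
    if len(set(lengths)) != 1 or not lengths[0].isdigit():
        raise InvalidFraming("conflicting or malformed Content-Length")
    return ("content-length", int(lengths[0]))


def describe(raw: bytes, strict: bool) -> str:
    """Run one framing policy over a raw header block and report the outcome."""
    policy = framing_strict if strict else framing_lenient
    try:
        result = policy(parse_headers(raw))
    except InvalidFraming as exc:
        return f"reject: {exc}"
    return result if isinstance(result, str) else f"content-length:{result[1]}"


# Constructed header blocks (request line and body omitted).
CONFLICTING = (b"Host: example\r\n"
               b"Transfer-Encoding: chunked\r\n"
               b"Transfer-Encoding: identity\r\n"
               b"Content-Length: 4\r\n")
FINAL_IDENTITY = (b"Host: example\r\n"
                  b"Transfer-Encoding: chunked\r\n"
                  b"Transfer-Encoding: identity\r\n")
CLEAN_CHUNKED = b"Host: example\r\nTransfer-Encoding: chunked\r\n"
CLEAN_LENGTH = b"Host: example\r\nContent-Length: 12\r\n"

if __name__ == "__main__":
    samples = [("conflicting", CONFLICTING), ("final-identity", FINAL_IDENTITY),
               ("chunked", CLEAN_CHUNKED), ("length", CLEAN_LENGTH)]
    for label, block in samples:
        print(f"{label:15} lenient={describe(block, False):34} strict={describe(block, True)}")
```

Run it directly to see the two policies side by side: the lenient parser reads both conflicting blocks as chunked, while the strict one rejects them and agrees with the lenient one only on the unambiguous requests.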