[SECURITY] [DLA 1357-1] gunicorn security update

2018-04-2208:57:33

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.005

Percentile

76.2%

JSON

Package : gunicorn
Version : 0.14.5-3+deb7u2
CVE ID : CVE-2018-1000164
Debian Bug : #896548

It was discovered that there was an issue in the gunicorn HTTP server for
Python applicatons where CRLF sequences could result in an attacker tricking
the server into returning arbitrary headers.

For more information and background, please see:

https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5

For Debian 7 "Wheezy", this issue has been fixed in gunicorn version
0.14.5-3+deb7u2.

We recommend that you upgrade your gunicorn packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian7allgunicorn< 0.14.5-3+deb7u2gunicorn_0.14.5-3+deb7u2_all.deb
Debian8allgunicorn< 19.0-1+deb8u1gunicorn_19.0-1+deb8u1_all.deb