CVE-2019-16785

Waitress through version 1.3.1 implemented a “MAY” part of the RFC7230
which states: “Although the line terminator for the start-line and header
fields is the sequence CRLF, a recipient MAY recognize a single LF as a
line terminator and ignore any preceding CR.” Unfortunately if a front-end
server does not parse header fields with an LF the same way as it does
those with a CRLF it can lead to the front-end and the back-end server
parsing the same HTTP message in two different ways. This can lead to a
potential for HTTP request smuggling/splitting whereby Waitress may see two
requests while the front-end server only sees a single HTTP message. This
issue is fixed in Waitress 1.4.0.

Bugs

• <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306&gt;