CVE-2024-49769
Publication date 29 October 2024
Last updated 19 November 2024
Ubuntu priority
CVSS 3 severity score: 7.5 (High)
Waitress is a Web Server Gateway Interface (WSGI) server for Python 2 and 3. If a remote client closes the connection before Waitress has had the opportunity to call getpeername(), Waitress does not clean the connection up correctly: the main thread keeps attempting to write to a socket that no longer exists, but never removes it from the list of sockets to process, so the event loop busy-loops calling the write function. Each such leaked connection also keeps a socket occupied, so a remote attacker could exhaust the server's available sockets with very few resources. Waitress 3.0.1 contains fixes that remove the race condition.
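The race described above, modelled as an added example rather than code from Waitress or Ubuntu: the socket, channel and event loop below are constructed stand-ins, `drop_unconnected` is a hypothetical switch between the flawed and the hardened behaviour, and the early return in `handle_write` is this model's rendering of "attempting to write without removing the socket", not a quotation of the Waitress source. The flawed variant shows why a handful of already-reset connections pins descriptors and spins the loop; the hardened variant unregisters the channel as soon as getpeername() fails.

```python
"""Model of the CVE-2024-49769 failure mode (added illustration, not waitress code).

An asyncore-style channel wraps a freshly accepted socket and calls getpeername()
to learn the peer address. If the client already tore the connection down, that
call fails with ENOTCONN. Leaving the channel registered while it reports itself
writable makes every pass of the event loop call its write handler, which can do
nothing useful, and the entry is never removed: a busy loop that also pins the
descriptor. The hardened variant closes and unregisters the channel instead.
"""
import errno
import itertools

_fd_counter = itertools.count(10)  # fake descriptor numbers for the socket map


class ClosedByPeerSocket:
    """Constructed stand-in for an accepted socket whose client reset the
    connection before the server looked at it."""

    def __init__(self):
        self._fd = next(_fd_counter)
        self.closed = False

    def fileno(self):
        return self._fd

    def getpeername(self):
        raise OSError(errno.ENOTCONN, "Transport endpoint is not connected")

    def close(self):
        self.closed = True


class Channel:
    """Minimal asyncore-like dispatcher. drop_unconnected=False reproduces the
    flawed behaviour; drop_unconnected=True is the hardened variant (hypothetical
    switch, present only so both paths can be compared in one model)."""

    def __init__(self, sock, sock_map, drop_unconnected):
        self.socket = sock
        self.sock_map = sock_map
        self.connected = True
        self.write_calls = 0
        # The server has a response queued, e.g. an error for a bad request.
        self.outbuf = b"HTTP/1.1 400 Bad Request\r\n\r\n"
        sock_map[sock.fileno()] = self
        try:
            self.addr = sock.getpeername()
        except OSError as exc:
            if exc.args[0] not in (errno.ENOTCONN, errno.EINVAL):
                self.handle_close()
                raise
            # Peer is gone. The flawed path only records that fact ...
            self.connected = False
            # ... the hardened path also takes the channel out of the map.
            if drop_unconnected:
                self.handle_close()

    def writable(self):
        return bool(self.outbuf)

    def handle_write(self):
        self.write_calls += 1
        if not self.connected:
            # Nothing can be sent to a peer that is gone, but returning here
            # leaves outbuf non-empty, so writable() stays True forever.
            return
        # A real channel would send() here; never reached in this model.

    def handle_close(self):
        self.sock_map.pop(self.socket.fileno(), None)
        self.socket.close()


def run_loop(sock_map, passes):
    """Drive a select()-style loop for a fixed number of passes and return the
    total number of write-handler calls it made."""
    total = 0
    for _ in range(passes):
        for channel in list(sock_map.values()):
            if channel.writable():
                channel.handle_write()
                total += 1
    return total


def simulate_attack(connections, passes, hardened):
    """Accept `connections` clients that already reset their connection, wrap
    each in a channel, spin the loop, and report (channels still registered,
    write-handler calls made)."""
    sock_map = {}
    for _ in range(connections):
        Channel(ClosedByPeerSocket(), sock_map, drop_unconnected=hardened)
    return len(sock_map), run_loop(sock_map, passes)


if __name__ == "__main__":
    print("flawed  :", simulate_attack(100, 1000, hardened=False))  # (100, 100000)
    print("hardened:", simulate_attack(100, 1000, hardened=True))   # (0, 0)
```

With the flawed path, 100 dead connections stay registered and cost 100 000 useless write-handler calls over 1 000 loop passes; with the hardened path the map is empty after construction and the loop has nothing to do. On a real deployment the practical check is simpler than the model: confirm the installed package is at or above the fixed version listed for your release in the status table below.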
Status
Package | Ubuntu Release | Status |
---|---|---|
waitress | 24.10 oracular | Fixed 3.0.0-1ubuntu0.1 |
waitress | 24.04 LTS noble | Fixed 2.1.2-2ubuntu0.1~esm1 |
waitress | 22.04 LTS jammy | Fixed 1.4.4-1.1ubuntu1.1 |
waitress | 20.04 LTS focal | Fixed 1.4.1-1ubuntu0.2 |
waitress | 18.04 LTS bionic | Ignored (fix would unavoidably negatively impact other packages) |
waitress | 16.04 LTS xenial | Ignored (fix would unavoidably negatively impact other packages) |
Notes
hlibk
On bionic and earlier, asyncore was not bundled within waitress. Fixing these versions could break other packages that rely on asyncore.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7115-1: Waitress vulnerabilities (19 November 2024)