CVE-2024-49769

Publication date 29 October 2024

Last updated 30 October 2024

Ubuntu priority

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
waitress	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-49769
https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
https://github.com/Pylons/waitress/issues/418
https://github.com/Pylons/waitress/pull/435
https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c