Description
Security update for python-gunicorn
This update for python-gunicorn fixes the following issues:
- CVE-2024-1135: Fixed HTTP Request Smuggling (bsc#1222950)
Package list
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise Module for Python 3 15 SP5
python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise Server 15 SP4-LTSS
python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
python311-gunicorn-20.1.0-150400.12.6.1
openSUSE Leap 15.5
python311-gunicorn-20.1.0-150400.12.6.1
References
- Link for SUSE-SU-2024:1440-1
- E-Mail link for SUSE-SU-2024:1440-1
- SUSE Security Ratings
- SUSE Bug 1222950
- SUSE CVE CVE-2024-1135 page
Description
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
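The failure mode described above, as an added illustrative check that is not Gunicorn's code or its actual fix: a defender-side body-framing decision for an HTTP/1.1 parser or reverse proxy that combines all Transfer-Encoding fields in order and, following RFC 7230 section 3.3.3, rejects a request unless chunked is the final coding, instead of treating any mention of chunked as chunked framing. The header representation (a list of name/value pairs) and the function names are assumptions.

```python
from typing import Iterable, List, Tuple

# Transfer codings this illustrative parser understands; anything else is rejected
# (RFC 7230 section 3.3.1 says unsupported transfer codings get a 501 response).
KNOWN_CODINGS = {"chunked", "gzip", "deflate"}


class BadRequest(ValueError):
    """Raised when the request must be rejected rather than forwarded."""


def parse_transfer_encoding(values: Iterable[str]) -> List[str]:
    """Combine repeated Transfer-Encoding fields into one ordered list of codings.

    RFC 7230 treats repeated fields as one comma-separated list; coding names
    are case-insensitive, so they are normalised to lowercase here.
    """
    codings = []
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                codings.append(token)
    return codings


def body_framing(headers: List[Tuple[str, str]]) -> str:
    """Return 'chunked', 'content-length' or 'none', or raise BadRequest.

    The advisory's bug is deciding 'chunked' whenever chunked appears anywhere.
    Here the decision depends only on the final coding, and ambiguous
    combinations are refused so a front-end proxy and this server cannot
    disagree about where the request body ends.
    """
    te_values = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl_values = [v.strip() for k, v in headers if k.lower() == "content-length"]
    codings = parse_transfer_encoding(te_values)
    if codings:
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            raise BadRequest(f"unsupported transfer coding(s): {unknown}")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise BadRequest("'chunked' must be the final and only chunked coding")
        if cl_values:
            # RFC 7230 lets TE win, but the combination is a classic smuggling
            # signal, so a hardened parser rejects it outright.
            raise BadRequest("both Transfer-Encoding and Content-Length present")
        return "chunked"
    if cl_values:
        if len(set(cl_values)) > 1 or not cl_values[0].isdigit():
            raise BadRequest("missing, conflicting or non-numeric Content-Length")
        return "content-length"
    return "none"


def is_rejected(headers: List[Tuple[str, str]]) -> bool:
    """Convenience wrapper: True if body_framing() would refuse the request."""
    try:
        body_framing(headers)
    except BadRequest:
        return True
    return False
```

The constructed case `[("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "gzip")]` is the conflicting-header shape from the advisory: the vulnerable behaviour frames it as chunked, while this check rejects it because the final coding is not chunked.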
Affected products
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise Module for Python 3 15 SP5:python311-gunicorn-20.1.0-150400.12.6.1
SUSE Linux Enterprise Server 15 SP4-LTSS:python311-gunicorn-20.1.0-150400.12.6.1
References
- CVE-2024-1135
- SUSE Bug 1222950