Waitress 1.4.2 security announcement

Please upgrade your Waitress from 1.4.2 to 1.4.3

Pylons Project released a new version of Waitress to fix a bug in the regular expression that was used to parse the HTTP headers.

The bug would allow for catastrophic backtracking which would cause the waitress process to spend 100% CPU time in attempting to match the regular expression.

As Plone 5.2.1 uses Waitress 1.4.2, it is recommended to pin it to version 1.4.3 on your buildout file

[versions]
waitress = 1.4.3
3 Likes

Is the Waitress update tested with Plone(Zope)? It should be no problem, as it is only a bugfix, is it?

Anyway, I will of course deploy it in my development and staging environment first.

Running on onkopedia.com in production since this morning.

2 Likes

Plone Foundation Code of Conduct