Waitress 1.4.2 security announcement

Please upgrade your Waitress from 1.4.2 to 1.4.3

Pylons Project released a new version of Waitress to fix a bug in the regular expression that was used to parse the HTTP headers.

The bug would allow for catastrophic backtracking which would cause the waitress process to spend 100% CPU time in attempting to match the regular expression.

As Plone 5.2.1 uses Waitress 1.4.2, it is recommended to pin it to version 1.4.3 in your buildout file:

[versions]
waitress = 1.4.3
3 Likes

Is the Waitress update tested with Plone (Zope)? It should be no problem, as it is only a bugfix, isn't it?

Anyway, I will of course deploy it in my development and staging environment first.

Running on onkopedia.com in production since this morning.

2 Likes