package/python-waitress: security bump to 3.0.2
Both 3.0.1 and 3.0.2 fix security issues.
In 3.0.1:
* Fix a bug that would lead to Waitress busy looping on select() on a
half-open socket due to a race condition that existed when creating a
new HTTPChannel. See https://github.com/Pylons/waitress/pull/435,
https://github.com/Pylons/waitress/issues/418 and
https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
* With thanks to Dylan Jay and Dieter Maurer for their extensive
debugging and helping track this down.
* No longer strip the header values before passing them to the WSGI
environ. See https://github.com/Pylons/waitress/pull/434 and
https://github.com/Pylons/waitress/issues/432
* Fix a race condition in Waitress when channel_request_lookahead is
enabled that could lead to HTTP request smuggling.
See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
In 3.0.2:
* When using Waitress to process trusted proxy headers, Waitress will
now update the headers to drop any untrusted values, thereby making sure
that WSGI apps only get trusted and validated values that Waitress
itself used to update the environ. See
https://github.com/Pylons/waitress/pull/452 and
https://github.com/Pylons/waitress/issues/451
Full Changelog:
https://docs.pylonsproject.org/projects/waitress/en/latest/#change-history
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Marcus Hoffmann