OESA-2025-1436

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1436
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1436.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1436
Upstream
Published
2025-04-18T13:49:56Z
Modified
2025-08-12T05:46:26.980870Z
Summary
python-waitress security update
Details

Waitress is meant to be a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. It runs on CPython on Unix and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1.

Security Fix(es):

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername(), waitress won't correctly clean up the connection, leading to the main thread attempting to write to a socket that no longer exists but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very few resources required. Waitress 3.0.1 contains fixes that remove the race condition. (CVE-2024-49769)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / python-waitress

Package

Name
python-waitress
Purl
pkg:rpm/openEuler/python-waitress&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.4.4-1.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "python2-waitress-1.4.4-1.oe2003sp4.noarch.rpm",
        "python3-waitress-1.4.4-1.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "python-waitress-1.4.4-1.oe2003sp4.src.rpm"
    ]
}