Security update for python-gunicorn SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2881-1 Final 1 1 2024-08-12T15:40:08Z current 2024-08-12T15:40:08Z 2024-08-12T15:40:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-gunicorn This update for python-gunicorn fixes the following issues: - CVE-2024-1135: Fixed HTTP Request Smuggling due to improperly validate Transfer-Encoding headers (bsc#1222950) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-BYOS-Azure-2024-2881,Image SLES15-SP3-HPC-BYOS-Azure-2024-2881,Image SLES15-SP3-SAP-BYOS-Azure-2024-2881,Image SLES15-SP3-SAPCAL-Azure-2024-2881,SUSE-2024-2881,SUSE-SLE-Module-Public-Cloud-15-SP2-2024-2881,SUSE-SLE-Module-Public-Cloud-15-SP3-2024-2881,SUSE-SLE-Module-Public-Cloud-15-SP4-2024-2881,SUSE-SLE-Module-Public-Cloud-15-SP5-2024-2881,SUSE-SLE-Module-Public-Cloud-15-SP6-2024-2881,openSUSE-SLE-15.5-2024-2881 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242881-1/ Link for SUSE-SU-2024:2881-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036409.html E-Mail link for SUSE-SU-2024:2881-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222950 SUSE Bug 1222950 https://www.suse.com/security/cve/CVE-2024-1135/ SUSE CVE CVE-2024-1135 page Image SLES15-SP3-BYOS-Azure Image SLES15-SP3-HPC-BYOS-Azure Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAPCAL-Azure SUSE Linux Enterprise Module for Public Cloud 15 SP2 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Public Cloud 15 SP5 SUSE Linux Enterprise Module for Public Cloud 15 SP6 openSUSE Leap 15.5 python3-gunicorn-19.7.1-150000.3.7.1 python-gunicorn-doc-19.7.1-150000.3.7.1 python3-gunicorn-19.7.1-150000.3.7.1 as a component of Image SLES15-SP3-BYOS-Azure python3-gunicorn-19.7.1-150000.3.7.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure python3-gunicorn-19.7.1-150000.3.7.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure python3-gunicorn-19.7.1-150000.3.7.1 as a component of Image SLES15-SP3-SAPCAL-Azure python3-gunicorn-19.7.1-150000.3.7.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP2 python3-gunicorn-19.7.1-150000.3.7.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP3 python3-gunicorn-19.7.1-150000.3.7.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4 python3-gunicorn-19.7.1-150000.3.7.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP5 python3-gunicorn-19.7.1-150000.3.7.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP6 python-gunicorn-doc-19.7.1-150000.3.7.1 as a component of openSUSE Leap 15.5 python3-gunicorn-19.7.1-150000.3.7.1 as a component of openSUSE Leap 15.5 Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure. CVE-2024-1135 Image SLES15-SP3-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1 Image SLES15-SP3-HPC-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1 Image SLES15-SP3-SAP-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1 Image SLES15-SP3-SAPCAL-Azure:python3-gunicorn-19.7.1-150000.3.7.1 SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-gunicorn-19.7.1-150000.3.7.1 SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-gunicorn-19.7.1-150000.3.7.1 SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-gunicorn-19.7.1-150000.3.7.1 SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-gunicorn-19.7.1-150000.3.7.1 SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-gunicorn-19.7.1-150000.3.7.1 openSUSE Leap 15.5:python-gunicorn-doc-19.7.1-150000.3.7.1 openSUSE Leap 15.5:python3-gunicorn-19.7.1-150000.3.7.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242881-1/ https://www.suse.com/security/cve/CVE-2024-1135.html CVE-2024-1135 https://bugzilla.suse.com/1222950 SUSE Bug 1222950