View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2019-16786 severity important: SUSE including 298 source package names (1.1.1.0.1.5.334:python3-waitress-1.4.3-3.3.1, 1.2.0.0.1.5.338:python3-waitress-1.4.3-3.3.1, …), 542 product×package rows across 38 product lines (Container ses/6/cephcsi/cephcsi, Container ses/6/rook/ceph, … (38 product lines)): Fixed 542.
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.