
Updated gunicorn packages have been released for Debian GNU/Linux 7 LTS



Package : gunicorn
Version : 0.14.5-3+deb7u2
CVE ID : CVE-2018-1000164
Debian Bug : #896548

It was discovered that there was an issue in the gunicorn HTTP server for
Python applications where CRLF sequences could result in an attacker tricking
the server into returning arbitrary headers.

For more information and background, please see:

https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5

For Debian 7 "Wheezy", this issue has been fixed in gunicorn version
0.14.5-3+deb7u2.

We recommend that you upgrade your gunicorn packages.
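
The class of issue described in the advisory, shown as an added example (it is not gunicorn's code or the Debian patch): a response-header serializer that copies values verbatim, next to one that rejects CR, LF and NUL before writing. All function names and the sample headers are constructed for illustration.

```python
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR, LF and NUL must never reach the wire inside a field value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class InvalidHeader(ValueError):
    """Raised when a header name or value would corrupt response framing."""


def serialize_naive(headers):
    # Weak form: values are written verbatim, so an embedded CRLF ends the
    # current header line and whatever follows is read as a new header.
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialize_checked(headers):
    # Hardened form: validate every name and value before emitting anything.
    lines = []
    for name, value in headers:
        # fullmatch avoids the "$ matches before a trailing newline" pitfall.
        if not _TOKEN.fullmatch(name):
            raise InvalidHeader(f"invalid header name: {name!r}")
        if _FORBIDDEN.search(value):
            raise InvalidHeader(f"control character in value of {name}")
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines) + "\r\n"


def header_names(raw):
    # Read a serialized header block line by line, as a client would.
    block = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]


# Constructed sample: two headers set by the application, the second built
# from untrusted input that carries a CRLF sequence.
CONSTRUCTED_HEADERS = [
    ("Content-Type", "text/plain"),
    ("X-Request-Id", "abc123\r\nX-Injected: 1"),
]

if __name__ == "__main__":
    print(header_names(serialize_naive(CONSTRUCTED_HEADERS)))
```

The naive serializer turns two application headers into three on the wire; the checked one raises `InvalidHeader` instead of sending the response.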