The fix backports have been proposed but are not yet merged on stable/victoria, stable/ussuri, and stable/train.
This issue is considered to be of "moderate" severity and is a result of a publicly reported behavior in the Python standard library [1], and the http.server documentation has a warning on it that states: "Warning: http.server is not recommended for production. It only implements basic security checks." [2]
Our dependency however, the websockify server [3], is based upon http.server and AFAIK websockify isn't characterized as only for dev or non-production use.
There is currently a pull request proposed to fix [1] and it is currently under review [4].
Based on this, I tend to think we should treat it as hardening, but of course I defer to the expert opinion of the VMT.
[1] https://bugs.python.org/issue43223
[2] https://docs.python.org/3/library/http.server.html
[3] https://github.com/novnc/websockify
[4] https://github.com/python/cpython/pull/24848