-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Architecture: source
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
     and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
       removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py.
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
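The four parsing rules named in the CVE-2022-24801 entry above (no signed Content-Length, no illegal bytes in chunk extensions, no 0x prefix on chunk sizes, strip only SP and HTAB from header values) are the kind of checks that keep a front-end proxy and a back-end server agreeing on where one request ends and the next begins. The block below is an added illustration written for this page; it is not Twisted's code or the Debian patch. It puts a lenient parser built on Python's int() (which happily accepts "+42", " 42" and "0x1a") beside a strict one, and assumes the RFC 7230 token and quoted-string grammar as the allowed alphabet for chunk extensions; the function names are the example's own.

```python
"""Strict vs lenient HTTP framing checks (added example, not Twisted's code)."""
import re

# RFC 7230 tchar: the assumed alphabet for chunk-extension names and bare values.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7230 quoted-string: SP/HTAB and printable ASCII, with backslash escapes.
_QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
# Zero or more ";name[=value]" extensions, no whitespace around ';' or '='.
_CHUNK_EXT = rb"(?:;%s(?:=(?:%s|%s))?)*" % (_TOKEN, _TOKEN, _QUOTED)
# chunk-size is bare hex digits: no sign, no "0x", no surrounding whitespace.
_CHUNK_LINE = re.compile(rb"\A([0-9A-Fa-f]+)" + _CHUNK_EXT + rb"\Z")
# Content-Length is bare decimal digits: "+5", "-5", " 5" are all rejected.
_CONTENT_LENGTH = re.compile(rb"\A[0-9]+\Z")
# Optional whitespace around a field value is only SP and HTAB (RFC 7230 OWS).
_OWS = b" \t"


def strip_header_value(value: bytes) -> bytes:
    """Remove only SP/HTAB. bytes.strip() with no argument would also eat
    \\r, \\n, \\x0b and \\x0c, so two parsers could disagree on the value."""
    return value.strip(_OWS)


def parse_content_length(value: bytes) -> int:
    """Strict Content-Length: digits only after OWS removal."""
    v = strip_header_value(value)
    if not _CONTENT_LENGTH.fullmatch(v):
        raise ValueError("invalid Content-Length: %r" % (value,))
    return int(v)


def parse_chunk_size_line(line: bytes) -> int:
    """Strict chunk-size line (without its trailing CRLF): hex digits plus
    well-formed extensions only. Returns the chunk size in bytes."""
    m = _CHUNK_LINE.match(line)
    if m is None:
        raise ValueError("invalid chunk-size line: %r" % (line,))
    return int(m.group(1), 16)


def parse_header_lines(head: bytes) -> dict:
    """Split a CRLF-delimited header block into {lowercased-name: value},
    stripping only OWS from each value. Malformed lines raise."""
    headers = {}
    for line in head.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name:
            raise ValueError("malformed header line: %r" % (line,))
        headers[name.lower()] = strip_header_value(value)
    return headers


def lenient_content_length(value: bytes) -> int:
    """The behaviour the fix rules out: int() accepts a sign and any
    surrounding ASCII whitespace, including form feed and vertical tab."""
    return int(value)


def lenient_chunk_size(line: bytes) -> int:
    """Likewise for chunk sizes: int(x, 16) accepts '0x1a', '+1a' and ' 1a '."""
    return int(line.split(b";", 1)[0], 16)


def is_rejected(parser, value: bytes) -> bool:
    """True when the parser refuses the input (used to compare both parsers)."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


# Constructed sample header block, as a proxy might forward it.
SAMPLE_HEAD = b"Host: example.invalid\r\nContent-Length: \x0c42\r\nX-Note:\tok \r\n"

if __name__ == "__main__":
    hdrs = parse_header_lines(SAMPLE_HEAD)
    print("lenient:", lenient_content_length(hdrs[b"content-length"]))
    print("strict rejects:", is_rejected(parse_content_length, hdrs[b"content-length"]))
```

The constructed sample carries a form feed before the Content-Length digits: the lenient parser reads it as 42, the strict one rejects the header outright, which is the safe answer when a peer may interpret the same bytes differently.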
Checksums-Sha1:
 56431e8271a6e27ed388e268e3a3dea4a2595359 3007 twisted_18.9.0-3+deb10u1.dsc
 9aa93aca05accd5a6d4afb6b91dc97716ddad6dc 52252 twisted_18.9.0-3+deb10u1.debian.tar.xz
 1f1e0057d4a1b29109ad5ae90eb056492081545f 6846 twisted_18.9.0-3+deb10u1_source.buildinfo
Checksums-Sha256:
 cfcdc1a6ff8c46407ba2c355db16b39e085391d1775f956401dae4b51844be5b 3007 twisted_18.9.0-3+deb10u1.dsc
 d8f9a768dc53473d396886ac967d3fb68493400da59d2efe02c52cad51be0602 52252 twisted_18.9.0-3+deb10u1.debian.tar.xz
 8bf49e7d9d828f4497709e16a810849a7b3ab7cf2e9d2e9eb5fb935b632ac743 6846 twisted_18.9.0-3+deb10u1_source.buildinfo
Files:
 9dfbe388fe5d053cff86d6a3e7097c5a 3007 python optional twisted_18.9.0-3+deb10u1.dsc
 25f4eda139fdec27d83d444403e477fd 52252 python optional twisted_18.9.0-3+deb10u1.debian.tar.xz
 734d9e7dfc1449d6fa5249480d12dc67 6846 python optional twisted_18.9.0-3+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYnPfnhQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2FHcAQCJCu9tAq0kJFuOegDI0GmqXFrccYA8
MfejCidFeGW/NQEAoNeraZZopzmfWuy0NJH87yLpM3iqjUZuol2gHFMX6AM=
=gtAt
-----END PGP SIGNATURE-----