-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 05 May 2022 09:59:26 -0400 Source: twisted Architecture: source Version: 20.3.0-7+deb11u1 Distribution: bullseye Urgency: medium Maintainer: Debian Python Team <team+python@tracker.debian.org> Changed-By: Stefano Rivera <stefanor@debian.org> Changes: twisted (20.3.0-7+deb11u1) bullseye; urgency=medium . * Team upload. * CVE-2022-21712: Information disclosure results in leaking of HTTP cookie and authorization headers when following cross origin redirects - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are removed when forming requests, in src/twisted/web/client.py, src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py. - Thanks Canonical for backporting the patches. * CVE-2022-21716: Parsing of SSH version identifier field during an SSH handshake can result in a denial of service when excessively large packets are received - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received handshake buffer is checked, prior to processing version string in src/twisted/conch/ssh/transport.py and src/twisted/conch/test/test_transport.py - Thanks Canonical for backporting the patches. * CVE-2022-24801: Correct several defects in HTTP request parsing that could permit HTTP request smuggling: disallow signed Content-Length headers, forbid illegal characters in chunked extensions, forbid 0x prefix to chunk lengths, and only strip space and horizontal tab from header values. - debian/patches/CVE-2022-24801-*.patch * Patch: remove spurious test for illegal whitespace in xmlns, to allow tests to pass, again. Checksums-Sha1: b953fbeb230b136eec8d4991b47d9af01fc83894 1965 twisted_20.3.0-7+deb11u1.dsc 57921a411ec3276d3ad929af13a0f7ce8a25372b 43572 twisted_20.3.0-7+deb11u1.debian.tar.xz e5c189d8c0a509d650a263ba784a9a20bd5d2e6c 6545 twisted_20.3.0-7+deb11u1_source.buildinfo Checksums-Sha256: c0a73d67c2c30749b7d5aabbcd58037a6ed26414d0b570215de5f0e8c732ce19 1965 twisted_20.3.0-7+deb11u1.dsc 60f42ddde10c7e8f01b32254579e78d254a53a8ef77b42fe76eb562a0bd6a4aa 43572 twisted_20.3.0-7+deb11u1.debian.tar.xz 59b2ae2d809dc5a1bdb85ca832b23cb20c7d49ebd6f6d9beeb600022dd1637c0 6545 twisted_20.3.0-7+deb11u1_source.buildinfo Files: a32632d50a6a6bb6514e2fde1698e70b 1965 python optional twisted_20.3.0-7+deb11u1.dsc ab9da6d93ae431fc8b0b4c06dbeca196 43572 python optional twisted_20.3.0-7+deb11u1.debian.tar.xz 97fad520f87f79c74e1016eede16eeeb 6545 python optional twisted_20.3.0-7+deb11u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYnPchRQcc3RlZmFub3JA ZGViaWFuLm9yZwAKCRBHew2wJjpU2Pt9AQC4qbmHzaI/nRwJcwoWvhaxH+3MtTIL oOiQCR80sbENhwD/SzuWTE3rYUqa5o+SFNH3MGsiEyCakOQIdOhpJAtDlAQ= =iXw5 -----END PGP SIGNATURE-----