-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Nov 2024 20:11:39 +0100
Source: twisted
Architecture: source
Version: 20.3.0-7+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1023359 1054913 1077679 1077680
Changes:
 twisted (20.3.0-7+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2022-39348: When the host header does not match a configured host
     `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource
     which renders the Host header unescaped into the 404 response allowing
     HTML and script injection. In practice this should be very difficult
     to exploit as being able to modify the Host header of a normal HTTP
     request implies that one is already in a privileged position.
     (Closes: #1023359)
   * CVE-2023-46137: When sending multiple HTTP requests in one TCP packet,
     twisted.web will process the requests asynchronously without
     guaranteeing the response order. If one of the endpoints is controlled
     by an attacker, the attacker can delay the response on purpose to
     manipulate the response of the second request when a victim launched
     two requests using HTTP pipeline. (Closes: #1054913)
   * CVE-2024-41671: The HTTP 1.0 and 1.1 server provided by twisted.web
     could process pipelined HTTP requests out-of-order, possibly resulting
     in information disclosure. (Closes: #1077679)
   * CVE-2024-41810: The `twisted.web.util.redirectTo` function contains an
     HTML injection vulnerability. If application code allows an attacker
     to control the redirect URL this vulnerability may result in Reflected
     Cross-Site Scripting (XSS) in the redirect response HTML body.
     (Closes: #1077680)
   * Test suite: fix TCP "Too many open files" errors.
   * Test suite: fix SSL "key too small" errors.
   * Test suite: fix SSL "wrong version number" errors.
   * Test suite: fix SSL ellipticCurveDiffieHellman test.
   * Test suite: add salsa-ci.yml and configure to bullseye-lts.
   * python3-twisted.lintian-overrides: fix rules.
Checksums-Sha1:
 60a6e646d686895eb1b805d8b32d5ee9353c444b 2542 twisted_20.3.0-7+deb11u2.dsc
 915f782b902aca3ea5547ef333089961101e0871 3127793 twisted_20.3.0.orig.tar.bz2
 3b4ef6a96a3c28fcfbffb1a81d3b28dde923345a 50916 twisted_20.3.0-7+deb11u2.debian.tar.xz
 02106a82eab9b73dd194b5ea846a296b8d73e012 8508 twisted_20.3.0-7+deb11u2_all.buildinfo
Checksums-Sha256:
 675382216a7123e1af413be6c0a9820ce92d7adc31569068552352332147674d 2542 twisted_20.3.0-7+deb11u2.dsc
 d72c55b5d56e176563b91d11952d13b01af8725c623e498db5507b6614fc1e10 3127793 twisted_20.3.0.orig.tar.bz2
 3860fc89186a94fae5209feb86115d3b907d9ff1941fb8ceb089d71fa35ff183 50916 twisted_20.3.0-7+deb11u2.debian.tar.xz
 3fb33579910777579d37149885b199472cb80cb474ea724ef02440a74b99fc5f 8508 twisted_20.3.0-7+deb11u2_all.buildinfo
Files:
 a47af9f5b8237b91e15e6590fba84584 2542 python optional twisted_20.3.0-7+deb11u2.dsc
 fc16d575730db7d0cddd09fc35af3eea 3127793 python optional twisted_20.3.0.orig.tar.bz2
 115ffaca06049dadb70c7993c9cbc64e 50916 python optional twisted_20.3.0-7+deb11u2.debian.tar.xz
 0a8f9cb9d13720209a9900cb92ad5187 8508 python optional twisted_20.3.0-7+deb11u2_all.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmdISa0ACgkQDTl9HeUl
XjCLoRAAiz8SwYTKuiVnm81no/Y/ckignUxXYjHeBXL+ArB4yL3IDo8CMJwog0xv
FfcW5TQXLh9nbcbrN0C8kvY1/mprlWtrsxajBMTi8rtClpIB+7tSc8GeV9wQL35M
qSY6Lxn+IrGbnUxWMy5/4gA8wwnraYJU8wmhIq1uDPYNotsD/qVwbygadBgW8LRM
lekpSWY/+O1zeGQlhYO/33/LM93lL01NXYai3USs2OTJgnimwKq1x1g0fGhO7ESE
YJBArBygIdEJfhkiiW7TX92W7tKsh1Aj5yl/cstF6tTGCovu8XDpwb2gInV4M8lg
WfgtRfeNS3hyASA+K+iIceiUO7OtMzpIRWG+2ClvA50uJMU2fvMZyoSMxt/T+wki
/K9t/57IgqruDMnNJWPZmKAmgAWrS/Q3C2Tuo1yh/zOctHAB+DaF3W0f7pswjCSD
7nLNzU/XiTXmLZfgWBMcyncoXsr4984XrJ698nHppg22vJiWQckwjFKJuRHp9PXE
w44R+crlWwt+aROLgMHsaq+mespw7YuMEaHIcddzGBrKG6T5uCr2rVmnSQp+48Bz
DK2S3/9/3Eyeiib6Jud89mMxGJ3Zr5bZWOa0lbJHLo/nBDWn+xbD6mxOGaVgGkkx
tfeJMWUd+dvcHTI49qX8zgMXDZkenrzOjlkN8lAuwLZiRBBW9xQ=
=KV+2
-----END PGP SIGNATURE-----
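The two HTML-injection entries above (CVE-2024-41810, a redirect URL rendered into the redirect body, and CVE-2022-39348, a Host header rendered into a 404 body) share one defect class: request-controlled text interpolated into an HTML response without escaping for the HTML context. The following is an added example, placed after the signed message so the signed text stays intact; it is not Twisted's code, not the Debian patch, and does not reproduce Twisted's API. It shows the vulnerable pattern next to a hardened form, a regression-style check that a body does not echo markup-bearing input verbatim, and the caveat that the `Location` header must keep the raw URL (only the HTML body is escaped). Function names, templates and sample inputs are constructed for the example.

```python
"""Escaping untrusted request data before it lands in an HTML response body.

Added example for the defect class behind CVE-2024-41810 (redirect URL in the
redirect body) and CVE-2022-39348 (Host header in a 404 body). Not Twisted's
code; templates, function names and sample values are constructed here.
"""
from html import escape
from typing import Dict, Tuple

# Constructed redirect-page template. The URL appears in two attribute
# contexts, so both need attribute-safe escaping (quote=True below).
_REDIRECT_TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)

# Constructed 404 template for the unknown-virtual-host case.
_NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>"
    "<body>No such host: {host}</body></html>"
)


def unsafe_redirect(url: str) -> Tuple[Dict[str, str], str]:
    """Vulnerable pattern: the untrusted URL goes into the HTML verbatim."""
    headers = {"Location": url}
    return headers, _REDIRECT_TEMPLATE.format(url=url)


def safe_redirect(url: str) -> Tuple[Dict[str, str], str]:
    """Hardened pattern: escape for HTML, but leave the header untouched.

    The Location header is not HTML; HTML-escaping it there would corrupt the
    redirect target, so the raw URL stays in the header and escaping is
    applied only where the value is embedded in markup.
    """
    headers = {"Location": url}
    body = _REDIRECT_TEMPLATE.format(url=escape(url, quote=True))
    return headers, body


def safe_not_found(host: str) -> str:
    """Hardened 404 body: the echoed Host value is escaped for HTML."""
    return _NOT_FOUND_TEMPLATE.format(host=escape(host, quote=True))


def body_reflects_markup(body: str, untrusted: str) -> bool:
    """Regression check: is an input carrying HTML-significant characters
    present verbatim in the response body?

    True means the handler echoed markup-bearing input unescaped, which is
    the condition a test suite should fail on for any HTML-producing handler
    that includes request-controlled data.
    """
    if not any(ch in untrusted for ch in "<>\"'"):
        return False
    return untrusted in body


if __name__ == "__main__":
    # Constructed untrusted inputs carrying attribute- and tag-breaking characters.
    tainted_url = 'https://example.com/?next="><marker>'
    tainted_host = "evil<marker>.example"

    _, unsafe_body = unsafe_redirect(tainted_url)
    safe_headers, safe_body = safe_redirect(tainted_url)

    print("unsafe body reflects markup:", body_reflects_markup(unsafe_body, tainted_url))
    print("safe body reflects markup:  ", body_reflects_markup(safe_body, tainted_url))
    print("Location header kept raw:   ", safe_headers["Location"] == tainted_url)
    print("safe 404 body:", safe_not_found(tainted_host))
```

`body_reflects_markup` is deliberately narrow: it only flags inputs that contain `<`, `>`, `"` or `'`, so a benign value echoed verbatim does not trip it, while the escaped forms (`&lt;`, `&quot;`, …) never match the original string. It is a cheap check to wire into a test for every handler that renders request data into HTML, including error pages.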