-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: amd64
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass again.
Checksums-Sha1:
 82583f1b5d1f924228d9e2b1e30df7507fadabff 66948 python-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 87e828a6972a75b1743f58021db77e215503fdf4 23724 python-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 ffcef352722c09fb31263ccdcbab4a92fcb08653 56884 python3-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 8dea81c38be8744de1df21916335394acaef7905 20176 python3-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 33837d71e8eedfcbc870df6988173205ce6f48d2 9350 twisted_18.9.0-3+deb10u1_amd64-buildd.buildinfo
Checksums-Sha256:
 b0549d0f26f6319dcada0ae0d6fb9a88ce98410f99bbcd69cd96ab6b54cb4725 66948 python-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 3f026114def5dfd4eb1a2c37888c778993b25bb753520268dccf63d78e6dec9d 23724 python-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 336e9547cfb9fc7359674da8d40ac90c23a96de7626ba18767286f7811ac34b7 56884 python3-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 f5906dc09e2ce69a3c12fdc59c3bdcf39e62ff919188bbc6dfc4dbe294f53672 20176 python3-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 22b6620ab66ba353b5a69ca39339711e0d0ec7e6eb3b5a5d15446f7a6fc56ee4 9350 twisted_18.9.0-3+deb10u1_amd64-buildd.buildinfo
Files:
 65241b6124a905473e66964218d58ed6 66948 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 f2c37e7aecade6aedb8708f458665d59 23724 python optional python-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 76ab0c67b4bd125a818a78207193186a 56884 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_amd64.deb
 983af572d26b1317621a23b167d3dbed 20176 python optional python3-twisted-bin_18.9.0-3+deb10u1_amd64.deb
 4a8e48cb71032f4f296dd3ea1b03afec 9350 python optional twisted_18.9.0-3+deb10u1_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2q+i4qaoTi/nmbi10RfxDyMLhSIFAmKAGyAACgkQ0RfxDyML
hSIzoQ/8C/II8QIXbnkTtnWeStl7BftWcQchkKvE/t7dgAVvtiFxkoCXb1QZhETn
gQCXknqLGB7kjNzKHbPNc3GILB9K4tIgyWx4dZ3Ki17pBaSNW5Gxh5ri//BSvdpc
AaPJia6533KV6DQBPYOGTnvuaN+gjNBW2QJPQbW73r6YrSh2IuWXxjZYZuQsAq5+
Zk/jknGfP75etC8eSrwheZDG8ssudpKZFvsGDPDGqbg3xW+TwSvp4Vok7v6rHHQ6
sNohO4Bfix1aAj+CKqV8smHfzp82BabumFcCS6ux07fA1558dU+WctNFQYhsD0pN
+1TSLdN7lj8C4OAiU/o+FvSfqjbWTeLuqD9Vo0DmQazsHwDOuuhblEdOOp7FiKha
dZT2YMWiDT70uCmKDqzOtote0NDSFqFga4+kiksVNeKQUfHSjYeGuzWuJOx/Iuvs
G7WxVW0zWH45W5ncuYXggCeVt+/yoH80VSZYBAiaZ/NK9TudLAg5QQ6m3JBpbjTF
19PLA2Q58uY6pVVMifV7lSLeHYesuCcTSufU9qdV0fXzRuRL2iWSN7Mv7/pfw5ng
IWW1TRcRKjBu5AKqlpVlAB8T/AMQS4RLRoAgcFvoDgybeGHQ0FFUg+G589EHm23U
Ee+tEmSyHwEeesTsmkgZNxQ9HvrGCTAtHSawY/DO/J7FsDx4pHA=
=IU7F
-----END PGP SIGNATURE-----