-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: arm64
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: arm Build Daemon (arm-arm-03)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
Checksums-Sha1:
 1ea10da52c34eebfd2d67df0b4000f52af99eb5c 65604 python-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 496d70dbb7cc441eb8517035df7096b5dde2ed32 23296 python-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 155a2777326e6fa868fa892d8c08657d12cef3ed 55852 python3-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 0f1343aecc7cd43d089671def9e9ff15627daaab 19676 python3-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 935f544d25d2fb6ea9304e91c4d055dd1880e33e 9302 twisted_18.9.0-3+deb10u1_arm64-buildd.buildinfo
Checksums-Sha256:
 31d295a1f9789c778fb81d981fb7fa4d6c7929fc46ac04613326ba70497d42a2 65604 python-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 57b569963163db4b493068f74b52fc7b460af4b7ba3462f4b9038a36581e4728 23296 python-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 7deaa7afd387160b70a6b101e633d406b03e5f50e7910cfaa72134e36fdeb9d0 55852 python3-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 947ad040123e6c26793dbc8c47a359a44622b88558661df2bcc061e2de2858d3 19676 python3-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 83c6f798088ae8138305a9f50556c7f2e6dde58a01d9cacce709f8ea074cd38f 9302 twisted_18.9.0-3+deb10u1_arm64-buildd.buildinfo
Files:
 addc593ee483ea22212e297375f8a319 65604 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 f3104e5af32a6f73121833af2c782c1f 23296 python optional python-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 828ca2a777766ff8843fb52413119f6b 55852 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_arm64.deb
 f6caad5a5c7a8e8e914bc5d6dbac3d8b 19676 python optional python3-twisted-bin_18.9.0-3+deb10u1_arm64.deb
 4c0c56a1f7f1ab41d8b33017e2862c58 9302 python optional twisted_18.9.0-3+deb10u1_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIS72tuB86Di4j06asDFrxdWCRVIFAmKAGu4ACgkQsDFrxdWC
RVL/qQ/+P4hI/hz32ZnjYlzTVHsPOOCnQjai4W7fpSHms5KiLaWrFf/upH/LSMJf
0uP/HgwgITAEbSMjQ0VnFKUeISHYLQOcRhfME45/DGntJlRkCefhiR9BECxv9v5E
UeIfN/imecxTJe2UuhirR8ikDI3V3uBw1ywf8UejbXM3xHvcL7p0a0flzdA/xjOF
ganUGT276O/LDHqW2xuxazIrGfKKTX78pjnuhqTeEvg0vg8QvQuMJu8f9/agpwy/
zPJpSeNKUPZvL2SanlqVubeyl4l3ZbLCF1avkHRKCdpIqcup33G26c2cSh2DsU5b
Ff39qWvz88ecn4luZzWY1hS9xqMA5Ln/gq2LsXQ5k7z3NoAUXnGc9RmzS6leRl3J
FrbUMyPME9vhTa91IhAlc4yEDPoP8F1wPac+yVLoncdgMw8jcjUy2nXpLT8VIoJg
04nxrzky1tR0xxVkzt2N4ZMSMxNxzdjBWz4IRUZur+1Zdjs8KajjpVTw1EswJgTq
/1BlziRgG7/h1o6MNE6oqYe0lom3rNIKaJAG31lSOgkqfLNrwfJ1W+yz+V8DY6D4
IJnnRmJATUcl52Gw/mHPZQfC4dIyiRYqTeKhfVuYEkf+ycwqeKD/JvJtesZy3ecO
u0YnYnQ7MTksrVeXIhpJrdeaT782IhXPh6KmNFXK5tDBO3HHzrA=
=JK/p
-----END PGP SIGNATURE-----
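The CVE-2022-24801 entry in the changelog above names four parsing rules (no signed Content-Length, no illegal characters in chunk extensions, no 0x prefix on chunk sizes, strip only space and horizontal tab from header values). The following Python is an added illustration written for this page; it is not Twisted's code nor any of the Debian patches. The function names (parse_content_length, strip_header_value, parse_chunk_size_line, lenient_content_length) are hypothetical, and the tchar set is taken from RFC 7230. It shows why the rules matter: Python's int() and bytes.strip() accept more than the HTTP grammar does, and a parser that inherits that leniency can disagree with an upstream proxy about where a request ends.

```python
import re
import string

# Added illustration, not Twisted's code: strict parsing of the fields named
# in the CVE-2022-24801 changelog entry, beside the lenient built-ins.

_CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")    # digits only: no sign, no padding
_CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+$")   # bare hex digits: no "0x", no sign
# RFC 7230 tchar set, the only bytes allowed in a token (extension names,
# unquoted extension values).
_TCHAR = set(b"!#$%&'*+-.^_`|~" + string.ascii_letters.encode() + string.digits.encode())


def lenient_content_length(value: bytes) -> int:
    """The leniency being removed: int() tolerates a sign and surrounding whitespace."""
    return int(value)


def parse_content_length(value: bytes) -> int:
    """Return Content-Length as an int, rejecting signed, padded or hex forms."""
    if not _CONTENT_LENGTH_RE.match(value):
        raise ValueError("invalid Content-Length: %r" % (value,))
    return int(value)


def strip_header_value(value: bytes) -> bytes:
    """Strip only SP and HTAB (RFC 7230 optional whitespace).

    bytes.strip() with no argument would also remove \\x0b, \\x0c, \\r and \\n,
    bytes that another parser in the chain may treat as significant.
    """
    return value.strip(b" \t")


def _is_quoted_string(val: bytes) -> bool:
    return len(val) >= 2 and val.startswith(b'"') and val.endswith(b'"')


def parse_chunk_size_line(line: bytes) -> int:
    """Parse 'size[;name[=value]...]' from a chunked body with strict syntax.

    int(b"0x1a", 16) would return 26, so the hex check must happen on the raw
    bytes before conversion; extension names and unquoted values must be tokens.
    """
    size, sep, extensions = line.partition(b";")
    if not _CHUNK_SIZE_RE.match(size):
        raise ValueError("invalid chunk size: %r" % (size,))
    if sep:
        for ext in extensions.split(b";"):
            name, _, val = ext.partition(b"=")
            if not name or any(c not in _TCHAR for c in name):
                raise ValueError("illegal chunk-extension name: %r" % (name,))
            if val and not _is_quoted_string(val) and any(c not in _TCHAR for c in val):
                raise ValueError("illegal chunk-extension value: %r" % (val,))
    return int(size, 16)


if __name__ == "__main__":
    # Constructed sample inputs: the lenient path accepts what the strict one rejects.
    for raw in (b"+5", b" 5 ", b"5"):
        try:
            print(raw, "strict ->", parse_content_length(raw))
        except ValueError as exc:
            print(raw, "strict rejects:", exc, "| lenient ->", lenient_content_length(raw))
```

The strict functions work on bytes because that is what arrives on the wire; decoding first would let Unicode whitespace and digit categories widen the accepted set further.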