-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: armel
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-06)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
Checksums-Sha1:
 9babc9786e94828877b8b6ba99b548a1307ace3b 65908 python-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 eba8902a685db4c2dbe92d10ec57d8b909b4ae15 22648 python-twisted-bin_18.9.0-3+deb10u1_armel.deb
 551915c1ae70619adede59dcc8ad3c45988eefba 54836 python3-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 d9203b4cca6c56cc01ed8283c8598079731d6a9d 19456 python3-twisted-bin_18.9.0-3+deb10u1_armel.deb
 b36c4f29e96bf91c72461a8e5533b496b9118df1 9234 twisted_18.9.0-3+deb10u1_armel-buildd.buildinfo
Checksums-Sha256:
 1861268b694a96fa7cb710c84fd7f91f6f872af5652af5bfe85aa596e3a90016 65908 python-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 828188bcff665c19eab207e33e40a4e3339ea9e583972b4152d9a288af0d30b6 22648 python-twisted-bin_18.9.0-3+deb10u1_armel.deb
 6fce9f69232171c08bf6c1d6491518def11ebaf1d1bfd2f77da9e5dab48b6320 54836 python3-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 ca31882063a1ecd85778e93204d6badf94ccfbf4c81995bbd902d20248948865 19456 python3-twisted-bin_18.9.0-3+deb10u1_armel.deb
 0ecb7ca429ffaa3c3303ac3f24470c450f2d6a8b7a8e16219edc7d1c4e8f2fcc 9234 twisted_18.9.0-3+deb10u1_armel-buildd.buildinfo
Files:
 3751eb478d0c1947f39bbc3dcccc3fdb 65908 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 0d78149986b83c5e6d9f3308058b30f4 22648 python optional python-twisted-bin_18.9.0-3+deb10u1_armel.deb
 d0071580346b10c472644206b05390f6 54836 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_armel.deb
 3c9e8aa4a8f590c6559f237b6b954818 19456 python optional python3-twisted-bin_18.9.0-3+deb10u1_armel.deb
 2d4b5aab345e61292cffeefe124eb667 9234 python optional twisted_18.9.0-3+deb10u1_armel-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE6s8zdJc1COClWaF0coDKdhG/95QFAmJ/zVcACgkQcoDKdhG/
95Tj6RAAiFme4uJCrtzgBc6kXKK74VJl3FjTrVgzZrjBYIidsodUeiDM5jP8WCbB
cHh/PwgbkTvV4Ft0mm/zLMXRKUqXMd2SkCNGoQvB8CpqdRQmOym/p5+JILpjZOmO
ATt1H6wjJlXlVLez8ObWi5qa5Es7kdMGQsimkXSw+UtwVNavKQRZoX5S/M8PHpUV
geQfDz2ewoTPDc9k7UixTgGPosxVKq0Hc04b1FtqTqtlZpO6xO7VdEcls/oHQr8N
xgn4Yb/hEHKPTkr6Rl8s0dyi5As1LxRDP3+b43RXfs3qA7HMWpkNhWXLGWwBkGzk
+YuS7Y44eJSyxxPnxe4hZpWeLUTRO+J35T7ensdo8JtAlL/MjUITAYnwSWc2ES0E
QkBJCm4XKrSfpRh3ZiiGNbpCTeklaAERo/C0P2AhEg1YOuQ7LBTsW5F2prWhTYFH
NIy39zENl8OBXEUeJDVb90r9n2EdMpBdCJsWu2y1qWcW8cISUH6DNtR7AUySVyTe
7Is6BOllj25+n4ci4hi89jwBwNRUS8nIp8yzFqQrGzrxa01cV1Qn00HFDaYM7Wko
G+v13CmKnPGGrUWjkf5f0VW8aJFC0N2CqRR/wCuoH+ttHAgIJ+gDC+bJvP0oI+b/
Ei3ov6Q677J3T/nHPadZefCBHZy1rUOU+cNtNa95iscimai1dgw=
=7BHd
-----END PGP SIGNATURE-----
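The CVE-2022-24801 entry above lists four parsing rules (no signed Content-Length, no illegal characters in chunk extensions, no 0x prefix on chunk lengths, strip only SP and HTAB from header values). The following is an added example, not Twisted's code and not the Debian patch, showing what each rule looks like as a strict RFC 7230 check and why the lenient alternative (Python's bare `int()` and `bytes.strip()`) is the thing a reviewer should look for. Function names, regexes and the sample inputs are constructed for this example.

```python
"""Strict checks for the HTTP/1.1 framing fields named in CVE-2022-24801.

Added example (hypothetical helper, not Twisted's implementation). Each
check corresponds to one rule in the changelog entry; comments note the
lenient behaviour that a front-end proxy and back-end may interpret
differently, which is the root of request-smuggling desyncs.
"""
import re

# RFC 7230: Content-Length = 1*DIGIT.  int(b"+5"), int(b" 5\n") and
# int(b"1_0") all succeed in Python, so a bare int() accepts signed,
# padded and underscored values that another parser may reject or read
# differently.  Anchoring on ASCII digits only closes that gap.
_CONTENT_LENGTH = re.compile(rb"^[0-9]+$")

# RFC 7230: chunk-size = 1*HEXDIG.  int(x, 16) also accepts "0x1a", "+1a"
# and surrounding whitespace; the regex does not.
_CHUNK_SIZE = re.compile(rb"^[0-9a-fA-F]+$")

# chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ), where the
# name is a token and the value is a token or quoted-string.
_TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[^"\\\r\n]|\\.)*"'
_CHUNK_EXT = re.compile(
    rb"^(?:;" + _TCHAR + rb"(?:=(?:" + _TCHAR + rb"|" + _QUOTED + rb"))?)*$"
)

# RFC 7230 OWS is SP / HTAB only.  bytes.strip() with no argument also
# removes \r, \n, \v and \f, so b"5\x0b" would silently become b"5".
_OWS = b" \t"


def strip_ows(value: bytes) -> bytes:
    """Trim only SP and HTAB from both ends of a header value."""
    return value.strip(_OWS)


def parse_content_length(value: bytes) -> int:
    """Return the declared body length, or raise ValueError unless the
    header value is exactly 1*DIGIT after trimming OWS."""
    stripped = strip_ows(value)
    if not _CONTENT_LENGTH.match(stripped):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(stripped)


def parse_chunk_size_line(line: bytes) -> int:
    """Parse one 'chunk-size [chunk-ext]' line (trailing CRLF removed).

    Rejects 0x prefixes, signs and whitespace in the size, and any
    extension that is not token-shaped.  Returns the chunk length.
    """
    size, sep, ext = line.partition(b";")
    if not _CHUNK_SIZE.match(size):
        raise ValueError(f"invalid chunk-size: {line!r}")
    if sep and not _CHUNK_EXT.match(sep + ext):
        raise ValueError(f"invalid chunk-ext: {line!r}")
    return int(size, 16)


def classify(samples):
    """Run constructed (field, raw) samples through the strict parsers and
    return {(field, raw): ("ok", value) | ("rejected", None)}."""
    parsers = {
        "content-length": parse_content_length,
        "chunk-size": parse_chunk_size_line,
    }
    results = {}
    for field, raw in samples:
        try:
            results[(field, raw)] = ("ok", parsers[field](raw))
        except ValueError:
            results[(field, raw)] = ("rejected", None)
    return results


if __name__ == "__main__":
    # Constructed inputs: one accepted and one rejected form per rule.
    samples = [
        ("content-length", b"\t42\t"),   # OWS trimmed, accepted
        ("content-length", b"+5"),       # signed, rejected
        ("content-length", b"5\x0b"),    # VT is not OWS, rejected
        ("chunk-size", b"1a;name=\"quoted value\""),  # legal ext, accepted
        ("chunk-size", b"0x1a"),         # 0x prefix, rejected
        ("chunk-size", b"1a;bad name"),  # space in ext name, rejected
    ]
    for (field, raw), (verdict, n) in classify(samples).items():
        print(f"{field:15} {raw!r:28} {verdict:9} {'' if n is None else n}")
```

The regexes operate on bytes deliberately: header values arrive as bytes, and decoding them first invites a second class of lenient behaviour (Unicode digit classes, for instance) before the framing check runs.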