Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: armhf
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-06)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass again.