-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: i386
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
Checksums-Sha1:
 4fdf729d816501bfde508913f9a243d44ce7c840 64216 python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 b46c6c183ee91fd1821c25e43eed218a97538abe 23964 python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 83c86e3c6add46fa94b19e9c9c2dad9f408124ad 54748 python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 01e187ad119264848f98c8f8b5a9f7bc232d4828 20316 python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 640e346e991a7eaf07c1289d451fde25e1ba2ffd 9288 twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo
Checksums-Sha256:
 45cae909fca77bae2b8b14bb779c9fa6ae71c02e5e1ba177fef7cef440ebe1e1 64216 python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 529c0da1faf211b3f76f842abecbc1cef8adb9f8fb6fb6c27d088dc92fda2e13 23964 python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 882dea0d8f2c990b034c43fbcea2b0354fdcabbc41088a580d2adbb7f23dcb16 54748 python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 9d190170aea45137920a4b9dd9bf68cb617293538b9e60655724f81c72a60fd1 20316 python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 0c8977ffe290980af430536c57d2c994e1cc658ee3b413de34797c60398df64d 9288 twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo
Files:
 34bc74cf851aa951b9d1b2d812b7bd16 64216 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 0a4f8aaf3e12d54f70abeebafe67612d 23964 python optional python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 472573a011110722554b8ebb885a4ebb 54748 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 859321aa9f41c3fc2f241b995e5d349b 20316 python optional python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 5b8b7ae2e502234320795dd9a579dcbe 9288 python optional twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2q+i4qaoTi/nmbi10RfxDyMLhSIFAmKAGsAACgkQ0RfxDyML
hSI/9Q/8Cs2gH7x0Wr04SYFnpeysbzJoI7mphZgyEmfgR/kRIyo1u+uOvctJxuk1
UPDWHmrm0rccxq4VnQ8NSoDo9XMUadH/HFbDCzHjryL5xjX7WPkyg3YXgE+cd0v+
9xDSyJkfvPbBcGGpCMOnFK+99jDcUH/w1f4Ufzriw2FGkWn2OR65cvHUqzo3Lzv0
NQNW5BQGEV3hFzz0n33WnHnKDAwAbsVneRIxZmHTT9UY0NGa/PwjIxb69TPMcRcM
SOs9gjrgHAmt86obKivzEf4R47QPVmFsbksZAACVwbqO7bLxt8BN2KTP4UISCaQo
mc2rNVCpveXRDd5/iB64PWuFDcc28UkGDpW8ix5JKHNExAnvZnaHCH+Nne6NhFRT
xlJ1CeaTIw+c0RJPZu3yZC9tQDM7agFqoAlith/bqTEiOwE45u0DT1znZF0YNdAW
3XywmRoH352QQOxxiPygvQ6f+ueQfe24ltUxKA2THytDj1SyejzpX1i9K/PG5bP6
H4s33pMq6iv0nsR5qgccoSProdU/Q4KRa0IkSJ/YcktRn6x6D67WgzGBJWE6c+d5
MI2B3RaeIAAEK3M1fBxpt7mPCmFvUnjykSPyO5mdiziVE09ro7PwMPBYcW9hgLBR
0kDv0TWz+bKFDwQ53gs3xE//IO0QW4WZ0T53aF4l42KQnGSbALM=
=HH6p
-----END PGP SIGNATURE-----
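The CVE-2022-24801 entry in the changelog above names four framing rules (no signed Content-Length, no illegal characters in chunk extensions, no 0x prefix on chunk sizes, strip only SP and HTAB from header values). The Python below is an added example for this page, not Twisted's own parser: the function names, the regular expressions and the sample inputs are this example's own, and it encodes the four rules as the changelog states them rather than the exact grammar Twisted accepts. It keeps the lenient int()-based parse beside the strict one so the disagreement that enables request smuggling is visible.

```python
"""Strict HTTP/1.1 framing checks of the kind the CVE-2022-24801 entry
describes.  Added example, not Twisted code; names and inputs are made up."""
import re
from typing import Tuple

# RFC 7230 OWS is SP / HTAB only.  str.strip() with no argument also removes
# \x0b, \x0c, \r and Unicode spaces, so a value such as "\x0b42" would be
# accepted here and read differently by a stricter peer.  Strip SP/HTAB only.
_OWS = " \t"

# token and quoted-string from RFC 7230 section 3.2.6.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
# chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ).  No whitespace is
# allowed around ";" or "=", which is stricter than the RFC's BWS but rejects
# every control byte and every non-token character outright.
_CHUNK_EXT = re.compile(r"(?:;" + _TOKEN + r"(?:=(?:" + _TOKEN + "|" + _QUOTED + r"))?)+")
_HEX = re.compile(r"[0-9A-Fa-f]+")
_DEC = re.compile(r"[0-9]+")


def clean_header_value(raw: str) -> str:
    """Strip only optional whitespace (SP, HTAB) from a header value."""
    return raw.strip(_OWS)


def lenient_content_length(raw: str) -> int:
    """The defect: int() accepts '+42' and '4_2' (and strips more than OWS),
    so two parsers can disagree about where the body ends."""
    return int(raw)


def parse_content_length(raw: str) -> int:
    """Strict Content-Length: ASCII digits only after removing OWS; no sign,
    no underscore, no 0x prefix, no inner whitespace."""
    value = clean_header_value(raw)
    if not _DEC.fullmatch(value):
        raise ValueError("invalid Content-Length: %r" % raw)
    return int(value)


def parse_chunk_size(line: bytes) -> Tuple[int, str]:
    """Parse one chunk-size line (without its CRLF); return (size, ext)."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in chunk-size line") from None
    size_part, sep, ext_part = text.partition(";")
    # int(size_part, 16) would accept "0x1f", "+1f", " 1f" and "1_f".
    if not _HEX.fullmatch(size_part):
        raise ValueError("invalid chunk-size: %r" % size_part)
    if sep and not _CHUNK_EXT.fullmatch(";" + ext_part):
        raise ValueError("illegal chunk extension: %r" % ext_part)
    return int(size_part, 16), ext_part


def accepts(parser, value) -> bool:
    """True if parser(value) succeeds, False if it raises ValueError."""
    try:
        parser(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for raw in ("42", " 42\t", "+42", "4_2", "\x0b42"):
        print("%-8r lenient=%-5s strict=%s" % (
            raw, accepts(lenient_content_length, raw),
            accepts(parse_content_length, raw)))
    for line in (b"1f", b"1F;name=value", b"0x1f", b"1_f", b"1f;bad\x01ext"):
        print("%-16r %s" % (line, accepts(parse_chunk_size, line)))
```

The same checks belong on every hop that frames a body (origin server, reverse proxy, client library): a value that one hop normalises and another rejects is exactly the disagreement an attacker needs, so reject rather than normalise.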
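The Checksums-Sha1, Checksums-Sha256 and Files stanzas are what lets a consumer of this upload check the .deb and .buildinfo files it received; the PGP signature covers the stanzas, and the stanzas cover the files. The Python below is an added example for this page, not part of the .changes and not a dpkg or devscripts tool (in practice run dscverify against the archive keyring, which also checks the signature). SAMPLE_CHANGES is copied from the stanzas above; the function names, the loader callback and the directory argument are this example's own, and the hello.bin file used in its self-check is constructed.

```python
"""Check the checksum stanzas of a Debian .changes file against files on
disk.  Added example for this page; SAMPLE_CHANGES is copied from the
.changes above, everything else (names, loader, directory) is assumed."""
import hashlib
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Field name -> hashlib algorithm.  "Files:" lines carry MD5 plus section
# and priority columns; the Checksums-* lines carry "digest size name".
CHECKSUM_FIELDS = {"Checksums-Sha1": "sha1",
                   "Checksums-Sha256": "sha256",
                   "Files": "md5"}

Entry = Tuple[str, int, str]  # (hex digest, size in bytes, file name)

SAMPLE_CHANGES = """\
Checksums-Sha1:
 4fdf729d816501bfde508913f9a243d44ce7c840 64216 python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 b46c6c183ee91fd1821c25e43eed218a97538abe 23964 python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 83c86e3c6add46fa94b19e9c9c2dad9f408124ad 54748 python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 01e187ad119264848f98c8f8b5a9f7bc232d4828 20316 python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 640e346e991a7eaf07c1289d451fde25e1ba2ffd 9288 twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo
Checksums-Sha256:
 45cae909fca77bae2b8b14bb779c9fa6ae71c02e5e1ba177fef7cef440ebe1e1 64216 python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 529c0da1faf211b3f76f842abecbc1cef8adb9f8fb6fb6c27d088dc92fda2e13 23964 python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 882dea0d8f2c990b034c43fbcea2b0354fdcabbc41088a580d2adbb7f23dcb16 54748 python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 9d190170aea45137920a4b9dd9bf68cb617293538b9e60655724f81c72a60fd1 20316 python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 0c8977ffe290980af430536c57d2c994e1cc658ee3b413de34797c60398df64d 9288 twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo
Files:
 34bc74cf851aa951b9d1b2d812b7bd16 64216 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 0a4f8aaf3e12d54f70abeebafe67612d 23964 python optional python-twisted-bin_18.9.0-3+deb10u1_i386.deb
 472573a011110722554b8ebb885a4ebb 54748 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_i386.deb
 859321aa9f41c3fc2f241b995e5d349b 20316 python optional python3-twisted-bin_18.9.0-3+deb10u1_i386.deb
 5b8b7ae2e502234320795dd9a579dcbe 9288 python optional twisted_18.9.0-3+deb10u1_i386-buildd.buildinfo
"""


def parse_checksum_fields(text: str) -> Dict[str, List[Entry]]:
    """Collect the continuation lines (single leading space) of every
    checksum stanza; any non-indented line ends the current stanza."""
    fields: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" "):
            if current is not None and line.strip():
                tokens = line.split()
                fields[current].append((tokens[0].lower(), int(tokens[1]), tokens[-1]))
            continue
        name = line.partition(":")[0]
        current = name if name in CHECKSUM_FIELDS else None
        if current is not None:
            fields.setdefault(current, [])
    return fields


def inconsistent_files(fields: Dict[str, List[Entry]]) -> List[str]:
    """Names absent from some stanza or whose sizes disagree between
    stanzas; an edited line usually fails here before any hashing."""
    sizes: Dict[str, Dict[str, int]] = {}
    for field, entries in fields.items():
        for _digest, size, name in entries:
            sizes.setdefault(name, {})[field] = size
    return sorted(name for name, per_field in sizes.items()
                  if set(per_field) != set(fields)
                  or len(set(per_field.values())) != 1)


def verify_entries(fields: Dict[str, List[Entry]],
                   loader: Callable[[str], Optional[bytes]]) -> Dict[Tuple[str, str], str]:
    """Return {(field, name): status}; status is one of ok, missing,
    size-mismatch, digest-mismatch, bad-name.  loader(name) yields the
    file's bytes or None when it does not exist."""
    results: Dict[Tuple[str, str], str] = {}
    for field, algo in CHECKSUM_FIELDS.items():
        for digest, size, name in fields.get(field, []):
            key = (field, name)
            if Path(name).name != name:  # refuse "../x" and "dir/x"
                results[key] = "bad-name"
                continue
            data = loader(name)
            if data is None:
                results[key] = "missing"
            elif len(data) != size:
                results[key] = "size-mismatch"
            elif hashlib.new(algo, data).hexdigest() != digest:
                results[key] = "digest-mismatch"
            else:
                results[key] = "ok"
    return results


def verify_dir(text: str, directory: str) -> Dict[Tuple[str, str], str]:
    """Verify every stanza of a .changes file against files in directory."""
    base = Path(directory)

    def load(name: str) -> Optional[bytes]:
        path = base / name
        return path.read_bytes() if path.is_file() else None

    fields = parse_checksum_fields(text)
    bad = inconsistent_files(fields)
    if bad:
        raise ValueError("checksum stanzas disagree for: %s" % ", ".join(bad))
    return verify_entries(fields, load)


if __name__ == "__main__":
    # Without the .deb files beside the script every entry reports 'missing'.
    for key, status in sorted(verify_dir(SAMPLE_CHANGES, ".").items()):
        print(status, *key)
```

Verify the PGP signature first (the stanzas are only as trustworthy as the key that signed them), then check the files; treat any digest-mismatch or size-mismatch on a file you fetched from a mirror as a reason to discard it, not to retry with a weaker hash.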