-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: mips
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: mips Build Daemon (mips-aql-05)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin
     redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an
     SSH handshake can result in a denial of service when excessively
     large packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of
       received handshake buffer is checked, prior to processing version
       string in src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
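The CVE-2022-24801 changelog entry above names four parsing rules. The following is an added example, not code from Twisted or from the Debian patches, sketching strict parsers that apply them and showing why a bare `int()` or `strip()` is too lenient. The function names and the control-character test used for chunk extensions are assumptions made for illustration.

```python
import re

# Content-Length is 1*DIGIT and chunk-size is 1*HEXDIG (RFC 7230).
_DIGITS = re.compile(rb"[0-9]+")
_HEXDIG = re.compile(rb"[0-9A-Fa-f]+")


def parse_content_length(value: bytes) -> int:
    """Reject signed or decorated lengths; int() alone accepts b'+5' and b'5_0'."""
    if not _DIGITS.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def parse_chunk_size_line(line: bytes) -> int:
    """Parse a chunk-size line (CRLF already removed), with optional extensions."""
    size, _, ext = line.partition(b";")
    # int(b"0x1a", 16) and int(b"+1a", 16) both return 26, so validate first.
    if not _HEXDIG.fullmatch(size):
        raise ValueError(f"invalid chunk size: {size!r}")
    # Assumed rule for this sketch: no control bytes except HTAB in extensions.
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in ext):
        raise ValueError(f"illegal byte in chunk extension: {ext!r}")
    return int(size, 16)


def strip_header_value(value: bytes) -> bytes:
    """Strip only SP and HTAB; bytes.strip() would also drop \\x0b, \\x0c, CR, LF."""
    return value.strip(b" \t")


def accepted(parser, raw: bytes) -> bool:
    """True if the parser accepts raw, False if it raises ValueError."""
    try:
        parser(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real traffic.
    for raw in (b"42", b"+42", b"-1", b"4_2"):
        print("Content-Length", raw, accepted(parse_content_length, raw))
    for raw in (b"1a", b"1A;name=value", b"0x1a", b"1a;na\x00me"):
        print("chunk-size", raw, accepted(parse_chunk_size_line, raw))
    print(strip_header_value(b"\x0bchunked\x0c"))
```

A front end and a back end that disagree on any of these inputs can frame the same byte stream as different requests, which is why each rule rejects rather than normalises.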