-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: mips64el
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: mips64el Build Daemon (mipsel-osuosl-02)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
     and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
       removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that could
     permit HTTP request smuggling: disallow signed Content-Length headers,
     forbid illegal characters in chunked extensions, forbid 0x prefix to
     chunk lengths, and only strip space and horizontal tab from header
     values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
Checksums-Sha1:
 f3971ceb6b98bf2d1a347cf14ced93edc4de4592 68768 python-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 6c19db4b6d909eeaba5e96758b18ee3ea2afe011 23208 python-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 51bdf31111772c1aa4bd685b96c4467efa800b72 56284 python3-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 5e4bd8b29f30c4f7fe6fd3ac4a7141ab6b7f5d5e 19776 python3-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 e9a2165ff841832ba96c551cd96248a26aef0415 9235 twisted_18.9.0-3+deb10u1_mips64el-buildd.buildinfo
Checksums-Sha256:
 63f66a19d1cd12cf651be1e15ae6aa3612093dbc697cbecce52423c6777a3199 68768 python-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 8705f7378c038c207bdf06d07d4dcaed3c5297fdcee1540a02ec25dfd1d5e0ae 23208 python-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 23e1e08f93bbe6a276e5c8562c5953f3aab3538428bcd5b27743ca4d521bed7a 56284 python3-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 98d0a5970f1c3b8aebf08ad9f4d9f80c0c1bff64ab15d39d133526654454e671 19776 python3-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 29dbfa35a1b8a2f4c8e8b843a9a574c28763480673cc2396d40bc739341de41d 9235 twisted_18.9.0-3+deb10u1_mips64el-buildd.buildinfo
Files:
 2ce02055f9bd9a5daa83fb3a9bb15747 68768 debug optional python-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 ff5fbd31f6c8577531bdd9a6451ab0be 23208 python optional python-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 9011186093768b1341a9433359f19a64 56284 debug optional python3-twisted-bin-dbg_18.9.0-3+deb10u1_mips64el.deb
 becd96a3d63de81d697527614d88a3e4 19776 python optional python3-twisted-bin_18.9.0-3+deb10u1_mips64el.deb
 0113ae73d7a867b7750fa11717b8b4bd 9235 python optional twisted_18.9.0-3+deb10u1_mips64el-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3MoVZ9ZwC61enleHma0LVKlb6LIFAmKAHOIACgkQma0LVKlb
6LL09w//YU9B5f4KMtVhfZwbJSG+2X1im75sgs0idqvm6Czkch5R2VKkizO/llKO
euQrdx5+5GWcfc6DSo+PAhY2IcF1VIWaqR1RZLxZG/WKLbGb+/VCVJ6CBOVugr5a
j80/P2wVSlYdoBnZZj5S9snEWI/hndgUPFeLdPA+LWKNY7njImgb7BEuAEV9V1cP
yR+S3mPawFw6RMQlPaG2jsN8JLJ+vjj9dV+2XbVK6FEGbR/Qsy8Ypf+mbKtMSQDw
UZcAWmyjbfMusAkB8r8kVo8A8Nbqoa75nTVOE5/XxFEID75HiA7AyJ242CarTRkI
RewwHK8oMHjlkvO5XvCHMxtsgOF8ELLcIPesuzeOBe3s8oQ1X+oQxjMEBeELuFTG
mWvJ3M6vCjkwDy2DZx3taq0IrjSfbXSCnvpAugNT2uY1ul+47UT6x6N79L+DVzOv
jirqWdufeGnOsBLkUE7SYA1/UbZ2Op4LRCzCO/gvfsEHrrWRRzeKZbfPXKWwBgzh
AqpZXv00nQqwSuKSHUgDTmhgumwkfIWX057QkK+qN+msuoS9MBsbfEUpE3I/9Itv
TxzHym4gy1DrpCjUcuxtMGptaP71CCh3WTCNfsg7RoIP007NmHuw1z27fAnMiS5A
ZcnNjbrrr+uLFUdWRBLwouvfDk5xd4Komr/1UZsRZQlE/yYmoAI=
=pxSg
-----END PGP SIGNATURE-----
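The CVE-2022-24801 entry in the signed changelog above names four parsing rules: no signed Content-Length, no illegal characters in chunk extensions, no 0x prefix on chunk sizes, and only SP/HTAB stripped from header values. The following block, added here as an illustration and not taken from Twisted or from the Debian patches, implements those rules in a small strict framing parser placed beside the lax behaviour they replace, so the two can be run on the same bytes and compared. Function names, the FramingError class and the sample messages in the assertions are this example's own.

```python
"""
Added example (not Twisted's code): the framing checks described for
CVE-2022-24801, as a strict parser beside the lax one it replaces.
Function names and sample inputs are this example's own.
"""
import re

# RFC 7230 token characters (chunk-ext names and values), a simplified
# quoted-string, hex digits for chunk-size and decimal digits for
# Content-Length.  None of them admit a sign, a "0x" prefix or whitespace.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_QUOTED = re.compile(rb'^"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"$')
_HEXDIG = re.compile(rb"^[0-9A-Fa-f]+$")
_DIGITS = re.compile(rb"^[0-9]+$")
_OWS = b" \t"  # the only whitespace RFC 7230 lets a parser trim around a field value


class FramingError(ValueError):
    """Raised where a hardened server should answer 400 and close the connection."""


def strip_header_value(raw: bytes, strict: bool = True) -> bytes:
    # bytes.strip() with no argument also removes \n, \r, \x0b and \x0c.  A
    # front end that trims only SP/HTAB then sees a different value than a
    # back end that trims everything, which is the disagreement smuggling needs.
    return raw.strip(_OWS) if strict else raw.strip()


def content_length(raw: bytes, strict: bool = True) -> int:
    value = strip_header_value(raw, strict)
    if strict:
        if not _DIGITS.match(value):          # 1*DIGIT only: "+5", "-0", "5_0" are refused
            raise FramingError(f"bad Content-Length: {value!r}")
        return int(value)
    # Lax form: int() happily accepts "+5", "-0", "5_0" and surrounding whitespace.
    return int(value)


def chunk_size(line: bytes, strict: bool = True) -> int:
    """Parse 'chunk-size *( ";" chunk-ext-name [ "=" chunk-ext-val ] )'."""
    size, sep, ext = line.partition(b";")
    if not strict:
        # int(x, 16) accepts "0x1A", "+1a" and whitespace, and the extension
        # is never looked at, so junk there is silently tolerated.
        return int(size, 16)
    if not _HEXDIG.match(size):               # forbids "0x", signs and whitespace
        raise FramingError(f"bad chunk-size: {size!r}")
    if sep:
        for piece in ext.split(b";"):
            name, eq, val = piece.partition(b"=")
            if not _TOKEN.match(name):        # illegal characters in the extension
                raise FramingError(f"bad chunk-ext name: {name!r}")
            if eq and not (_TOKEN.match(val) or _QUOTED.match(val)):
                raise FramingError(f"bad chunk-ext value: {val!r}")
    return int(size, 16)


def decode_chunked(body: bytes, strict: bool = True) -> bytes:
    """Walk a chunked body and return the payload.  Trailer fields are ignored."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size = chunk_size(body[pos:end], strict)
        pos = end + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data does not match chunk-size")
        out += chunk
        pos += size + 2


def is_rejected(parser, raw: bytes) -> bool:
    """True if the strict parser refuses `raw`; the outcome a regression test wants."""
    try:
        parser(raw, strict=True)
    except FramingError:
        return True
    return False
```

Each input that the lax functions accept and the strict ones reject (a leading "+", a vertical tab next to the digits, a "0x" prefix, a space inside a chunk-extension name) is one where two hops in a proxy chain can legitimately disagree about where the body ends; refusing the request outright is the only answer that keeps both hops in sync.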
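Two of the client-side entries in the changelog above describe checks that are easy to state but easy to get subtly wrong: CVE-2019-12387 (a method or URI containing CR/LF lets a caller write a second request line) and CVE-2022-21712 (Cookie and Authorization must not follow a redirect to another origin). The block below is an added illustration of both, not Twisted's implementation or the Debian patches; the function names, the origin comparison and the sample URLs are this example's own assumptions.

```python
"""
Added example (not Twisted's code): the two client-side checks named in the
changelog, CVE-2019-12387 (no control characters in the request line) and
CVE-2022-21712 (drop credential headers on a cross-origin redirect).
Names, the origin rule and sample values are this example's own.
"""
import re
from urllib.parse import urlsplit

# Any control byte or space would terminate or split the request line, so a
# value carrying one can never be written into "METHOD SP URI SP version CRLF".
_BAD_IN_REQUEST_LINE = re.compile(rb"[\x00-\x20\x7f]")
_SENSITIVE = frozenset({b"cookie", b"authorization", b"proxy-authorization"})
_DEFAULT_PORT = {b"http": 80, b"https": 443}


def check_request_line_part(value: bytes, what: str) -> bytes:
    """Reject a method or URI that would let the caller inject a second line."""
    if _BAD_IN_REQUEST_LINE.search(value):
        raise ValueError(f"{what} contains a control character or space: {value!r}")
    return value


def build_request_line(method: bytes, uri: bytes) -> bytes:
    return b"%s %s HTTP/1.1\r\n" % (
        check_request_line_part(method, "method"),
        check_request_line_part(uri, "uri"),
    )


def request_line_rejected(method: bytes, uri: bytes) -> bool:
    try:
        build_request_line(method, uri)
    except ValueError:
        return True
    return False


def same_origin(a: bytes, b: bytes) -> bool:
    """Scheme, host and effective port must all match; a path change is fine."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port or _DEFAULT_PORT.get(ua.scheme)) == (
        ub.scheme, ub.hostname, ub.port or _DEFAULT_PORT.get(ub.scheme))


def headers_for_redirect(headers: dict, from_url: bytes, to_url: bytes) -> dict:
    """Headers to send on the follow-up request: credentials stay only within the origin."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in _SENSITIVE}
```

The origin rule deliberately treats an https to http downgrade on the same host as a different origin, so a redirect that drops TLS also drops the bearer token; a port-only difference (443 spelled out versus implied) does not.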