Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: mipsel
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-manda-05)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
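The four parsing rules named in the CVE-2022-24801 entry, sketched as an added Python example (not Twisted's code and not part of this upload). The function names, the set of bytes treated as illegal in a chunk extension, and the sample inputs are assumptions made for illustration.

```python
import re

_HEX = re.compile(rb"[0-9A-Fa-f]+")
# Assumption: "illegal" extension bytes are control characters other than
# HTAB, plus DEL; the changelog entry does not spell the set out.
_BAD_EXT = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")

def parse_content_length(value: bytes) -> int:
    """Accept only a run of ASCII digits; int() alone would take b'+42'."""
    if not value.isdigit():
        raise ValueError("invalid Content-Length: %r" % value)
    return int(value)

def strip_header_value(raw: bytes) -> bytes:
    # bytes.strip() with no argument would also remove VT, FF, CR and LF.
    return raw.strip(b" \t")

def parse_chunk_header(line: bytes) -> int:
    """Parse 'size[;extension]' from a chunk header line (CRLF removed)."""
    size, _, ext = line.partition(b";")
    # int(b"0x1a", 16) returns 26, so the digits are checked before converting.
    if not _HEX.fullmatch(size):
        raise ValueError("invalid chunk size: %r" % size)
    if _BAD_EXT.search(ext):
        raise ValueError("illegal byte in chunk extension: %r" % ext)
    return int(size, 16)

def check(func, sample):
    """Return the parsed value, or the string 'rejected' for a refused input."""
    try:
        return func(sample)
    except ValueError:
        return "rejected"

# Constructed sample inputs, one accepted and one refused form per rule.
SAMPLES = [
    (parse_content_length, b"42"),
    (parse_content_length, b"+42"),
    (parse_chunk_header, b"1a;name=value"),
    (parse_chunk_header, b"0x1a"),
    (parse_chunk_header, b"1a;name=\x00value"),
    (strip_header_value, b" \x0bchunked\t"),
]

if __name__ == "__main__":
    for func, sample in SAMPLES:
        print(func.__name__, sample, "->", check(func, sample))
```

Each lenient form is one that a front-end proxy and the back-end server may interpret differently, which is the disagreement request smuggling depends on.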