-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: ppc64el
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-unicamp-01)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
     and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
       removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.