-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python3-twisted-bin python3-twisted-bin-dbg
Architecture: s390x
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Stefano Rivera
Description:
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python3-twisted-bin - Event-based framework for internet applications
 python3-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP
     cookie and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers
       are removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large
     packets are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that
     could permit HTTP request smuggling: disallow signed Content-Length
     headers, forbid illegal characters in chunked extensions, forbid 0x
     prefix to chunk lengths, and only strip space and horizontal tab from
     header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.