Your message dated Mon, 23 Mar 2020 20:57:24 +0000
with message-id <e1jgu8s-000gye...@fasolo.debian.org>
and subject line Bug#953950: fixed in twisted 18.9.0-7
has caused the Debian Bug report #953950,
regarding twisted: CVE-2020-10108 CVE-2020-10109
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
953950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twisted
Version: 18.9.0-6
Severity: important
Tags: security upstream
Control: found -1 19.10.0~rc1-1
Control: found -1 18.9.0-3
Control: found -1 16.6.0-2
Hi,
The following vulnerabilities were published for twisted.
CVE-2020-10108[0]:
| In Twisted Web through 19.10.0, there was an HTTP request splitting
| vulnerability. When presented with two content-length headers, it
| ignored the first header. When the second content-length value was set
| to zero, the request body was interpreted as a pipelined request.
CVE-2020-10109[1]:
| In Twisted Web through 19.10.0, there was an HTTP request splitting
| vulnerability. When presented with a content-length and a chunked
| encoding header, the content-length took precedence and the remainder
| of the request body was interpreted as a pipelined request.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108
[1] https://security-tracker.debian.org/tracker/CVE-2020-10109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109
[2] https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
Regards,
Salvatore
--- End Message ---
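Both CVEs above are instances of ambiguous message framing: the server had to pick a body length from headers that disagreed, and the leftover bytes were then read as a second, "pipelined" request. RFC 7230 section 3.3.3 says such requests must be rejected rather than resolved by preference. The following is an added example written for this thread, not Twisted's code or the Debian patch; it parses a request head and refuses any request where two Content-Length values conflict or Content-Length and Transfer-Encoding appear together. The sample requests at the bottom are constructed for the test, and the header names and functions are this example's own.

```python
"""Reject HTTP/1.1 requests whose body length cannot be determined unambiguously.

Added example (not part of Twisted or the Debian package): applies the framing
rules of RFC 7230 section 3.3.3 strictly, so that a request matching the shape
described in CVE-2020-10108 (two differing Content-Length headers) or
CVE-2020-10109 (Content-Length plus Transfer-Encoding) is refused instead of
being partly interpreted as a second request.
"""
from dataclasses import dataclass


class FramingError(ValueError):
    """Raised when the request's message framing is ambiguous or malformed."""


@dataclass
class Framing:
    kind: str          # "length", "chunked" or "none"
    length: int = 0    # meaningful only when kind == "length"


def parse_headers(raw: bytes):
    """Split a raw request head into (request_line, [(lowercased name, value), ...])."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No colon, or whitespace inside the field name, is a malformed line.
        if not colon or not name or b" " in name or b"\t" in name:
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return request_line, headers


def determine_framing(headers) -> Framing:
    """Decide how the body is delimited; any conflict is an error, never a guess."""
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]

    if lengths and encodings:
        # Shape behind CVE-2020-10109. The RFC says Transfer-Encoding wins and
        # Content-Length must be discarded; a server that instead honoured the
        # length left the rest of the chunked body to be read as a new request.
        # Refusing outright also protects against an upstream proxy that
        # resolves the conflict differently.
        raise FramingError("Content-Length and Transfer-Encoding both present")

    if encodings:
        codings = [c.strip().lower() for v in encodings for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer-coding is not chunked")
        return Framing("chunked")

    if lengths:
        # The field may be repeated or carry a comma list; all values must agree.
        values = set()
        for field in lengths:
            for item in field.split(","):
                values.add(item.strip())
        if len(values) != 1:
            # Shape behind CVE-2020-10108: the two values disagree.
            raise FramingError("conflicting Content-Length values: %s" % sorted(values))
        (value,) = values
        if not value.isdigit():
            raise FramingError("non-numeric Content-Length: %r" % value)
        return Framing("length", int(value))

    return Framing("none")


def check_request(raw: bytes) -> Framing:
    """Parse a raw request head and return its framing, or raise FramingError."""
    _request_line, headers = parse_headers(raw)
    return determine_framing(headers)


def is_ambiguous(raw: bytes) -> bool:
    """True when the request should be refused because its framing is not unique."""
    try:
        check_request(raw)
    except FramingError:
        return True
    return False


# Constructed sample request heads for the checks below (not taken from the advisory).
CLEAN = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
DUP_CL = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
CL_TE = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("chunked", CHUNKED), ("dup-cl", DUP_CL), ("cl-te", CL_TE)]:
        print(label, "rejected" if is_ambiguous(sample) else "accepted")
```

The same check is useful at a reverse proxy or WAF in front of an unpatched server: refusing the ambiguous request there means the backend never sees two possible framings, and a count of such rejections in the proxy log is a direct indicator of smuggling attempts against the fleet.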
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-7
Done: Andrej Shadura <andre...@debian.org>
We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated twisted package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 23 Mar 2020 20:49:21 +0100
Source: twisted
Architecture: source
Version: 18.9.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 930389 930626 948560 953950
Changes:
twisted (18.9.0-7) unstable; urgency=medium
.
[ Marc Deslauriers ]
* SECURITY UPDATE: incorrect URI and HTTP method validation
- debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
src/twisted/web/_newclient.py, src/twisted/web/client.py,
src/twisted/web/test/injectionhelpers.py,
src/twisted/web/test/test_agent.py,
src/twisted/web/test/test_webclient.py.
- CVE-2019-12387
- Closes: #930389
* SECURITY UPDATE: incorrect cert validation in XMPP support
- debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
certificate checking.
- CVE-2019-12855
- Closes: #930626
* SECURITY UPDATE: HTTP/2 denial of service issues
- debian/patches/CVE-2019-951x.patch: buffer outbound control frames
and timeout invalid clients in src/twisted/web/_http2.py,
src/twisted/web/error.py, src/twisted/web/http.py,
src/twisted/web/test/test_http.py,
src/twisted/web/test/test_http2.py.
- CVE-2019-9511
- CVE-2019-9514
- CVE-2019-9515
* SECURITY UPDATE: request smuggling attacks
- debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
duplication in src/twisted/web/test/test_http.py.
- debian/patches/CVE-2020-1010x.patch: fix several request smuggling
attacks in src/twisted/web/http.py,
src/twisted/web/test/test_http.py.
- CVE-2020-10108
- CVE-2020-10109
- Closes: #953950
.
[ Emmanuel Arias ]
* Add patch to fix SyntaxWarning (Closes: #948560).
Checksums-Sha1:
3c43921a889a3b58ff635de0d4380641452a2d18 3363 twisted_18.9.0-7.dsc
7e45bebe2aa6dccd1fcdcc3b5d93a21a1395adee 41712 twisted_18.9.0-7.debian.tar.xz
Checksums-Sha256:
b97af62d2b050c3702f88e603ae488d45618bc3a389ffb0bc8099fb52752d90b 3363 twisted_18.9.0-7.dsc
fb428c0256ff81fc2e03815e511151a4c6f1fac7c4330b12388e7a466acdb13d 41712 twisted_18.9.0-7.debian.tar.xz
Files:
09212cffe8e7d2f6acabc567fe2fac02 3363 python optional twisted_18.9.0-7.dsc
1284d646560c4ca87c8979f893d02859 41712 python optional twisted_18.9.0-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAl55EvkACgkQXkCM2RzY
OdKz7Af/Rrni523VhMNJP7r2XieyoYcBDG7wflZQZxvn7xa8N2ZBKmjCsiJRCOEf
9mKMWD/MqkiG7SejeCg9y0F2xWNGEjDuFfpoxoRoCsmyesNfMZS6Cs46wvOZ8kIe
KNAmsTbsU9JJ/KtiJRAgi0dL3zKyI/ir+t3w3TaA1jzO1l563+o3ugP84YwEl13R
gOG/YhkKw1lCalgtm5gBJizXYXno2sA8Ho97GIqCT/mnzwcw/Bz9wglAwpoiiZ11
+YLOzwvcYoXO9iXa3Vm++Jrov/3JWFG86KlSTa5N5+pXej87N1le/UpF5MokWrYA
rCu9SPcPi5uIZC3qeOEEPOic5b3x3A==
=wT0s
-----END PGP SIGNATURE-----
--- End Message ---