Your message dated Mon, 23 Mar 2020 20:57:36 +0000
with message-id <e1jgu8e-000h1e...@fasolo.debian.org>
and subject line Bug#930389: fixed in twisted 18.9.0-8
has caused the Debian Bug report #930389,
regarding twisted: CVE-2019-12387
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
930389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930389
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for twisted.
CVE-2019-12387[0]:
| In Twisted before 19.2.1, twisted.web did not validate or sanitize
| URIs or HTTP methods, allowing an attacker to inject invalid
| characters such as CRLF.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
[1] https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
[2]
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
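The class of check the advisory above describes, as an added example written for this page (it is not Twisted's own patch and not the reporter's code). It assumes an RFC 7230 token grammar for the method and printable non-whitespace US-ASCII for the request-target, so a CR or LF can never be concatenated into the request line.

```python
import re

# Illustrative check for the class of bug in CVE-2019-12387, written for this
# page; it is not Twisted's own patch.  Assumptions: a method must be an
# RFC 7230 token, and a request-target must be printable US-ASCII with no
# whitespace, so a CR or LF can never reach the request line.
_TOKEN_CHARS = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
_TARGET_CHARS = re.compile(rb"\A[\x21-\x7e]+\Z")


def ensure_valid_method(method: bytes) -> bytes:
    """Return method unchanged, or raise ValueError if it is not a token."""
    if not _TOKEN_CHARS.match(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def ensure_valid_target(uri: bytes) -> bytes:
    """Return uri unchanged, or raise ValueError on CR, LF, whitespace or
    any byte outside printable US-ASCII."""
    if not _TARGET_CHARS.match(uri):
        raise ValueError("invalid request-target: %r" % (uri,))
    return uri


def build_request_line(method: bytes, uri: bytes, validate: bool = True) -> bytes:
    """Assemble 'METHOD target HTTP/1.1\\r\\n'.  validate=False reproduces the
    unchecked concatenation the advisory describes: an embedded CRLF in
    either field becomes an extra line on the wire."""
    if validate:
        method = ensure_valid_method(method)
        uri = ensure_valid_target(uri)
    return method + b" " + uri + b" HTTP/1.1\r\n"


def count_wire_lines(request_line: bytes) -> int:
    """CRLF-terminated lines actually sent; anything above 1 is injection."""
    return request_line.count(b"\r\n")


# Constructed inputs: a benign target and one carrying an embedded CRLF.
BENIGN_TARGET = b"/index.html"
CRLF_TARGET = b"/index.html\r\nX-Injected: 1"

if __name__ == "__main__":
    print(build_request_line(b"GET", BENIGN_TARGET))
    print(count_wire_lines(build_request_line(b"GET", CRLF_TARGET, False)))
```

With validation on, the CRLF-bearing target raises ValueError before any bytes are produced; with it off, the same input yields two wire lines instead of one.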
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-8
Done: Andrej Shadura <andre...@debian.org>
We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated twisted package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 23 Mar 2020 21:14:09 +0100
Source: twisted
Architecture: source
Version: 18.9.0-8
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 930389 930626 948560 953950
Changes:
twisted (18.9.0-8) unstable; urgency=high
.
  * A no-change upload to set urgency to high since the upload
    fixes security issues.
.
twisted (18.9.0-7) unstable; urgency=medium
.
  [ Marc Deslauriers ]
  * SECURITY UPDATE: incorrect URI and HTTP method validation
    - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
      src/twisted/web/_newclient.py, src/twisted/web/client.py,
      src/twisted/web/test/injectionhelpers.py,
      src/twisted/web/test/test_agent.py,
      src/twisted/web/test/test_webclient.py.
    - CVE-2019-12387
    - Closes: #930389
  * SECURITY UPDATE: incorrect cert validation in XMPP support
    - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
      certificate checking.
    - CVE-2019-12855
    - Closes: #930626
  * SECURITY UPDATE: HTTP/2 denial of service issues
    - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
      and timeout invalid clients in src/twisted/web/_http2.py,
      src/twisted/web/error.py, src/twisted/web/http.py,
      src/twisted/web/test/test_http.py,
      src/twisted/web/test/test_http2.py.
    - CVE-2019-9511
    - CVE-2019-9514
    - CVE-2019-9515
  * SECURITY UPDATE: request smuggling attacks
    - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
      duplication in src/twisted/web/test/test_http.py.
    - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
      attacks in src/twisted/web/http.py,
      src/twisted/web/test/test_http.py.
    - CVE-2020-10108
    - CVE-2020-10109
    - Closes: #953950
.
  [ Emmanuel Arias ]
  * Add patch to fix SyntaxWarning (Closes: #948560).
.
  [ Moritz Muehlenhoff ]
  * Remove Suggests on python-gtk2/python-glade2, which is being removed.
--- End Message ---