Your message dated Mon, 23 Mar 2020 20:57:36 +0000
with message-id <e1jgu8e-000h1u...@fasolo.debian.org>
and subject line Bug#953950: fixed in twisted 18.9.0-8
has caused the Debian Bug report #953950,
regarding twisted: CVE-2020-10108 CVE-2020-10109
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
953950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twisted
Version: 18.9.0-6
Severity: important
Tags: security upstream
Control: found -1 19.10.0~rc1-1
Control: found -1 18.9.0-3
Control: found -1 16.6.0-2

Hi,

The following vulnerabilities were published for twisted.

CVE-2020-10108[0]:
| In Twisted Web through 19.10.0, there was an HTTP request splitting
| vulnerability. When presented with two content-length headers, it
| ignored the first header. When the second content-length value was set
| to zero, the request body was interpreted as a pipelined request.


CVE-2020-10109[1]:
| In Twisted Web through 19.10.0, there was an HTTP request splitting
| vulnerability. When presented with a content-length and a chunked
| encoding header, the content-length took precedence and the remainder
| of the request body was interpreted as a pipelined request.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-10108
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108
[1] https://security-tracker.debian.org/tracker/CVE-2020-10109
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109
[2] https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR

Regards,
Salvatore

--- End Message ---
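Both advisories above describe the same root cause: the server picked one body-length rule when the framing headers were ambiguous. The following is an added example, not Twisted's own code, contrasting the precedence the advisories describe with a strict framing decision that rejects such requests outright (RFC 7230 section 3.3.3); the two sample request heads are constructed here.

```python
"""Added example, not Twisted's code: deciding HTTP/1.1 request framing."""
import re

# Constructed request heads (not from the advisory) for the two CVE cases.
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

class AmbiguousFraming(ValueError):
    """Request must be rejected with 400 rather than guessed at."""

def parse_headers(raw):
    """Return [(lowercased name, value), ...] from a raw request head."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")[1:]
    return [(n.strip().lower(), v.strip())
            for n, _, v in (line.partition(b":") for line in lines)]

def naive_body_length(headers):
    """Precedence the advisory describes: last Content-Length wins, and
    Content-Length beats Transfer-Encoding: chunked."""
    length, chunked = None, False
    for name, value in headers:
        if name == b"content-length":
            length = int(value)            # earlier header silently dropped
        elif name == b"transfer-encoding" and value.lower() == b"chunked":
            chunked = True
    if length is not None:                 # Content-Length takes precedence
        return length
    return "chunked" if chunked else 0

def strict_body_length(headers):
    """Hardened rule: never both Content-Length and Transfer-Encoding;
    repeated Content-Length values must agree and be a plain decimal
    integer; anything else is rejected instead of guessed."""
    lengths = [v for n, v in headers if n == b"content-length"]
    encodings = [v for n, v in headers if n == b"transfer-encoding"]
    if lengths and encodings:
        raise AmbiguousFraming("Content-Length with Transfer-Encoding")
    if encodings:                          # only chunked is handled here
        if encodings[-1].lower() != b"chunked":
            raise AmbiguousFraming("unsupported Transfer-Encoding")
        return "chunked"
    if not lengths:
        return 0
    # int() alone would accept "+5" or " 5"; require plain digits.
    if len(set(lengths)) != 1 or not re.fullmatch(rb"[0-9]+", lengths[0]):
        raise AmbiguousFraming("conflicting or malformed Content-Length")
    return int(lengths[0])
```

With the naive rule, DOUBLE_CL yields a body length of 0 (so "hello" is read as the start of a pipelined request) and CL_AND_TE yields 4; the strict rule refuses both.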
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-8
Done: Andrej Shadura <andre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated twisted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 23 Mar 2020 21:14:09 +0100
Source: twisted
Architecture: source
Version: 18.9.0-8
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 930389 930626 948560 953950
Changes:
 twisted (18.9.0-8) unstable; urgency=high
 .
   * A no-change upload to set urgency to high since the upload
     fixes security issues.
 .
 twisted (18.9.0-7) unstable; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Closes: #930389
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Closes: #930626
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Closes: #953950
 .
   [ Emmanuel Arias ]
   * Add patch to fix SyntaxWarning (Closes: #948560).
 .
   [ Moritz Muehlenhoff ]
   * Remove Suggests on python-gtk2/python-glade2, which is being removed.


--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
