Guido Günther writes:
> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).
My conclusions (for wheezy-security) are that:
* Neither twisted nor twisted-web actually has a vulnerability.
* It is possible
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
>
Hi,
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
>
Salvatore Bonaccorso writes:
> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>>
Hi,
Just a quick comment on:
On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.
Looking at the
Free Ekanayaka writes:
> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.
So I created the following
Hi,
I had a quick look at the code too (both in wheezy and jessie), but I
couldn't find the offending bits. Perhaps it'd be good to put together a
small web server and see what happens when you pass the 'Proxy' header.
Free
On 5 August 2016 at 10:26, Brian May wrote:
> This
This security vulnerability is described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1357345
as:
"sets environmental variable based on user supplied Proxy request
header"
In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request
Hello,
I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say yes
go ahead please. Thanks
Free
On 28 July 2016 at 22:37, Thorsten Alteholz wrote:
> Hello dear maintainer(s),
>
> the
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of twisted:
https://security-tracker.debian.org/tracker/CVE-2016-1000111
Would you like to take care of this yourself?
If yes, please follow the workflow we have