Re: Wheezy update of twisted?

2016-08-10 Thread Brian May
Guido Günther writes: > Thanks for having a look! I've added twisted-web to dla-needed.txt as > well (Salvatore already updated data/CVE/list). My conclusions (for wheezy-security) are that: * Neither twisted nor twisted-web actually has a vulnerability. * It is possible

Re: Wheezy update of twisted?

2016-08-09 Thread Guido Günther
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote: > Salvatore Bonaccorso writes: > > > Hi, > > > > Just a quick comment on: > > > > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote: > >> I am inclined to say that no version of twisted, by itself, has this >

Re: Wheezy update of twisted?

2016-08-09 Thread Salvatore Bonaccorso
Hi, On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote: > But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old - > and twisted/web/twcgi.py is in the upstream git repository for the > twisted-12.0.0 tag. > > Oh, I see, it looks like the source was split up for the Debian >

Re: Wheezy update of twisted?

2016-08-09 Thread Brian May
Salvatore Bonaccorso writes: > Hi, > > Just a quick comment on: > > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote: >> I am inclined to say that no version of twisted, by itself, has this >> vulnerability. However like I said earlier it is possible that >>

Re: Wheezy update of twisted?

2016-08-08 Thread Salvatore Bonaccorso
Hi, Just a quick comment on: On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote: > I am inclined to say that no version of twisted, by itself, has this > vulnerability. However like I said earlier it is possible that > applications that use twisted have this vulnerability. Looking at the

Re: Wheezy update of twisted?

2016-08-08 Thread Brian May
Free Ekanayaka writes: > I had a quick look at the code too (both in wheezy and jessie), but I > couldn't find the offending bits. Perhaps it'd be good to put together a > small web server and see what happens when you pass the 'Proxy' > header. So I created the following

Re: Wheezy update of twisted?

2016-08-05 Thread Free Ekanayaka
Hi, I had a quick look at the code too (both in wheezy and jessie), but I couldn't find the offending bits. Perhaps it'd be good to put together a small web server and see what happens when you pass the 'Proxy' header. Free On 5 August 2016 at 10:26, Brian May wrote: > This

Re: Wheezy update of twisted?

2016-08-05 Thread Brian May
This security vulnerability is described here: https://bugzilla.redhat.com/show_bug.cgi?id=1357345 as: "sets environmental variable based on user supplied Proxy request header" In particular it is talking about HTTP_PROXY, and it is only a problem if the server makes an outgoing HTTP request

Re: Wheezy update of twisted?

2016-07-30 Thread Free Ekanayaka
Hello, I'm going on vacation shortly, and likely won't have time to address the bug timely enough. So unless Matthias has cycles to work on it, I'd say yes go ahead please. Thanks Free On 28 July 2016 at 22:37, Thorsten Alteholz wrote: > Hello dear maintainer(s), > > the

Wheezy update of twisted?

2016-07-28 Thread Thorsten Alteholz
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of twisted: https://security-tracker.debian.org/tracker/CVE-2016-1000111 Would you like to take care of this yourself? If yes, please follow the workflow we have