Guido Günther writes:
> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).
My conclusions (for wheezy-security) are that:
* Neither twisted nor twisted-web actually have a vulnerability.
* It is possible applications that depe
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. How
Hi,
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> p
Salvatore Bonaccorso writes:
> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted
Hi,
Just a quick comment on:
On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.
Looking at the
Free Ekanayaka writes:
> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.
So I created the following code:
=== cut ===
from
Hi,
I had a quick look at the code too (both in wheezy and jessie), but I
couldn't find the offending bits. Perhaps it'd be good to put together a
small web server and see what happens when you pass the 'Proxy' header.
Free
On 5 August 2016 at 10:26, Brian May wrote:
> This security vulnerabil
This security vulnerability is described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1357345
as:
"sets environmental variable based on user supplied Proxy request
header"
In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using
Hello,
I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say yes
go ahead please. Thanks
Free
On 28 July 2016 at 22:37, Thorsten Alteholz wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of twisted:
https://security-tracker.debian.org/tracker/CVE-2016-1000111
Would you like to take care of this yourself?
If yes, please follow the workflow we have de