[Python-modules-team] twisted_18.9.0-3+deb10u1_source.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sat May 14 15:10:56 BST 2022



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 10:01:06 -0400
Source: twisted
Architecture: source
Version: 18.9.0-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor at debian.org>
Changes:
 twisted (18.9.0-3+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Thanks Marc Deslauriers at Canonical for backporting the patches.
   * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
     and authorization headers when following cross origin redirects
     - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
       removed when forming requests, in src/twisted/web/client.py,
       src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
     - CVE-2022-21712
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
     handshake can result in a denial of service when excessively large packets
     are received
     - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
       handshake buffer is checked, prior to processing version string in
       src/twisted/conch/ssh/transport.py and
       src/twisted/conch/test/test_transport.py
     - CVE-2022-21716
     - Thanks Ray Veldkamp at Canonical for backporting the patches.
   * CVE-2022-24801: Correct several defects in HTTP request parsing that could
     permit HTTP request smuggling: disallow signed Content-Length headers,
     forbid illegal characters in chunked extensions, forbid 0x prefix to chunk
     lengths, and only strip space and horizontal tab from header values.
     - debian/patches/CVE-2022-24801-*.patch
   * Patch: remove spurious test for illegal whitespace in xmlns, to allow
     tests to pass, again.
Checksums-Sha1:
 56431e8271a6e27ed388e268e3a3dea4a2595359 3007 twisted_18.9.0-3+deb10u1.dsc
 9aa93aca05accd5a6d4afb6b91dc97716ddad6dc 52252 twisted_18.9.0-3+deb10u1.debian.tar.xz
 1f1e0057d4a1b29109ad5ae90eb056492081545f 6846 twisted_18.9.0-3+deb10u1_source.buildinfo
Checksums-Sha256:
 cfcdc1a6ff8c46407ba2c355db16b39e085391d1775f956401dae4b51844be5b 3007 twisted_18.9.0-3+deb10u1.dsc
 d8f9a768dc53473d396886ac967d3fb68493400da59d2efe02c52cad51be0602 52252 twisted_18.9.0-3+deb10u1.debian.tar.xz
 8bf49e7d9d828f4497709e16a810849a7b3ab7cf2e9d2e9eb5fb935b632ac743 6846 twisted_18.9.0-3+deb10u1_source.buildinfo
Files:
 9dfbe388fe5d053cff86d6a3e7097c5a 3007 python optional twisted_18.9.0-3+deb10u1.dsc
 25f4eda139fdec27d83d444403e477fd 52252 python optional twisted_18.9.0-3+deb10u1.debian.tar.xz
 734d9e7dfc1449d6fa5249480d12dc67 6846 python optional twisted_18.9.0-3+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYnPfnhQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2FHcAQCJCu9tAq0kJFuOegDI0GmqXFrccYA8
MfejCidFeGW/NQEAoNeraZZopzmfWuy0NJH87yLpM3iqjUZuol2gHFMX6AM=
=gtAt
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.
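The CVE-2022-24801 entry in the changelog above lists four parsing rules (unsigned Content-Length only, no illegal characters in chunk extensions, no 0x prefix on chunk sizes, strip only space and horizontal tab from header values), and the CVE-2022-21712 entry describes dropping sensitive headers on cross-origin redirects. The following is an added illustration of those rules as a small validator; it is not Twisted's code and not the Debian patches. The character classes come from RFC 7230, the header set in `_SENSITIVE_HEADERS` and the helper names (`parse_content_length`, `parse_chunk_size`, `strip_header_value`, `headers_for_redirect`, `rejects`) are this example's own assumptions, and all sample inputs are constructed.

```python
"""Strict HTTP request-framing checks, added to illustrate the changelog
entries for CVE-2022-24801 and CVE-2022-21712. Example code only: not
Twisted's implementation and not the Debian patches."""
import string
from urllib.parse import urlsplit

# tchar from RFC 7230 section 3.2.6; used for chunk-extension names and values.
_TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
_HEXDIG = b"0123456789abcdefABCDEF"
# Assumption: the minimal set of headers a client must not replay to another origin.
_SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})


class FramingError(ValueError):
    """A framing field is malformed or could be read two ways by two parsers."""


def parse_content_length(value: bytes) -> int:
    """Accept only an unsigned run of ASCII digits.

    int() would accept b"+5", b"-0" or b" 5"; a hop that does not accept them
    frames the message differently, which is the ambiguity behind request
    smuggling, so anything but bare digits is rejected rather than normalised.
    """
    if not value or not value.isdigit():
        raise FramingError("Content-Length must be unsigned ASCII digits: %r" % (value,))
    return int(value)


def _is_token(value: bytes) -> bool:
    return bool(value) and all(chr(c) in _TCHAR for c in value)


def _is_token_or_quoted(value: bytes) -> bool:
    # Simplified quoted-string: printable ASCII or HTAB between the quotes, no CTLs.
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        return all(c == 0x09 or 0x20 <= c <= 0x7E for c in value[1:-1])
    return _is_token(value)


def parse_chunk_size(line: bytes) -> int:
    """Parse ``chunk-size *( ";" ext-name [ "=" ext-val ] )`` strictly.

    int(x, 16) silently accepts a 0x prefix and a sign; a parser that does not
    would place the chunk boundary elsewhere, so both are rejected here.
    """
    size_part, sep, ext_part = line.partition(b";")
    if not size_part or any(c not in _HEXDIG for c in size_part):
        raise FramingError("chunk size must be bare hex digits: %r" % (size_part,))
    if sep:
        for ext in ext_part.split(b";"):
            name, eq, val = ext.partition(b"=")
            if not _is_token(name) or (eq and not _is_token_or_quoted(val)):
                raise FramingError("illegal chunk extension: %r" % (ext,))
    return int(size_part, 16)


def strip_header_value(value: bytes) -> bytes:
    """Strip only SP and HTAB (RFC 7230 optional whitespace).

    bytes.strip() with no argument also removes CR, LF, VT and FF, so a value
    like b"\\x0b5" would silently become b"5" while another parser still sees
    the control byte; stripping only the two OWS characters keeps both in step.
    """
    return value.strip(b" \t")


def headers_for_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Copy request headers for a redirect, dropping credential-bearing ones
    whenever the origin (scheme, host, effective port) changes."""
    def origin(url: str):
        p = urlsplit(url)
        scheme = p.scheme.lower()
        port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
        return (scheme, (p.hostname or "").lower(), port)

    if origin(original_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in _SENSITIVE_HEADERS}


def rejects(fn, value) -> bool:
    """True if fn(value) raises FramingError; used by the demo below."""
    try:
        fn(value)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for cl in (b"42", b"+42", b" 42"):
        print("Content-Length %r -> %s" % (cl, "rejected" if rejects(parse_content_length, cl) else "ok"))
    for cs in (b"1f", b"0x1f", b'0;ext="a b"'):
        print("chunk-size %r -> %s" % (cs, "rejected" if rejects(parse_chunk_size, cs) else parse_chunk_size(cs)))
    print(headers_for_redirect("https://a.example/", "https://b.example/",
                               {"Cookie": "s=1", "Authorization": "Bearer x", "Accept": "*/*"}))
```

The design choice throughout is to reject rather than normalise: a lenient parser that quietly repairs `+5` or `0x1f` is exactly what lets two hops disagree about where a message ends, which is the condition the request-smuggling entries describe.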
