diff -Nru twisted-18.9.0/debian/changelog twisted-18.9.0/debian/changelog
--- twisted-18.9.0/debian/changelog 2022-03-21 10:13:42.000000000 +0000
+++ twisted-18.9.0/debian/changelog 2023-12-04 14:02:22.000000000 +0000
@@ -1,3 +1,15 @@
+twisted (18.9.0-11ubuntu0.20.04.3) focal-security; urgency=medium
+
+ * SECURITY UPDATE: script injection via unescaped 404 response
+ - debian/patches/CVE-2022-39348.patch: fix NameVirtualHost HTML
+ injection vulnerability.
+ - CVE-2022-39348
+ * SECURITY UPDATE: Disordered HTTP pipeline response in twisted.web
+ - debian/patches/CVE-2023-46137-*.patch: handle requests in raw mode.
+ - CVE-2023-46137
+
+ -- Marc Deslauriers Mon, 04 Dec 2023 09:02:22 -0500
+
 twisted (18.9.0-11ubuntu0.20.04.2) focal-security; urgency=medium
 
 * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
diff -Nru twisted-18.9.0/debian/patches/CVE-2022-39348.patch twisted-18.9.0/debian/patches/CVE-2022-39348.patch
--- twisted-18.9.0/debian/patches/CVE-2022-39348.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2022-39348.patch 2023-12-04 14:02:22.000000000 +0000
@@ -0,0 +1,50 @@
+Description: fix NameVirtualHost HTML injection vulnerability
+Origin: obtained from Debian's 18.9.0-3+deb10u2, thanks to Dominik George
+
+--- a/src/twisted/web/vhost.py
++++ b/src/twisted/web/vhost.py
+@@ -8,6 +8,11 @@
+
+ from __future__ import division, absolute_import
+
++try:
++ from html import escape as html_escape
++except ImportError:
++ from cgi import escape as html_escape
++
+ # Twisted Imports
+ from twisted.python import roots
+ from twisted.web import resource
+@@ -83,7 +88,7 @@
+ else:
+ host = hostHeader.lower().split(b':', 1)[0]
+ return (self.hosts.get(host, self.default)
+- or resource.NoResource("host %s not in vhost map" % repr(host)))
++ or resource.NoResource("host %s not in vhost map" % html_escape(repr(host))))
+
+ def render(self, request):
+ """Implementation of resource.Resource's render method.
+--- a/src/twisted/web/test/test_vhost.py
++++ b/src/twisted/web/test/test_vhost.py
+@@ -148,6 +148,21 @@
+ return d
+
+
++ def test_renderWithHTMLHost(self):
++ """
++ L{NameVirtualHost.render} doesn't echo unescaped HTML when present in
++ the I{Host} header.
++ """
++ virtualHostResource = NameVirtualHost()
++ request = DummyRequest([''])
++ request.requestHeaders.addRawHeader(b"host", b"example.com")
++ d = _render(virtualHostResource, request)
++ def cbRendered(ignored):
++ self.assertNotIn("", request.written)
++ d.addCallback(cbRendered)
++ return d
++
++
+ def test_getChild(self):
+ """
+ L{NameVirtualHost.getChild} returns correct I{Resource} based off
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-01.patch twisted-18.9.0/debian/patches/CVE-2023-46137-01.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-01.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-01.patch 2023-12-04 13:58:29.000000000 +0000
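Review bot: As printed here, `test_renderWithHTMLHost` cannot fail, so the escaping added in vhost.py has no regression guard: the Host value `b"example.com"` carries no markup, and `assertNotIn("", request.written)` compares a str against `request.written` as a whole instead of searching the response body (if `written` is a list of byte chunks, which DummyRequest's definition outside this patch would confirm, the check passes for any response). The tags may have been lost when this page was rendered, but the assertion shape is worth fixing either way: send a header that does carry markup, e.g. `b"<b>example</b>.com"` (constructed sample), and assert `self.assertNotIn(b"<b>", b"".join(request.written))`. Separately, the escaping is applied at this one call site only; whether other `resource.NoResource` messages built from request data are escaped depends on code not shown in the patch.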
@@ -0,0 +1,121 @@
+Backport of:
+
+From d87aababab668190d0b4c8e6c3c679d297d1efc2 Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Sun, 10 Sep 2023 22:36:38 -0700
+Subject: [PATCH 01/12] test & fix
+
+---
+ src/twisted/web/http.py | 18 ++++++++------
+ src/twisted/web/test/test_web.py | 41 +++++++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 8 deletions(-)
+
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2043,6 +2043,9 @@ class HTTPChannel(basic.LineReceiver, po
+ Called for each line from request until the end of headers when
+ it enters binary mode.
+ """
++ assert (
++ not self._handlingRequest
++ ), "when handling a request, we MUST be in raw mode to buffer the incoming data without parsing it"
+ self.resetTimeout()
+
+ self._receivedHeaderSize += len(line)
+@@ -2221,15 +2224,18 @@ class HTTPChannel(basic.LineReceiver, po
+
+ self._handlingRequest = True
+
++ # We go into raw mode here even though we will be receiving lines next
++ # in the protocol; however, this data will be buffered and then passed
++ # back to line mode in the setLineMode call in requestDone.
++ self.setRawMode()
++
+ req = self.requests[-1]
+ req.requestReceived(command, path, version)
+
+
+- def dataReceived(self, data):
+- """
+- Data was received from the network. Process it.
+- """
+- # If we're currently handling a request, buffer this data.
++ def rawDataReceived(self, data):
++ # If we're currently handling a request, we'll be in raw mode. Buffer
++ # any data.
+ if self._handlingRequest:
+ self._dataBuffer.append(data)
+ if (
+@@ -2243,10 +2249,7 @@ class HTTPChannel(basic.LineReceiver, po
+ # ready. See docstring for _optimisticEagerReadSize above.
+ self._networkProducer.pauseProducing()
+ return
+- return basic.LineReceiver.dataReceived(self, data)
+-
+
+- def rawDataReceived(self, data):
+ self.resetTimeout()
+
+ try:
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -7,6 +7,7 @@ Tests for various parts of L{twisted.web
+
+ import os
+ import zlib
++from typing import List
+
+ from zope.interface import implementer
+ from zope.interface.verify import verifyObject
+@@ -24,8 +25,9 @@ from twisted.web import iweb, http, erro
+ from twisted.web.test.requesthelper import DummyChannel, DummyRequest
+ from twisted.web.static import Data
+ from twisted.logger import globalLogPublisher, LogLevel
+-from twisted.test.proto_helpers import EventLoggingObserver
+-
++from twisted.test.proto_helpers import EventLoggingObserver, StringTransport
++from twisted.web.resource import Resource
++from twisted.web.server import NOT_DONE_YET, Request, Site
+
+ class ResourceTests(unittest.TestCase):
+ def testListEntities(self):
+@@ -1798,3 +1800,39 @@ class ExplicitHTTPFactoryReactor(unittes
+ from twisted.internet import reactor
+ factory = http.HTTPFactory()
+ self.assertIs(factory._reactor, reactor)
++
++
++class QueueResource(Resource):
++ isLeaf = True
++
++ def __init__(self) -> None:
++ super().__init__()
++ self.queue: List[Request] = []
++
++ def render_GET(self, request: Request) -> int:
++ self.queue.append(request)
++ return NOT_DONE_YET
++
++
++class TestRFC9112Section932(unittest.TestCase):
++ """
++ Verify that HTTP/1.1 request ordering is preserved.
++ """
++
++ def test_multipleRequestsInOneSegment(self) -> None:
++ """
++ Twisted MUST NOT respond to a second HTTP/1.1 request while the first
++ is still pending.
++ """
++ qr = QueueResource()
++ site = Site(qr)
++ proto = site.buildProtocol(None)
++ serverTransport = StringTransport()
++ proto.makeConnection(serverTransport)
++ proto.dataReceived(
++ b"GET /first HTTP/1.1\r\nHost: a\r\n\r\n"
++ b"GET /second HTTP/1.1\r\nHost: a\r\n\r\n"
++ )
++ self.assertEqual(len(qr.queue), 1)
++ qr.queue[0].finish()
++ self.assertEqual(len(qr.queue), 2)
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-02.patch twisted-18.9.0/debian/patches/CVE-2023-46137-02.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-02.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-02.patch 2023-12-04 13:58:57.000000000 +0000
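Review bot: The two `HTTPChannel` changes in http.py are covered only by a test that pipelines two body-less GETs, and the test never inspects `serverTransport`, so it pins the number of dispatched requests and not the response order that the CVE is about. The raw-mode switch also shares `rawDataReceived` with request-body reception, and a first request that carries a body followed by a second request in the same segment is not exercised. I would add a case whose first request is a POST with a `Content-Length` body, finish the two requests with distinct payloads, and assert their order in `serverTransport.value()`. `QueueResource` defines only `render_GET`, so that case would need something like `render_POST = render_GET`; the http.py methods touched here start and end outside the hunks.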
@@ -0,0 +1,24 @@
+From 7f5446a379dea065dff28be5957aa59d00ab7f7e Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Sun, 10 Sep 2023 23:08:46 -0700
+Subject: [PATCH 02/12] explain the change
+
+---
+ src/twisted/web/newsfragments/11976.bugfix | 7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 src/twisted/web/newsfragments/11976.bugfix
+
+diff --git a/src/twisted/web/newsfragments/11976.bugfix b/src/twisted/web/newsfragments/11976.bugfix
+new file mode 100644
+index 00000000000..8ac292bef56
+--- /dev/null
++++ b/src/twisted/web/newsfragments/11976.bugfix
+@@ -0,0 +1,7 @@
++In Twisted 16.3.0, we changed twisted.web to stop dispatching HTTP/1.1
++pipelined requests to application code. There was a bug in this change which
++still allowed clients which could send multiple full HTTP requests in a single
++TCP segment to trigger asynchronous processing of later requests, which could
++lead to out-of-order responses. This has now been corrected and twisted.web
++should never process a pipelined request over HTTP/1.1 until the previous
++request has fully completed.
+
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-03.patch twisted-18.9.0/debian/patches/CVE-2023-46137-03.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-03.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-03.patch 2023-12-04 13:59:09.000000000 +0000
@@ -0,0 +1,24 @@
+From 7de50d6b704b774d7205645512517e428b7039ce Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Mon, 11 Sep 2023 08:34:19 -0700
+Subject: [PATCH 03/12] Update src/twisted/web/test/test_web.py
+
+Co-authored-by: Adi Roiban
+---
+ src/twisted/web/test/test_web.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1803,6 +1803,11 @@ class ExplicitHTTPFactoryReactor(unittes
+
+
+ class QueueResource(Resource):
++ """
++ Add all requests to an internal queue,
++ without responding to the requests.
++ You can access the requests from the queue and handle their response.
++ """
+ isLeaf = True
+
+ def __init__(self) -> None:
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-04.patch twisted-18.9.0/debian/patches/CVE-2023-46137-04.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-04.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-04.patch 2023-12-04 13:59:14.000000000 +0000
@@ -0,0 +1,24 @@
+From 36f8ff33e2385c35845b2745b8a89df1f06222f3 Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Mon, 11 Sep 2023 08:34:38 -0700
+Subject: [PATCH 04/12] Update src/twisted/web/test/test_web.py
+
+Co-authored-by: Adi Roiban
+---
+ src/twisted/web/test/test_web.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1838,6 +1838,11 @@ class TestRFC9112Section932(unittest.Tes
+ b"GET /first HTTP/1.1\r\nHost: a\r\n\r\n"
+ b"GET /second HTTP/1.1\r\nHost: a\r\n\r\n"
+ )
++ # The TCP data contains 2 requests,
++ # but only 1 request was dispatched,
++ # as the first request was not yet finalized.
+ self.assertEqual(len(qr.queue), 1)
++ # The first request is finalized and the
++ # second request is dispatched right away.
+ qr.queue[0].finish()
+ self.assertEqual(len(qr.queue), 2)
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-05.patch twisted-18.9.0/debian/patches/CVE-2023-46137-05.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-05.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-05.patch 2023-12-04 13:59:21.000000000 +0000
@@ -0,0 +1,21 @@
+From 731658108bbde2349a5ffc4550e602511b81167a Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Mon, 11 Sep 2023 08:34:52 -0700
+Subject: [PATCH 05/12] Update src/twisted/web/test/test_web.py
+
+Co-authored-by: Adi Roiban
+---
+ src/twisted/web/test/test_web.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1812,7 +1812,7 @@ class QueueResource(Resource):
+
+ def __init__(self) -> None:
+ super().__init__()
+- self.queue: List[Request] = []
++ self.dispatchedRequests: List[Request] = []
+
+ def render_GET(self, request: Request) -> int:
+ self.queue.append(request)
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-06.patch twisted-18.9.0/debian/patches/CVE-2023-46137-06.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-06.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-06.patch 2023-12-04 13:59:27.000000000 +0000
@@ -0,0 +1,21 @@
+From d6b875b58701495725967b2c58a2dd528c429762 Mon Sep 17 00:00:00 2001
+From: "pre-commit-ci[bot]"
+ <66853113+pre-commit-ci[bot]@users.noreply.github.com>
+Date: Mon, 11 Sep 2023 15:35:57 +0000
+Subject: [PATCH 06/12] [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+for more information, see https://pre-commit.ci
+---
+ src/twisted/web/test/test_web.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1808,6 +1808,7 @@ class QueueResource(Resource):
+ without responding to the requests.
+ You can access the requests from the queue and handle their response.
+ """
++
+ isLeaf = True
+
+ def __init__(self) -> None:
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-07.patch twisted-18.9.0/debian/patches/CVE-2023-46137-07.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-07.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-07.patch 2023-12-04 13:59:32.000000000 +0000
@@ -0,0 +1,32 @@
+From 4f6c8625a6354aa711e166b64dda15f8129b62d0 Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Mon, 11 Sep 2023 10:28:50 -0700
+Subject: [PATCH 07/12] change name to correspond with suggestion
+
+---
+ src/twisted/web/test/test_web.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1816,7 +1816,7 @@ class QueueResource(Resource):
+ self.dispatchedRequests: List[Request] = []
+
+ def render_GET(self, request: Request) -> int:
+- self.queue.append(request)
++ self.dispatchedRequests.append(request)
+ return NOT_DONE_YET
+
+
+@@ -1842,8 +1842,8 @@ class TestRFC9112Section932(unittest.Tes
+ # The TCP data contains 2 requests,
+ # but only 1 request was dispatched,
+ # as the first request was not yet finalized.
+- self.assertEqual(len(qr.queue), 1)
++ self.assertEqual(len(qr.dispatchedRequests), 1)
+ # The first request is finalized and the
+ # second request is dispatched right away.
+- qr.queue[0].finish()
+- self.assertEqual(len(qr.queue), 2)
++ qr.dispatchedRequests[0].finish()
++ self.assertEqual(len(qr.dispatchedRequests), 2)
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-08.patch twisted-18.9.0/debian/patches/CVE-2023-46137-08.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-08.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-08.patch 2023-12-04 13:59:40.000000000 +0000
@@ -0,0 +1,45 @@
+From 70c46ba53c4e80570f0e61a4e7dda71f34c313cc Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Tue, 12 Sep 2023 10:09:47 -0700
+Subject: [PATCH 08/12] Update src/twisted/web/test/test_web.py
+
+Co-authored-by: Adi Roiban
+---
+ src/twisted/web/test/test_web.py | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1847,3 +1847,32 @@ class TestRFC9112Section932(unittest.Tes
+ # second request is dispatched right away.
+ qr.dispatchedRequests[0].finish()
+ self.assertEqual(len(qr.dispatchedRequests), 2)
++
++ def test_multipleRequestsInDifferentSegments(self) -> None:
++ """
++ Twisted MUST NOT respond to a second HTTP/1.1 request while the first
++ is still pending, even if the second request is received in a separate
++ TCP package.
++ """
++ qr = QueueResource()
++ site = Site(qr)
++ proto = site.buildProtocol(None)
++ serverTransport = StringTransport()
++ proto.makeConnection(serverTransport)
++ raw_data = (
++ b"GET /first HTTP/1.1\r\nHost: a\r\n\r\n"
++ b"GET /second HTTP/1.1\r\nHost: a\r\n\r\n"
++ )
++ # Just go byte by byte for the extreme case in which each byte is
++ # received in a separate TCP package.
++ for chunk in iterbytes(raw_data):
++ proto.dataReceived(chunk)
++ # The TCP data contains 2 requests,
++ # but only 1 request was dispatched,
++ # as the first request was not yet finalized.
++ self.assertEqual(len(qr.dispatchedRequests), 1)
++ # The first request is finalized and the
++ # second request is dispatched right away.
++ qr.dispatchedRequests[0].finish()
++ self.assertEqual(len(qr.dispatchedRequests), 2)
++
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-09.patch twisted-18.9.0/debian/patches/CVE-2023-46137-09.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-09.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-09.patch 2023-12-04 13:59:46.000000000 +0000
@@ -0,0 +1,18 @@
+From 430c083f6ce1544f308a3d4ccfbb7f6db56f8492 Mon Sep 17 00:00:00 2001
+From: "pre-commit-ci[bot]"
+ <66853113+pre-commit-ci[bot]@users.noreply.github.com>
+Date: Tue, 12 Sep 2023 17:11:04 +0000
+Subject: [PATCH 09/12] [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+for more information, see https://pre-commit.ci
+---
+ src/twisted/web/test/test_web.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -1875,4 +1875,3 @@ class TestRFC9112Section932(unittest.Tes
+ # second request is dispatched right away.
+ qr.dispatchedRequests[0].finish()
+ self.assertEqual(len(qr.dispatchedRequests), 2)
+-
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-10.patch twisted-18.9.0/debian/patches/CVE-2023-46137-10.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-10.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-10.patch 2023-12-04 14:00:00.000000000 +0000
@@ -0,0 +1,46 @@
+From 159a6aa3a7f71dc4d96e4bf6c984793490b6734c Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Tue, 12 Sep 2023 10:14:46 -0700
+Subject: [PATCH 10/12] docstring explaining the logic, type annotation while
+ we're here
+
+---
+ src/twisted/web/http.py | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2233,9 +2233,30 @@ class HTTPChannel(basic.LineReceiver, po
+ req.requestReceived(command, path, version)
+
+
+- def rawDataReceived(self, data):
+- # If we're currently handling a request, we'll be in raw mode. Buffer
+- # any data.
++ def rawDataReceived(self, data: bytes) -> None:
++ """
++ This is called when this HTTP/1.1 parser is in raw mode rather than
++ line mode.
++
++ It may be in raw mode for one of two reasons:
++
++ 1. All the headers of a request have been received and this
++ L{HTTPChannel} is currently receiving its body.
++
++ 2. The full content of a request has been received and is currently
++ being processed asynchronously, and this L{HTTPChannel} is
++ buffering the data of all subsequent requests to be parsed
++ later.
++
++ In the second state, the data will be played back later.
++
++ @note: This isn't really a public API, and should be invoked only by
++ L{LineReceiver}'s line parsing logic. If you wish to drive an
++ L{HTTPChannel} from a custom data source, call C{dataReceived} on
++ it directly.
++
++ @see: L{LineReceive.rawDataReceived}
++ """
+ if self._handlingRequest:
+ self._dataBuffer.append(data)
+ if (
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-11.patch twisted-18.9.0/debian/patches/CVE-2023-46137-11.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-11.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-11.patch 2023-12-04 14:01:15.000000000 +0000
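Review bot: The cross-reference at the end of the new `rawDataReceived` docstring is misspelled and will not resolve; `@see: L{LineReceive.rawDataReceived}` should read `@see: L{LineReceiver.rawDataReceived}`. The signature change to `def rawDataReceived(self, data: bytes) -> None:` also puts Python-3-only syntax into http.py, while the CVE-2022-39348 patch in the same upload keeps a `cgi` import fallback for older interpreters. If this module is still imported under Python 2 anywhere in the package's build or test run (not visible here), the annotation is a syntax error, so either drop it in the backport or confirm the package is Python 3 only. The method body continues outside the hunk.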
@@ -0,0 +1,21 @@
+Backport of:
+
+From 14bd26f4c68bb2b82533f68b921f596595153170 Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Tue, 12 Sep 2023 10:29:41 -0700
+Subject: [PATCH 11/12] undefined name
+
+---
+ src/twisted/web/test/test_web.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/twisted/web/test/test_web.py
++++ b/src/twisted/web/test/test_web.py
+@@ -15,6 +15,7 @@ from zope.interface.verify import verify
+ from twisted.python import reflect, failure
+ from twisted.python.compat import unichr
+ from twisted.python.filepath import FilePath
++from twisted.python.compat import iterbytes
+ from twisted.trial import unittest
+ from twisted.internet import reactor, interfaces
+ from twisted.internet.address import IPv4Address, IPv6Address
diff -Nru twisted-18.9.0/debian/patches/CVE-2023-46137-12.patch twisted-18.9.0/debian/patches/CVE-2023-46137-12.patch
--- twisted-18.9.0/debian/patches/CVE-2023-46137-12.patch 1970-01-01 00:00:00.000000000 +0000
+++ twisted-18.9.0/debian/patches/CVE-2023-46137-12.patch 2023-12-04 14:01:28.000000000 +0000
@@ -0,0 +1,21 @@
+From 88be54dd0706457fe4db886ccc820ce0cdec00b1 Mon Sep 17 00:00:00 2001
+From: Glyph
+Date: Tue, 12 Sep 2023 10:29:59 -0700
+Subject: [PATCH 12/12] remove assert
+
+---
+ src/twisted/web/http.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2043,9 +2043,6 @@ class HTTPChannel(basic.LineReceiver, po
+ Called for each line from request until the end of headers when
+ it enters binary mode.
+ """
+- assert (
+- not self._handlingRequest
+- ), "when handling a request, we MUST be in raw mode to buffer the incoming data without parsing it"
+ self.resetTimeout()
+
+ self._receivedHeaderSize += len(line)
diff -Nru twisted-18.9.0/debian/patches/series twisted-18.9.0/debian/patches/series
--- twisted-18.9.0/debian/patches/series 2022-03-21 10:13:24.000000000 +0000
+++ twisted-18.9.0/debian/patches/series 2023-12-04 14:01:24.000000000 +0000
@@ -47,3 +47,16 @@
 CVE-2022-21716-1.patch
 CVE-2022-21716-2.patch
 CVE-2022-21716-3.patch
+CVE-2022-39348.patch
+CVE-2023-46137-01.patch
+CVE-2023-46137-02.patch
+CVE-2023-46137-03.patch
+CVE-2023-46137-04.patch
+CVE-2023-46137-05.patch
+CVE-2023-46137-06.patch
+CVE-2023-46137-07.patch
+CVE-2023-46137-08.patch
+CVE-2023-46137-09.patch
+CVE-2023-46137-10.patch
+CVE-2023-46137-11.patch
+CVE-2023-46137-12.patch