-
twisted (17.9.0-2ubuntu0.3) bionic-security; urgency=medium
  * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
    and authorization headers when following cross origin redirects
    - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
      removed when forming requests, in src/twisted/web/client.py,
      src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
    - CVE-2022-21712
  * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
    handshake can result in a denial of service when excessively large packets
    are received
    - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
      handshake buffer is checked, prior to processing version string in
      src/twisted/conch/ssh/transport.py and
      src/twisted/conch/test/test_transport.py
    - CVE-2022-21716
 -- Ray Veldkamp <email address hidden> Tue, 22 Mar 2022 22:03:56 +1100
-
twisted (17.9.0-2ubuntu0.1) bionic-security; urgency=medium
  * SECURITY UPDATE: incorrect URI and HTTP method validation
    - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
      src/twisted/web/_newclient.py, src/twisted/web/client.py,
      src/twisted/web/test/injectionhelpers.py,
      src/twisted/web/test/test_agent.py,
      src/twisted/web/test/test_webclient.py.
    - CVE-2019-12387
  * SECURITY UPDATE: incorrect cert validation in XMPP support
    - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
      certificate checking.
    - CVE-2019-12855
  * SECURITY UPDATE: HTTP/2 denial of service issues
    - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
      and timeout invalid clients in src/twisted/web/_http2.py,
      src/twisted/web/error.py, src/twisted/web/http.py,
      src/twisted/web/test/test_http.py,
      src/twisted/web/test/test_http2.py.
    - CVE-2019-9512
    - CVE-2019-9514
    - CVE-2019-9515
  * SECURITY UPDATE: request smuggling attacks
    - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
      duplication in src/twisted/web/test/test_http.py.
    - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
      attacks in src/twisted/web/http.py,
      src/twisted/web/test/test_http.py.
    - CVE-2020-10108
    - CVE-2020-10109
 -- Marc Deslauriers <email address hidden> Mon, 16 Mar 2020 13:24:46 -0400
-
twisted (17.9.0-2) unstable; urgency=medium
  * Team upload.
  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org
  * d/control: Deprecating priority extra as per policy 4.0.1
    (closes: #687218)
  * d/watch: Use https protocol
  * d/changelog: Remove trailing whitespaces
  * d/control: Remove trailing whitespaces
  [ Colin Watson ]
  * Fix conch MSG_DEBUG parsing on Python 2 (closes: #895374).
  * Fix incorrect Homepage field (closes: #866642).
 -- Colin Watson <email address hidden> Fri, 20 Apr 2018 23:55:26 +0100
-
twisted (17.9.0-1) unstable; urgency=medium
  * New upstream release 17.9.0.
  * Explicitly depend on python-automat/python3-automat (>= 0.6.0).
 -- Matthias Klose <email address hidden> Tue, 26 Sep 2017 23:25:12 +0200
-
twisted (16.6.0-2ubuntu3) artful; urgency=medium
  * No change rebuild to drop Python 3.5 support.
 -- Michael Hudson-Doyle <email address hidden> Sat, 05 Aug 2017 21:29:38 +1200